this post was submitted on 02 Feb 2026
349 points (99.7% liked)

Technology

79985 readers
3683 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
349
Notepad++ Hijacked by State-Sponsored Hackers (notepad-plus-plus.org)
submitted 1 day ago by Beep@lemmus.org to c/technology@lemmy.world
60 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] elvith@feddit.org 54 points 1 day ago (1 children)

From my understanding: Basically the attackers could reply to your version check request (usually done automatically) and tell N++ that there were a new version available. If you then approved the update dialogue, N++ would download and execute the binary from the update link that the server sent you. But this didn't necessarily need to be a real update, it could have been any binary since neither the answer to the update check nor the download link were verified by N++

[–] HeyJoe@lemmy.world 11 points 1 day ago (1 children)

Thats what i was thinking, but there is no mention on if this did happen and if it did what did was compromised or allowed to happen.

[–] ryannathans@aussie.zone 11 points 1 day ago (1 children)

How would n++ devs know?

[–] Bane_Killgrind@lemmy.dbzer0.com 18 points 1 day ago (1 children)

Expanding on this: the exploit was against their domain name, redirecting selected update requests away from the notepad++ servers. The software itself didn't validate that the domain actually points to notepad++ servers, and the notepad++ update servers would not see any information that would tell them what was happening.

Likely they picked some specific developers with a known public IP, and only used this to inject those specific people with malware.

[–] isVeryLoud@lemmy.ca 8 points 1 day ago (2 children)

So the solution would have been an SSL certificate check on the client side.

[–] MangoCats@feddit.it 5 points 19 hours ago

That's what they say they rolled out, after: "Within Notepad++ itself, WinGup (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer"

[–] Bane_Killgrind@lemmy.dbzer0.com 6 points 23 hours ago (1 children)

Can't tell if that would have helped

which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers

They could have just piped the binaries though the same server since they had this level of access. They would have had months to figure it out.

[–] isVeryLoud@lemmy.ca 6 points 23 hours ago (1 children)

Oof, I thought it was just a DNS hijack. If they had access to the server, it's game over regardless.

[–] Kissaki@feddit.org 3 points 22 hours ago (1 children)

It's not game over regardless if the updater checks a signature of the update installer. Them it wouldn't run an installer by someone else.

[–] isVeryLoud@lemmy.ca 1 points 22 hours ago (1 children)

That's true, assuming they didn't also put their private keys on the server

[–] elvith@feddit.org 3 points 20 hours ago

As the hoster wrote this:

we immediately transferred all clients’ web hosting subscriptions from this server

It looks like the binaries and the update check script were put on a simple web space. If that is the correct conclusion to draw from this excerpt, then it'd be rather strange to have the keys on that server as it's very unlikely that it was used to produce any builds.