Suspected China-state hackers used update infrastructure to deliver backdoored version.

  • PointyFluff@lemmy.ml · 1 up · edited · 4 hours ago

    Stop using Notepad++. This KEEPS happening; we’ve completely banned the app in our office. The devs keep using outdated and insecure C++. Use a proper, modern editor like micro or zed.

  • pulsewidth@lemmy.world · 4 up · edited · 14 hours ago

    If you’re worried that this may have hit your PC I’d say first of all be aware that this is a state-level backdoor, intended to be persistent and evade detection. You are likely not the target and are very unlikely to find any evidence even if you were targeted, as it is capable of clearing its tracks.

    Actions I’d suggest if you’re still worried this could have hit your PC:

    1. Grab the list of Indicators of compromise from the bottom of this article. Disconnect the PC from the Internet now that you have the list.
    2. Search for any instances of these files locally and SHA-256 hash them if found, and match to the hashes on the list. If you find any matches, your system is compromised.
    3. Check the DNS cache for any hosts mentioned in the indicators, and if you have network traffic logging you could check there also. Indicators are very likely signs of prior/active attack on your PC.
    4. If nothing found, reconnect to the net and continue…
    5. Uninstall Notepad++, or if you want to keep using it, update Notepad++ via a method other than their internal update method. I suggest PowerShell using winget, as it’s preinstalled in Win10 & 11.

       PS > winget list -q Notepad++
       (will show you available updates)
       PS > winget upgrade -q Notepad++
       (will install the update if available)

    6. (Optional) Disable the Notepad++ internal update mechanism, and use winget or another method moving forward. Settings -> Preferences -> MISC: Auto-updater: Disable.
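The local sweep described in steps 1 to 3 above, written out as an added PowerShell example. It is not code from the thread, from Rapid7 or from the Notepad++ project: every file name, SHA-256 value and host name in it is a placeholder to be replaced with the indicators from the linked article, and the hidden %AppData%\Bluetooth check reflects the marker discussed elsewhere in this thread. It only reads and hashes files and the DNS client cache; it does not delete anything, so evidence survives for anyone who has to investigate further.

```powershell
# Added example (not from the thread): offline IoC sweep of one Windows PC.
# Run from an elevated PowerShell prompt after disconnecting from the network.
# PLACEHOLDERS: replace the three lists below with the real indicators from the article.
$IocFileNames = @('PLACEHOLDER_file1.dll', 'PLACEHOLDER_file2.exe')
$IocSha256    = @('0000000000000000000000000000000000000000000000000000000000000000')
$IocHosts     = @('placeholder-c2.example', 'placeholder-update.example')

# Where to look: all user profiles plus two common drop locations.
$SearchRoots = @("$env:SystemDrive\Users", $env:ProgramData, "$env:windir\Temp")

$findings = @()

# 1. Hidden "Bluetooth" folder under %AppData% (Roaming) for every profile, not just the current user.
Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $candidate = Join-Path $_.FullName 'AppData\Roaming\Bluetooth'
    if (Test-Path $candidate) {
        $attr = (Get-Item $candidate -Force).Attributes
        if ($attr -band [IO.FileAttributes]::Hidden) {
            $findings += [pscustomobject]@{ Type = 'HiddenFolder'; Value = $candidate }
        }
    }
}

# 2. File-name matches, then SHA-256 comparison. -Force includes hidden and system files.
#    String comparison in PowerShell is case-insensitive, so hash case does not matter.
foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $IocFileNames -contains $_.Name } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            if ($IocSha256 -contains $hash) {
                $findings += [pscustomobject]@{ Type = 'HashMatch'; Value = "$($_.FullName) $hash" }
            } else {
                # Same name, different content: not a confirmed indicator, but worth a look.
                $findings += [pscustomobject]@{ Type = 'NameOnly'; Value = "$($_.FullName) $hash" }
            }
        }
}

# 3. DNS client cache: any cached entry whose queried name or record name is an indicator host.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { ($IocHosts -contains $_.Entry) -or ($IocHosts -contains $_.Name) } |
    ForEach-Object { $findings += [pscustomobject]@{ Type = 'DnsCache'; Value = $_.Entry } }

if ($findings.Count -gt 0) {
    'Indicators found. Treat the system as compromised and preserve the files for analysis before any cleanup:'
    $findings | Format-Table -AutoSize
} else {
    'No indicators matched. As noted above, a backdoor with a self-removal mode may leave no trace.'
}
```

Get-DnsClientCache needs Windows 8 / Server 2012 or later; on older systems `ipconfig /displaydns` gives the same information as text. A `NameOnly` hit is reported separately from a `HashMatch` on purpose: a legitimate file can share a name with an indicator, and only the hash confirms it.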
  • purplemonkeymad@programming.dev · 11 up · 22 hours ago

    The protection of dismissing the update dialogue because it appears at start up, which is when I need to get something done. I guess I’ll just manually update it from now on.

  • Hal-5700X@sh.itjust.works · 38 up · edited · 6 hours ago

    > suspected China-state hackers who used their control to deliver backdoored versions of the app to select targets, developers said Monday.

    I think it’s unlikely most people were infected, as the article makes it sound like they were focused on targeting specific individuals / organizations.

    • pulsewidth@lemmy.world · 5 up · 15 hours ago

      This advice is not accurate:

      > The Rapid7 post says if you have a hidden folder in “%AppData%” named Bluetooth. You got hacked. So if you don’t have said folder, you’re good.

      Their post says that the Bluetooth hidden folder in AppData was only used as the initial access vector.

      After initial access, an advanced persistent backdoor they’ve named “Chrysalis” is delivered and installed via significantly obfuscated methods to minimize the chance of detection. The backdoor allows arbitrary code execution via a CMD.exe reverse shell, with additional modes for remote file write, read, and a full self-removal mechanism that attempts to delete any trace it was ever on the system.

      The Indicators of compromise section at the bottom contains a list of files you can check for on your system and their corresponding SHA-256 values, as well as network indicators if you have logging or wish to check your DNS cache. If you have any files that match or other indicators, then your system is/was compromised. But there is a very good chance that many systems which were compromised now have no remaining trace of the breach.

      https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

  • FauxLiving@lemmy.world · 2 up, 1 down · 21 hours ago

    This doesn’t seem like an attack that should work.

    How did this bypass signature verification? Sure, you can send a malicious update, but unless you have the package maintainer’s private keys you can’t sign it, so it would be thrown out by the package manager?

    • Ludicrous0251@piefed.zip · 4 up · 20 hours ago

      The downloads themselves are signed; however, some earlier versions of Notepad++ used a self-signed root cert, which is on GitHub. With 8.8.7, the prior release, this was reverted to GlobalSign.
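The point of this exchange is that “signed” alone says little; what matters is which root the signing chain ends in. As an added PowerShell example, not from the thread or from the Notepad++ project, the function below reads the Authenticode signature of a downloaded installer, walks the certificate chain Windows builds for it, and reports the root and whether that root is in the machine’s trusted store. The installer path in the usage line is a placeholder.

```powershell
# Added example (not from the thread): report the signing chain of a downloaded installer.
function Get-InstallerSignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $report = [ordered]@{
        File                 = $Path
        Status               = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        StatusMessage        = $sig.StatusMessage
        Signer               = $sig.SignerCertificate.Subject
        Issuer               = $sig.SignerCertificate.Issuer
        Timestamper          = $sig.TimeStamperCertificate.Subject
        Root                 = $null
        RootTrustedByWindows = $false
        ChainStatus          = 'n/a'
    }

    if ($sig.SignerCertificate) {
        # Build the chain the same way Windows does, including an online revocation check.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        [void]$chain.Build($sig.SignerCertificate)

        # The last element is the root the chain terminates in, trusted or not.
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $report.Root = $root.Subject

        # Any root is self-signed by construction; the question is whether Windows trusts it.
        $trusted = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root -ErrorAction SilentlyContinue |
                   Where-Object Thumbprint -eq $root.Thumbprint
        $report.RootTrustedByWindows = [bool]$trusted

        # Flags such as UntrustedRoot, RevocationStatusUnknown or NotTimeValid end up here.
        $flags = $chain.ChainStatus | ForEach-Object Status
        $report.ChainStatus = if ($flags) { $flags -join ',' } else { 'NoError' }
    }

    [pscustomobject]$report
}

# Usage (placeholder path): point this at the installer you actually downloaded.
Get-InstallerSignatureReport -Path "$env:USERPROFILE\Downloads\PLACEHOLDER_installer.exe" | Format-List
```

A `Status` of `Valid` together with a `Root` subject you do not recognise, or `RootTrustedByWindows` being false, is the case the thread is describing: the file carries a good signature, but one that chains to a publisher-created root rather than a public CA such as GlobalSign. `CurrentUser\Root` is included because a root installed only for one user still makes signatures validate for that user.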

  • 9point6@lemmy.world · 2 up, 30 down · 1 day ago

    All of this would have been easily avoided by its users if they had just listened to the enlightened and switched to vim

    I’d rather never turn my computer on again and run away to live in the woods than use notepad++

    • BrikoX@lemmy.zip (OP, mod) · 21 up, 4 down · edited · 1 day ago

      Vim is a chore to learn; most people just want a simple notepad replacement when they don’t need a full IDE.

      • 9point6@lemmy.world · 4 up, 21 down · 1 day ago

        Vim is hardly an IDE unless you have added a shitload of plugins (which is fine if you want to do that, arguably a plus to have the option)

        Notepad++ is way too bloated for a “simple notepad replacement” and often lacking when you need something more serious than that

        Although I guess vim never shipped with malware, so I guess it’s lacking in that particular notepad++ feature

        • BrikoX@lemmy.zip (OP, mod) · 14 up, 1 down · edited · 1 day ago

          I feel like you misunderstood me on purpose… Most people use Notepad++ in conjunction with an IDE, not as a replacement for it.

          Vim doesn’t work as a simple text editor without spending an enormous amount of time learning all the commands. Even long-time users have cheat sheets nearby…

          Notepad++ works for many people despite the bloat. Anyone can start immediately, no guidance needed; can’t say the same for vim.

          Well, vim instead shipped a vulnerability that allows arbitrary code execution (CVE-2025-66476)… So I guess neither is perfect.

          • 9point6@lemmy.world · 2 up, 1 down · 20 hours ago

            > I feel like you misunderstood me on purpose…

            Funnily enough I thought you were playing along with the bit, so I guess I misunderstood

            Figured “enlightened vim user” was a bit more of a giveaway than it apparently is

        • TJA!@sh.itjust.works · 2 up · 22 hours ago

          Can you give examples where you think it’s too bloated and where it lacks features in comparison to vim?