Warning for Notepad++ Users: Potential China-Based Cybersecurity Breach

Suspected state-backed hackers from China compromised the update infrastructure of Notepad++, a popular text editor for Windows, allowing them to deliver malicious versions of the software to specific targets for six months, according to developer reports.

In a post on the official Notepad++ website, the author apologized to affected users and detailed that the attack began in June. Hackers gained control by redirecting update traffic intended for the Notepad++ update site, allowing them to deliver backdoored versions to compromised devices. Notepad++ regained control of its infrastructure in December after the attack was detected.

The hackers used an advanced payload named Chrysalis, whose extensive feature set suggests it was built for long-term use rather than as a throwaway tool. Investigators attributed the activity to the Chinese government and noted that the actors specifically targeted the Notepad++ domain, exploiting flaws in older versions of the updater.

Independent researcher Kevin Beaumont said that multiple organizations he spoke with reported security incidents related to Notepad++. In some cases the hackers established direct control over devices running the software, pointing to a serious compromise inside the networks of these organizations, which have an East Asia focus.

Beaumont raised concerns about vulnerabilities in the Notepad++ updater, which the security-focused changes in version 8.8.8 brought into relief. Earlier versions lacked robust verification controls, leaving update traffic susceptible to interception and redirection.

Users are advised to verify that they are running the official version 8.9.1 or later, downloaded directly from the official Notepad++ website. Beaumont also recommended that organizations consider restricting access to the Notepad++ updater or its main executable as protection against potential future attacks.
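The two checks above (verify the installed version, and verify what you download before running it) and the suggested restriction on the updater can be scripted. The following PowerShell is an added example written for this page; it is not code from the article, from Beaumont, or from the Notepad++ project. It assumes the default install layout under `$env:ProgramFiles\Notepad++` with the updater in an `updater` subfolder, and it leaves the expected code-signing subject as a placeholder that you fill in after inspecting an installer obtained from the official site.

```powershell
# Added example, not from the article or the Notepad++ project.
# Assumptions: default install path, updater under the "updater" subfolder,
# and the expected signer subject is filled in from a known-good official
# installer (inspect it with Get-AuthenticodeSignature) before use.

$NppRoot    = Join-Path $env:ProgramFiles 'Notepad++'
$NppExe     = Join-Path $NppRoot 'notepad++.exe'
$NppUpdater = Join-Path $NppRoot 'updater\GUP.exe'   # assumed updater location
$MinVersion = [version]'8.9.1'                        # minimum recommended in the article

# Placeholder: replace with the Subject of the certificate on a known-good installer.
$ExpectedSignerSubject = 'CN=<EXPECTED-NOTEPAD++-SIGNER-SUBJECT>'

function Test-NppVersion {
    # Returns $true when the installed notepad++.exe reports a product version
    # at or above the minimum; $false (with a warning) otherwise.
    param([string]$Path = $NppExe, [version]$Minimum = $MinVersion)
    if (-not (Test-Path $Path)) { Write-Warning "Not found: $Path"; return $false }
    $raw = (Get-Item $Path).VersionInfo.ProductVersion
    # ProductVersion may carry extra digits or text, e.g. "8.9.1.0"; keep digits and dots.
    $installed = [version]($raw -replace '[^\d.]', '')
    if ($installed -lt $Minimum) {
        Write-Warning "Installed $installed is below the recommended $Minimum"
        return $false
    }
    return $true
}

function Test-InstallerSignature {
    # Refuses an installer whose Authenticode signature is missing, invalid,
    # or issued to an unexpected subject. This is the check a downloaded
    # update should pass before it is executed.
    param([Parameter(Mandatory)][string]$InstallerPath,
          [string]$ExpectedSubject = $ExpectedSignerSubject)
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $InstallerPath is '$($sig.Status)'"
        return $false
    }
    if ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

function Block-NppUpdaterEgress {
    # Adds an outbound Windows Firewall rule for the updater binary so the
    # editor keeps working while its automatic update traffic is stopped.
    # Requires an elevated session; undo with Remove-NetFirewallRule -DisplayName.
    param([string]$UpdaterPath = $NppUpdater)
    if (-not (Test-Path $UpdaterPath)) { Write-Warning "Not found: $UpdaterPath"; return }
    New-NetFirewallRule -DisplayName 'Block Notepad++ updater egress' `
        -Direction Outbound -Program $UpdaterPath -Action Block | Out-Null
}

# Example run:
$versionOk = Test-NppVersion
Write-Host "Installed version meets the $MinVersion minimum: $versionOk"
# Before running a freshly downloaded installer (placeholder path):
# Test-InstallerSignature -InstallerPath "$env:USERPROFILE\Downloads\<downloaded-installer>.exe"
# To stop the bundled updater from reaching out at all:
# Block-NppUpdaterEgress
```

Pinning the signer subject matters more than the version string: a version number is trivially reported by whatever binary is installed, whereas a valid signature from the expected subject ties the file to the publisher's signing key. If your organization blocks the updater, plan to roll out new releases through your normal software-deployment channel instead.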

The incident underscores the importance of adequate funding and resources for open source projects like Notepad++, which remain popular alternatives to bundled software even as native applications such as Microsoft's Notepad gain new features. Limited resources may have contributed to the oversight that allowed the six-month compromise to go undetected.

Further details are available in the official Notepad++ response and in the Rapid7 analysis.
