Notepad++ Update Hijacked in Six-Month, State-Linked Supply-Chain Attack

Attackers have hijacked the update mechanism of Notepad++, one of the world’s most popular open-source text editors, delivering malware to targeted users over a period of six months.

In an advisory, developer Don Ho discussed how bad actors weaponized his two-decade-old project between June and December last year.

An update, said: “Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign.”

The attack employed infrastructure-level compromise that enabled bad actors to intercept and redirect update traffic destined for notepad-plus-plus.org.

“The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests,” researchers wrote.

The breach raises questions about the security of open-source, and the vulnerability ...