Notepad++ users take note: It's time to check if you're hacked

Security Concern Lurking in the Shadows of Your Favorite Text Editor: What You Need to Know About Notepad++.

If you're a regular user of Notepad++, a widely used text editor for Windows, it's essential to take notice. The update infrastructure for this application has been compromised by suspected China-state hackers who have delivered backdoored versions to select targets. Yes, you read that right - your favorite text editor may be hosting malicious code without your knowledge.

The vulnerability was discovered last June when the attackers intercepted and redirected update traffic destined for Notepad++. From there, they selectively redirected certain targeted users to malicious update servers where they received infected updates. Fortunately, Notepad++ regained control of its infrastructure in December, but not before the attack had a six-month window to wreak havoc.

The attackers used their access to install a never-before-seen payload called Chrysalis, which is essentially a custom feature-rich backdoor. According to security firm Rapid7, this tool has wide-ranging capabilities and appears to be sophisticated and permanent - not your run-of-the-mill throwaway utility.

But how did the hackers manage to get their hands on Notepad++'s update infrastructure? Independent researcher Kevin Beaumont discovered that the update process for older versions of Notepad++ was vulnerable due to insufficient update verification controls. This allowed attackers positioned inside the ISP chain to redirect users to malicious servers, something they could do only by intercepting and changing traffic.

Beaumont's working theory, published two months prior to Monday's advisory by Notepad++, is now vindicated. It appears that the attackers used a bespoke updater known as GUP or WinGUP to inject malware into updates. The gup.exe executable would report its version in use to https://notepad-plus-plus.org/update/getDownloadUrl.php and retrieve an update URL from a file named gup.xml, which was then downloaded to the %TEMP% directory of the device.
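The following is an added example, not code from the article, Notepad++ or WinGUP: it shows the kind of verification an updater needs so that a redirected update response cannot lead to running an attacker's file. The XML element names, the host allow-list and the pinned-digest table (a stand-in for whatever signature check a real updater performs) are assumptions, and the sample data is constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumptions for illustration: the allow-list, the XML element names and the
# pinned-digest table are not taken from the article or from WinGUP itself.
ALLOWED_HOSTS = {"notepad-plus-plus.org"}

def parse_offer(xml_text):
    """Return (version, location) from an updater response, or None if no update."""
    if len(xml_text) > 4096:                      # refuse oversized untrusted XML
        raise ValueError("update response too large")
    root = ET.fromstring(xml_text)
    field = lambda tag: (root.findtext(tag) or "").strip()
    if field("NeedToBeUpdated").lower() != "yes":
        return None
    return field("Version"), field("Location")

def location_is_trusted(url):
    """Accept only https URLs whose exact host is on the allow-list."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS

def vet_update(xml_text, fetch, pinned):
    """fetch(url) -> bytes; pinned maps version -> SHA-256 obtained out of band."""
    offer = parse_offer(xml_text)
    if offer is None:
        return "no-update"
    version, location = offer
    if not location_is_trusted(location):
        return "reject: untrusted location"       # nothing is downloaded
    if version not in pinned:
        return "reject: no pinned digest"
    digest = hashlib.sha256(fetch(location)).hexdigest()
    if digest != pinned[version]:
        return "reject: digest mismatch"          # payload changed in transit
    return "accept"

# Constructed sample data (not real update traffic).
INSTALLER = b"constructed installer bytes"
PINNED = {"8.9.1": hashlib.sha256(INSTALLER).hexdigest()}
OFFER = ("<GUP><NeedToBeUpdated>yes</NeedToBeUpdated><Version>8.9.1</Version>"
         "<Location>{}</Location></GUP>")
GOOD = OFFER.format("https://notepad-plus-plus.org/constructed/installer.exe")
REDIRECTED = OFFER.format("http://203.0.113.10/update.exe")

if __name__ == "__main__":
    for xml_text, data in ((GOOD, INSTALLER), (GOOD, b"tampered"), (REDIRECTED, INSTALLER)):
        print(vet_update(xml_text, lambda url, d=data: d, PINNED))
```

The location check alone does not help when the response itself is served by an attacker-controlled machine under the expected name, which is why the payload is also compared with a value obtained independently of the update channel.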

Beaumont's advice is straightforward: run official Notepad++ updates manually from notepad-plus-plus.org. However, due to recent developments, developers now urge users to ensure they're running 8.9.1 or higher.

But that's not all - Beaumont also warns that search engines are flooded with malicious Notepad++ extensions that can infect users unknowingly. Users who want to investigate whether their devices have been targeted should refer to the indicators of compromise listed in a previously linked Rapid7 post.

The situation is a sobering reminder that even seemingly innocuous applications like text editors can harbor vulnerabilities that malicious actors can exploit. Users need to stay vigilant and keep up to date with security patches; Notepad++'s weaknesses underline the importance of robust monitoring and proper software updates.
 
omg u guys! notepad++ been compromised lol who knew ur fav text editor was vulnerable 2 chinese hackers 🤯 they injected malware through update servers & now theres this custom backdoor called chrysalis it has crazy wide-ranging capabilities & is permanent too 😅 so basically dont download any suspicious updates from the net u should only get them frm notepad++ official site & make sure ur running 8.9.1 or higher lol stay safe 🚨
 
OMG 🤯, I mean, I'm like totally concerned about this whole thing... Like, my trusty old Notepad++ has been keeping me safe for years, but it looks like even that's not immune to attacks 😳. Six months is a looong time to be vulnerable, you know? And those Chrysalis backdoors sound super sneaky 🕵️‍♂️... I mean, who needs all that extra power in their text editor? 💻

I'm glad Notepad++ fixed the issue and got its update infrastructure under control, but this is a total wake-up call for all of us to stay on top of our software updates 💥. I mean, it's not like we can just sit back and wait for someone else to fix everything 🙅‍♂️... we gotta take responsibility for our own security.

I love that Kevin Beaumont is out there doing research and helping us understand what happened... but this whole situation makes me want to go back to using old-school text editors like Write or something 🤪. I mean, they're not fancy, but at least you know they won't be compromised by some sneaky hacker 🔒.

Anyway, I guess the moral of the story is: always keep your software up-to-date and trust no one (not even your favorite text editor 😜)... just kidding, sorta...
 
I'm kinda worried about this whole thing 🤔... like, who wouldn't want their favorite text editor compromised? 😬 I mean, I've heard of people using it for all sorts of stuff from coding to writing notes, so the thought of malicious code being injected into those updates is super unsettling. And the fact that they were able to get away with it for six whole months? That's just crazy 🤯.

I guess what I'm trying to say is that we need to be way more careful about where we're getting our updates from, especially when it comes to apps like Notepad++. It's not just about the text editor itself, but also about the potential for other apps and software to get compromised too 🤖. And the worst part? We don't even know how many people might have fallen victim to this without realizing it 😕.

Anyway, I'm gonna make sure to keep my Notepad++ updates manual from now on 📦. It's just not worth the risk of having malicious code lurking in the shadows 💻.
 
I mean I'm totally freaked out about this whole thing 🤯. Like, your favorite text editor is basically compromised? That's just terrifying! I always use Notepad++ for quick coding tasks on my Windows PC and now I feel like I've been using something sketchy all along 😱. It's crazy to think that someone managed to sneak in malicious code into the updates without even realizing it 🤦‍♂️.

And what really gets me is that these hackers were able to do this by exploiting a vulnerability in the update process, not some super complex security flaw or anything 💻. I mean, it's just basic stuff that can be exploited by anyone with enough knowledge and resources. It's like, come on! Can't we trust our software updates anymore? 🤔

And now they're warning us to run official updates manually from the website and to check for malicious extensions, which is just so much extra work 🙄. I mean, who has time for that? And what if you're not even aware of the risk in the first place? It's like, we need better security measures, like, yesterday.

Anyway, just thought I'd share my thoughts on this whole thing 😊. Let's all just be more vigilant and keep our software up to date, okay?
 
🚨💻 so what happens when your fave text editor gets hacked? turns out notepad++ got compromised by china-state hackers who sneaked in backdoored versions to select targets 🤯 they exploited a vulnerability in older versions' update process and then installed a super nasty payload called chrysalis 💔 that's like a permanent backdoor 🚫 anyway it's good that notepad++ regained control but still be careful when updating
 
Just updated my Notepad++ and I'm already paranoid 🤯. Guess you can never be too sure about what's lurking in the shadows 💻. Need to check my extensions again, don't wanna get infected 😬. Security awareness is key, folks! 💡
 
Ugh, I'm still shaking my head about this one 🤯. Like, your favorite text editor is compromised by hackers? That's just basic. And it's not like you can even trust the update process anymore 🚨. Six months with a backdoor? That's a long time to be vulnerable. I mean, what else could they do while they're in there? And now we've got malicious extensions popping up everywhere too 🤖. It's just a nightmare. So yeah, make sure you're running 8.9.1 or higher and manually update from the official site. Don't risk it, trust me on this one 😬.
 
omg u guys i just saw this news about notepad++ and it's like whoa 🤯 they're saying that china-state hackers compromised their update infrastructure and injected malware into the app 😱 i'm still trying to wrap my head around how this happened but apparently some dude named kevin beaumont figured out that the updater was vulnerable and now notepad++ is telling people to run official updates manually from the website 📦 it's crazy that these hackers were able to get away with this for 6 months tho anyway i'm gonna make sure to update my notepad++ ASAP and also check for any malware extensions on my search engine results 🚨
 
🚨 Oh man, this is getting serious! I mean, who expects their favorite text editor to be compromised like that? 😱 It's crazy to think about how some hackers managed to sneak in backdoors without anyone noticing. The fact that they used a custom updater to inject malware into updates is just mind-blowing... like, what even is that?! 🀯 And now we're told to manually update from the official site instead of trusting our ISPs? That's just a lot to take in.

I'm also super concerned about those malicious Notepad++ extensions flooding search engines. Can you imagine installing something that looks legit but is actually spyware or something?! 😳 It's like, what's the point of even having security patches if we're just gonna find more vulnerabilities? πŸ€¦β€β™‚οΈ The whole thing just feels like a mess...
 
man 😱 I'm still trying to wrap my head around this... like, who would've thought that notepad++, our trusty old text editor, could be compromised like this? 🤯 I remember using it back in the day for all sorts of projects and it never gave me any trouble. but i guess you can't let your guard down even with software you know and love.

I'm glad they got their update infrastructure under control and that the developers are pushing out patches ASAP, but it's just crazy to think about how this happened in the first place 🤦‍♂️. I mean, we're living in an era where security is like, a constant thing you gotta worry about and it's just... 🙄

anyway, kudos to Kevin Beaumont for doing some serious digging and bringing this to light 💡. it's always good to be informed and take steps to protect ourselves online, especially when it comes to the software we use daily 🔒
 
🤔 so I'm using Notepad++ and I thought it was legit 🙃 but apparently there's some dodgy stuff going on behind the scenes 🕵️‍♂️ i mean who knew update infrastructure could be a security risk? 😱 how did they manage to get in like was it some kind of DNS exploit or something? 💻 and what's with the Chrysalis payload? sounds like some fancy spy tool

anyway, looks like we need to take manual updates from now on and be extra careful when installing extensions 🤔 i mean I use the ones from the official Notepad++ site but you never know right? 😅 so yeah, this is a good reminder to stay vigilant 🚨 and keep those security patches up to date 💪
 
😕 Just got word about this major vulnerability in Notepad++. I'm still trying to wrap my head around it - our favorite text editors can be compromised by state-sponsored hackers? It's wild to think that those six-month windows of vulnerability could've given malicious actors a ton of time to wreak havoc. But I guess that's just the reality of living in an increasingly interconnected world 🤖.

I'm not exactly sure how this happened, but it sounds like those update infrastructure controls were pretty lax. And now we're facing the prospect of malware-laced extensions and custom backdoors? It's enough to make you question everything 😅. I do love that Kevin Beaumont is getting props for his detective work on this though - he definitely helped uncover some key info about the attack.

In any case, I think it's high time we all got a little more vigilant about our software updates. And if anyone needs me, I'll be running official Notepad++ updates manually from now on 💻. It's just not worth taking any chances when it comes to security - after all, you never know what's lurking in the shadows 😳
 
🚨 so i'm still thinking about this notepad++ vulnerability from last june... remember when kevin beaumont first spoke out about it? i was like "wait what, who's that guy?" but anyway, his theory about the gup.exe executable making all the difference seems legit now πŸ€”. anyone else manually update their notepad++ to 8.9.1 or higher? 😬
 
OMG 🤯 u guys gotta get notified about this! so notepad++ is like our go-to text editor and apparently some bad people have been sneaking malicious code into the update process 🤖 it's crazy cuz they basically took advantage of a vulnerability in the way updates were being verified 😱 and now we're talking about a backdoor called chrysalis that has all sorts of nasty capabilities 🚫 anyway, to stay safe u should only get updates from the official notepad++ website and make sure ur running 8.9.1 or higher 📦 but like, there's also this other thing happening with malicious extensions on search engines 🤯 so yeah, let's all just be extra careful when we're updating our software and stuff
 
omg u guys notepad++ has been hacked 🤯 and it's like super scary because they can install malware without ur knowledge lol i was using that thing all the time but now i'm like why didnt i update it already?! 😂 anyway, i'm gonna make sure to run updates manually from now on, like Beaumont said, no more relying on auto-updates. and btw, have u heard of this 'Chrysalis' payload? sounds like something outta a sci-fi movie 🤖
 
I'm still using Notepad++ as my go-to text editor 😂... but now I think twice about it after reading this news 🤯. It's crazy to think that something so seemingly innocuous like a text editor could be vulnerable to hackers. Six months of malicious activity is just mind-boggling, and the fact that it was all due to a simple update process vulnerability makes me appreciate how far security has come since my gaming PC days 💻.

I guess this is a good reminder for everyone to stay on top of updates, even if it's something as basic as a text editor 🙌. And, yeah, manually checking for updates might seem like an extra step, but trust me, it's better than being unwittingly infected by malware 😅. I mean, who needs that kind of stress in their life? Not me, that's for sure!
 
I've been using Notepad++ for ages and it never occurred to me that my fave text editor could be hacked like this 🤦‍♂️. It's crazy to think about how one vulnerability in their update process can let hackers inject backdoors into the app 🚨. And now they're warning us about malicious extensions too? That's just wild 🔥. I guess it's good that Notepad++ has regained control of its infrastructure, but it's still super unsettling to know our trusty text editor could be hosting bad code without us knowing 😬. Has anyone got a reliable way to manually update Notepad++ anymore? 🤔
 
Ugh, like seriously? 🤯 Our trusty old text editors can't be trusted? I mean, I've used notepad++ for years without any issues, but now I'm supposed to be on high alert because some hackers managed to slip in a sneaky update backdoor? It's just so frustrating. I remember when I first started using it, I was like "oh cool, a free text editor" and now I've got to worry about whether the updates are legit or not? 😩

But you know what really gets me? The fact that these hackers managed to exploit a vulnerability in the update process because of something as simple as insufficient verification controls. Like, come on! It's just basic security 101. Can't they just use their brains for once? 🙄 And now I've got to be extra careful and run official updates manually from the website. Great, just what I wanted to do with my free time - babysit my text editor updates.

I guess it's a good reminder that even if we think something is harmless, it can still have hidden dangers. But honestly, who knew our trusty old notepad++ had such skeletons in its closet? 🤥 Not me, that's for sure. Anyway, I'm gonna go make sure my updates are legit and hope that the next time someone tries to hack me, they'll at least be able to figure out how to do it a bit better than these guys did. 💪
 
Man, this is wild 🤯... think about it, your favorite text editor, something you use every day without even thinking twice, can actually be compromised by hackers. It's like, have we become so trusting of technology that we forget to question its intentions? Like, what other seemingly harmless apps are hiding malicious code in their update infrastructure? 🤔 And then there's the fact that these attacks were happening behind our backs, without us even knowing... it's like, we're living in a sci-fi movie or something 😱. But on a more serious note, I guess this is just another reminder to always be cautious when using software and to stay up-to-date with security patches. It's not about being paranoid, it's about being aware of our own vulnerability 🤖.
 