Notepad++ updater installed malware

[Parkinsond]

Very unlikely even if i keep my bias against MS aside that their servers are getting compromised.

Github was reported several times to harbor malware!

 

[Khushal]

Github was reported several times to harbor malware!

That has no relation to their hosting getting compromised and distributing malware.

GitHub - BengaminButton/XillenStealer: XillenStealer V4.0 - Professional cross-platform Python stealer builder with modern UI and comprehensive features. V5.0 - t.me/XillenStealer

XillenStealer V4.0 - Professional cross-platform Python stealer builder with modern UI and comprehensive features. V5.0 - t.me/XillenStealer - BengaminButton/XillenStealer

github.com

See a open source stealer is on github from Oct. There were open conversations on X but nobody reported it to github bcoz it is perfectly fine.

 

[Parkinsond]

That has no relation to their hosting getting compromised and distributing malware.

GitHub - BengaminButton/XillenStealer: XillenStealer V4.0 - Professional cross-platform Python stealer builder with modern UI and comprehensive features. V5.0 - t.me/XillenStealer

XillenStealer V4.0 - Professional cross-platform Python stealer builder with modern UI and comprehensive features. V5.0 - t.me/XillenStealer - BengaminButton/XillenStealer

github.com

See a open source stealer is on github from Oct. There were open conversations on X but nobody reported it to github bcoz it is perfectly fine.

Personally, I am very careful when using even the whole installer downloaded from github, regardless how popular is the app.

Ultimately, github account is just like any other account (MS, G, ...), could be breached and hosted material can get compromised.

I use installers from github when there is no other alternative; if SAC/WDAC did not like the installer, I seek an alternative app, even if meeting my requirements less than the hosted one.

 

[Sampei.Nihira]

Github was reported several times to harbor malware!

Right.

Try this to understand a little better.
Go to the link below:

Release 2026.111.1925 · uBlockOrigin/uBOL-home


download uBOLite_2026.111.1925.firefox.signed.xpi to your PC.
change xpi to zip extract to a folder and then open manifest.json

You will see a line of code where the uBoL update for Firefox is downloaded from Github.

It may seem dangerous to you.
It is the digital signature with which Gorhill signs uBoL for Firefox that makes the difference.

 

[ForgottenSeer 123960]

The signature is the only thing that protects you when the server itself (GitHub) is compromised.

 

[Parkinsond]

Right.

Try this to understand a little better.
Go to the link below:

Release 2026.111.1925 · uBlockOrigin/uBOL-home


download uBOLite_2026.111.1925.firefox.signed.xpi to your PC.
change xpi to zip extract to a folder and then open manifest.json

You will see a line of code where the uBoL update for Firefox is downloaded from Github.

It may seem dangerous to you.
It is the digital signature with which Gorhill signs uBoL for Firefox that makes the difference.

You compare a big tech like Mozilla to a freelance developers regarding taking care of their download servers, even if it is github?

 

[Sampei.Nihira]

You compare a big tech like Mozilla to a freelancer developers regarding taking care of their download servers, even if it is github?

That file I wrote to you is not in AMO, it's in Github.
I have to go to dinner.
My wife has already called me twice... never exceed this limit.
Have a good evening, everyone.

 

[Parkinsond]

That file I wrote to you is not in AMO, it's in Github.
I have to go to dinner.
My wife has already called me twice... never exceed this limit.
Have a good evening, everyone.

bon appétit

 

[SeriousHoax]

Is it anyway possible that one of the reasons the Chinese state-sponsored group attacked Notepad++ because the developer is Taiwanese by nationality and has always used his software to spread his political messages; mostly against China but also Russia, lately Elon Musk, and so on. Interestingly he never said anything about the Israel vs Gaza situation or Iran's regime; so his so-called virtue signaling empathy is rather selective, not universal.
I never like it when devs use their software to spread their political views and messages. It unnecessarily makes the software a target, and the users become victims.
Political opinions should be reserved for personal blogs, social medias and similar platforms. It should not come with software changelogs. It's more common in the Linux world.

I see that this first happened in June 2025. I don't know if I had updated Notepad++ using the built-in updater since then. I usually use, sudo winget upgrade --all when updates are available but once or twice I have used the built-in updater tools also.
I have since reinstalled my Windows so I don't have a way to know if I was affected by this.
I still have Notepad++ installed but switched to using Sublime Text as my default text editor 2-3 months ago.

A deep-dive and IOC's have been published recently,

The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit

Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom.

www.rapid7.com

 

[Parkinsond]

but also Russia

Kaspersky will flag it PUP

Political opinions should be reserved for personal blogs, social medias and similar platforms.

Should be reserved for family and real-life friends; on MT, I always avoid any politically-flavored discussion; no one will succeed to convince the other with his/he pov, you only get more enemies.

 

[Zero Knowledge]

Should be reserved for family and real-life friends; on MT, I always avoid any politically-flavored discussion; no one will succeed to convince the other with his/he pov, you only get more enemies.

Political opinions should be reserved for personal blogs, social medias and similar platforms. It should not come with software changelogs. It's more common in the Linux world.

But this is not the world we live in. Developers have political views and opinions and have a platform to share those views. I don't blame them for doing so.

When people say keep politics out of security forums or any forums they really mean 'I have strong political views, I'm right, your wrong and I'm not going to listen to you'.

There is a time and place I agree with politics, but unless you acknowledge the influence of politics on cyber security and how it influences policy and so on you get nowhere.

 

[Parkinsond]

Thank you ! I cannot like your post so doing it here

This how it looks after applying registry changes by the cmd files

 

[Parkinsond]

But this is not the world we live in

This explains wars.

Developers have political views and opinions and have a platform to share those views

The platform if for sharing work; they can share their political opinions, family photos, and religious beliefs with their family and close friends on a FB account limited to those.

Only politician who need to shart their political opinions on public accounts; they do their jon then, just as the developer has to do the job of making apps.

When people say keep politics out of security forums or any forums they really mean 'I have strong political views, I'm right, your wrong and I'm not going to listen to you'.

We already have enough quarrels on MT; definitely a new reason for more quarrels is not required

There is a time and place I agree with politics, but unless you acknowledge the influence of politics on cyber security and how it influences policy and so on you get nowhere.

The only justification for mentioning something political on MT is to describe the context for some cyber-attacks.

 

[Zero Knowledge]

This explains wars.

The platform if for sharing work; they can share their political opinions, family photos, and religious beliefs with their family and close friends on a FB account limited to those.

Only politician who need to shart their political opinions on public accounts; they do their jon then, just as the developer has to do the job of making apps.

We already have enough quarrels on MT; definitely a new reason for more quarrels is not required

The only justification for mentioning something political on MT is to describe the context for some cyber-attacks.

Hence why I said time and a place, there better places to talk politics like X and Reddit.

This forum is pretty civil and tame though. We get the odd troll but they usually get bored and leave quickly. People get along here pretty well, everyone is polite.

 

[Wrecker4923]

because the developer is Taiwanese by nationality and has always used his software to spread his political messages; mostly against China but also Russia, lately Elon Musk, and so on.

As far as they can tell, they "selectively" targeted users in "East Asia." It would make sense about the Taiwanese; I wasn't including the Taiwanese in the East Asian group and was wondering why the APT would go after the mainland Chinese. If the report holds true, other parts of the world have to worry less.

I never like it when devs use their software to spread their political views and messages.

Yeah, political messages anywhere nowadays can come back to bite you in the a** in this day and age. Dystopias coming true.

 

[Parkinsond]

As far as they can tell, they "selectively" targeted users in "East Asia."

You mean a custom attack against a certain locoregional range of IP addresses?

 

[SeriousHoax]

But this is not the world we live in. Developers have political views and opinions and have a platform to share those views. I don't blame them for doing so.

I meant to say, of course, they can share their views but rather in their personal social media accounts and such if they want. For example, the Julian Assange case was also political and I have seen the uBO creator Raymond Hill share his views regarding the treatment of Julian Assange on his X account more than once. He was always in support of him. But he never brought those into uBO changelogs or any other uBO-related discussions.
Softwares, especially good free softwares are created for all, used by people of all backgrounds. So bringing politics into them can often create unnecessary problems.

 

[Parkinsond]

Not necessarily.
https[:]//notepad-plus-plus.org/update/getDownloadUrl.php server was only compromised.

 

[Parkinsond]

What users and organizations should do now​

The most important step is to move away from older update paths and upgrade to a version that consistently enforces signature and certificate verification.

• Manually upgrade to a current Notepad++ version and obtain installation files only from official sources.
• Where possible, verify the installer’s digital signature and compare checksums against the official release artifacts.
• If a self-signed root certificate for Notepad++ was installed in the past, remove it and clean up the trust chain.
• In enterprise environments, tune telemetry and EDR rules to detect suspicious process chains around update workflows, especially when installers are launched from temporary directories.
• If an update is aborted, review the security error log and centrally correlate suspicious anomalies.

Notepad++ Hijacked Incident Update - Ilja Schlak InfoSec Blog

Notepad++ Hijacked Incident Update. WinGUp updates were selectively redirected. Learn how to verify signatures and safely upgrade to v8.9 or later. Since then, Notepad++ has significantly hardened the update process with signature and certificate checks.

ilja-schlak.de

 

[Wrecker4923]

You mean a custom attack against a certain locoregional range of IP addresses?

I don't know that; the original security researcher said "East Asia." Since it's geospecific, I was wondering about how and the IP addresses, since so far, they have identified the problems related to the Autoupdate mechanism only (still unclear mechanism of redirection, weak .exe validation, and no PHP validation).