Malware News Notepad++ updater installed malware

Github was reported several times to harbor malware!
That has no relation to their hosting getting compromised and distributing malware.
See: an open-source stealer has been on GitHub since October. There were open conversations on X, but nobody reported it to GitHub because it is perfectly fine.
 
Personally, I am very careful even when using a whole installer downloaded from GitHub, regardless of how popular the app is.

Ultimately, a GitHub account is just like any other account (MS, G, ...): it could be breached and the hosted material can get compromised.

I use installers from GitHub when there is no other alternative; if SAC/WDAC does not like the installer, I seek an alternative app, even one that meets my requirements less well than the hosted one.
 
Github was reported several times to harbor malware!

Right.

Try this to understand a little better.
Go to the link below:

Release 2026.111.1925 · uBlockOrigin/uBOL-home


Download uBOLite_2026.111.1925.firefox.signed.xpi to your PC.
Change the .xpi extension to .zip, extract it to a folder and then open manifest.json.

You will see a line where the uBOL update for Firefox is downloaded from GitHub.

It may seem dangerous to you.
It is the digital signature with which Gorhill signs uBOL for Firefox that makes the difference.
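The inspection the post describes, as an added example that is not part of the original post and not code from the uBO Lite project. It builds a stand-in .xpi (the manifest values, the extension id and the update_url are assumptions, not uBOL's real manifest), then does the rename-to-zip step, reads the Firefox update_url from manifest.json and lists the signature files under META-INF, which is where the signature the post refers to lives.

```powershell
# Added example: inspect an .xpi the way the post describes.
# The manifest below is constructed; replace $xpi with the downloaded uBOLite file to inspect the real one.
$work = Join-Path $env:TEMP ("xpi-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$work\src\META-INF" -Force | Out-Null

# Constructed manifest (assumption: values are illustrative, not uBOL's).
# browser_specific_settings.gecko.update_url is the field an extension uses to
# point Firefox at its own update feed instead of addons.mozilla.org.
@'
{
  "manifest_version": 3,
  "name": "sample-extension",
  "version": "1.0.0",
  "browser_specific_settings": {
    "gecko": {
      "id": "sample@example.invalid",
      "update_url": "https://example.invalid/updates.json"
    }
  }
}
'@ | Set-Content -Path "$work\src\manifest.json" -Encoding UTF8
# Placeholder for the AMO signature file; a real signed .xpi carries mozilla.rsa/mozilla.sf/manifest.mf here.
'placeholder' | Set-Content -Path "$work\src\META-INF\mozilla.rsa"

Compress-Archive -Path "$work\src\*" -DestinationPath "$work\sample.zip" -Force
Rename-Item -Path "$work\sample.zip" -NewName 'sample.xpi'
$xpi = "$work\sample.xpi"

function Get-XpiUpdateInfo {
    param([Parameter(Mandatory)] [string] $XpiPath)
    $out = Join-Path (Split-Path $XpiPath) 'extracted'
    # An .xpi is a zip, but Expand-Archive insists on a .zip extension: copy under that name,
    # which is the same "change xpi to zip" step the post describes.
    $zip = [IO.Path]::ChangeExtension($XpiPath, '.zip')
    Copy-Item -Path $XpiPath -Destination $zip -Force
    Expand-Archive -Path $zip -DestinationPath $out -Force

    $manifest = Get-Content -Path (Join-Path $out 'manifest.json') -Raw | ConvertFrom-Json
    $sigFiles = Get-ChildItem -Path (Join-Path $out 'META-INF') -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Name      = $manifest.name
        Version   = $manifest.version
        UpdateUrl = $manifest.browser_specific_settings.gecko.update_url
        # Firefox refuses unsigned extensions by default; the files in META-INF carry that signature,
        # so the update host matters less than whether the package is signed.
        Signed    = [bool]($sigFiles -contains 'mozilla.rsa')
        SigFiles  = ($sigFiles -join ', ')
    }
}

Get-XpiUpdateInfo -XpiPath $xpi | Format-List
Remove-Item -Path $work -Recurse -Force
```

The presence of mozilla.rsa only shows the package was signed at some point; whether the signature still verifies is decided by Firefox when it installs or updates the extension.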
 
You compare a big tech company like Mozilla to freelance developers when it comes to taking care of their download servers, even if it is GitHub?
 
Is it in any way possible that one of the reasons the Chinese state-sponsored group attacked Notepad++ is because the developer is Taiwanese by nationality and has always used his software to spread his political messages, mostly against China but also Russia, lately Elon Musk, and so on? Interestingly, he never said anything about the Israel vs Gaza situation or Iran's regime, so his so-called virtue-signaling empathy is rather selective, not universal.
I never like it when devs use their software to spread their political views and messages. It unnecessarily makes the software a target, and the users become victims.
Political opinions should be reserved for personal blogs, social media and similar platforms. They should not come with software changelogs. It's more common in the Linux world.

I see that this first happened in June 2025. I don't know if I had updated Notepad++ using the built-in updater since then. I usually use sudo winget upgrade --all when updates are available, but once or twice I have used the built-in updater also.
I have since reinstalled my Windows so I don't have a way to know if I was affected by this.
I still have Notepad++ installed but switched to using Sublime Text as my default text editor 2-3 months ago.

A deep dive and IOCs have been published recently:

 
but also Russia
Kaspersky will flag it as PUP 🤨
Political opinions should be reserved for personal blogs, social medias and similar platforms.
They should be reserved for family and real-life friends; on MT, I always avoid any politically flavored discussion; no one will succeed in convincing the other of their point of view, you only get more enemies.
 

Political opinions should be reserved for personal blogs, social medias and similar platforms. It should not come with software changelogs. It's more common in the Linux world.
But this is not the world we live in. Developers have political views and opinions and have a platform to share those views. I don't blame them for doing so.

When people say keep politics out of security forums or any forums, they really mean 'I have strong political views, I'm right, you're wrong and I'm not going to listen to you'.

There is a time and a place, I agree, but unless you acknowledge the influence of politics on cyber security and how it influences policy and so on, you get nowhere.
 
Thank you! I cannot like your post, so I am doing it here :)
This is how it looks after applying the registry changes from the cmd files.

Capture.JPG
 
But this is not the world we live in
This explains wars.
Developers have political views and opinions and have a platform to share those views
The platform is for sharing work; they can share their political opinions, family photos and religious beliefs with their family and close friends on a FB account limited to those.

Only politicians need to share their political opinions on public accounts; they are doing their job then, just as the developer has to do the job of making apps.
When people say keep politics out of security forums or any forums, they really mean 'I have strong political views, I'm right, you're wrong and I'm not going to listen to you'.
We already have enough quarrels on MT; definitely a new reason for more quarrels is not required.
There is a time and place I agree with politics, but unless you acknowledge the influence of politics on cyber security and how it influences policy and so on you get nowhere.
The only justification for mentioning something political on MT is to describe the context for some cyber-attacks.
 
Hence why I said a time and a place; there are better places to talk politics, like X and Reddit.

This forum is pretty civil and tame though. We get the odd troll but they usually get bored and leave quickly. People get along here pretty well, everyone is polite.
 
because the developer is Taiwanese by nationality and has always used his software to spread his political messages; mostly against China but also Russia, lately Elon Musk, and so on.
As far as they can tell, they "selectively" targeted users in "East Asia." It would make sense about the Taiwanese; I wasn't including the Taiwanese in the East Asian group and was wondering why the APT would go after the mainland Chinese. If the report holds true, other parts of the world have to worry less.
I never like it when devs use their software to spread their political views and messages.
Yeah, political messages anywhere nowadays can come back to bite you in the a** in this day and age. Dystopias coming true.
 
But this is not the world we live in. Developers have political views and opinions and have a platform to share those views. I don't blame them for doing so.
I meant to say, of course, they can share their views but rather in their personal social media accounts and such if they want. For example, the Julian Assange case was also political and I have seen the uBO creator Raymond Hill share his views regarding the treatment of Julian Assange on his X account more than once. He was always in support of him. But he never brought those into uBO changelogs or any other uBO-related discussions.
Software, especially good free software, is created for all and used by people of all backgrounds, so bringing politics into it can often create unnecessary problems.
 

What users and organizations should do now

The most important step is to move away from older update paths and upgrade to a version that consistently enforces signature and certificate verification.
  • Manually upgrade to a current Notepad++ version and obtain installation files only from official sources.
  • Where possible, verify the installer’s digital signature and compare checksums against the official release artifacts.
  • If a self-signed root certificate for Notepad++ was installed in the past, remove it and clean up the trust chain.
  • In enterprise environments, tune telemetry and EDR rules to detect suspicious process chains around update workflows, especially when installers are launched from temporary directories.
  • If an update is aborted, review the security error log and centrally correlate suspicious anomalies.
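The checksum, signature, trust-store and process-chain items above, as one added PowerShell example; it is not code from the article or from the Notepad++ project. Assumptions: the expected SHA-256 is copied by the operator from the official release page; the subject pattern passed to Find-SelfSignedRoot is a guess at how a previously imported self-signed root would be named; the parent-process pattern and the process records in $sampleEvents are constructed for illustration, not real telemetry.

```powershell
# Added example, not code from the article or the Notepad++ project.

function Test-ReleaseArtifact {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256   # from the official release page
    )
    # Checksum first: a tampered download fails here before any signature logic runs.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedSha256) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "SHA-256 mismatch: $hash" }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "Authenticode $($sig.Status): $($sig.StatusMessage)" }
    }
    $cert = $sig.SignerCertificate
    # 'Valid' only means the chain ends in a root this machine trusts. A self-signed
    # signer (Subject equals Issuer) passes if its root was imported earlier, which is
    # exactly the situation the cleanup bullet warns about, so reject it explicitly.
    if ($cert.Subject -eq $cert.Issuer) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "self-signed signer: $($cert.Subject)" }
    }
    [pscustomobject]@{ Path = $Path; Ok = $true; Reason = "signer $($cert.Subject); issuer $($cert.Issuer)" }
}

function Find-SelfSignedRoot {
    # Lists self-signed certificates matching the pattern in the stores an installer
    # could have written to. Remove a hit with:
    #   Remove-Item -Path "<Store>\<Thumbprint>"    (run with -WhatIf first)
    param([Parameter(Mandatory)] [string] $SubjectPattern)   # assumption: e.g. 'Notepad\+\+'
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
              'Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -match $SubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{ Store = $store; Subject = $_.Subject; Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter }
            }
    }
}

function Find-SuspiciousUpdateChain {
    # Detection for the EDR bullet: process-creation records (Sysmon event 1 shaped)
    # where an updater parent launches an executable out of a temp directory. The
    # legitimate updater does this too, so the output is a triage list, not a verdict:
    # follow up each hit with Test-ReleaseArtifact on the spawned file if it still exists.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string] $ParentPattern = 'GUP\.exe$|notepad\+\+\.exe$'   # assumption: adjust to your inventory
    )
    $tempPattern = '\\AppData\\Local\\Temp\\|\\Windows\\Temp\\'
    foreach ($e in $Events) {
        if ($e.ParentImage -match $ParentPattern -and $e.Image -match $tempPattern) {
            [pscustomobject]@{ Time = $e.Time; Parent = $e.ParentImage; Image = $e.Image; CommandLine = $e.CommandLine }
        }
    }
}

# Constructed sample records (not real telemetry): one updater-to-temp chain, one normal launch.
$sampleEvents = @(
    [pscustomobject]@{ Time = '2025-06-12T10:01:00Z'; ParentImage = 'C:\Program Files\Notepad++\updater\GUP.exe'
                       Image = 'C:\Users\alice\AppData\Local\Temp\npp.Installer.x64.exe'; CommandLine = 'npp.Installer.x64.exe /S' }
    [pscustomobject]@{ Time = '2025-06-12T10:02:00Z'; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Program Files\Notepad++\notepad++.exe'; CommandLine = 'notepad++.exe' }
)
Find-SuspiciousUpdateChain -Events $sampleEvents | Format-Table -AutoSize

# Real-world calls (placeholders to fill from the official release page and your own hosts):
# Test-ReleaseArtifact -Path "$env:USERPROFILE\Downloads\npp.Installer.x64.exe" -ExpectedSha256 '<hash from release page>'
# Find-SelfSignedRoot -SubjectPattern 'Notepad\+\+'
```

Only the first constructed record matches the chain rule; the second is a normal launch from Explorer. Run Find-SelfSignedRoot and Test-ReleaseArtifact in an elevated session, since the LocalMachine stores and files under Program Files are not readable otherwise, and inspect Find-SelfSignedRoot's output before removing anything, because the same Subject-equals-Issuer filter also matches legitimate enterprise roots if the pattern is too broad.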