Notepad++ hijacked by state-sponsored actors

Beloved text app dragged into spy drama — users split on politics, hosting, and trust

TLDR: Notepad++ says its hosting was hacked, letting attackers redirect some update downloads; researchers suspect a China-backed group. Comments clash over politics vs. bad practices, push for stronger signing on separate servers, and demand the host’s name—trust in everyday tools takes a hit.

The internet’s favorite no-frills text editor, Notepad++, just dropped a bomb: hackers allegedly hijacked its update traffic via the hosting provider’s servers, selectively redirecting some users to bad downloads. Security experts say the culprits are likely state-backed—cue the comment section turning into a popcorn-fueled thriller. One camp is yelling, “Name the host!” and “Show the receipts,” while another’s pointing at supply-chain nightmares: tiny teams maintaining huge tools means one hit can ripple through entire companies. Meanwhile, conspiracy sleuths link it to Notepad++’s earlier “About Taiwan” post, suggesting politics may have painted a target.

The hosting provider’s letter reads like an episode of CSI: Patch Notes—compromise until early September, lingering credentials until December, and laser-focused traffic interception aimed at Notepad++. Some commenters say the statement “reads like a state actor wrote it,” stoking drama over tone and transparency. Security-minded folks wag fingers at update hygiene: sign everything, verify on different servers, and stop pushing critical updates from shared hosting like it’s a hobby blog. Jokes flew too—“Ctrl+C, Ctrl+Spy,” “Notepad++Gate,” and memes about editors becoming geopolitics. The community’s split: sympathize with the dev, roast the hosting, and demand a full postmortem—preferably yesterday.

Key Points

  • Attackers compromised the hosting provider’s infrastructure to intercept and redirect Notepad++ update traffic.
  • The compromise targeted certain users with malicious update manifests; Notepad++ code was not the entry point.
  • Activity began in June 2025; attackers likely linked to a Chinese state-sponsored group, per researchers.
  • Direct server access ended on September 2, 2025 after maintenance, but stolen credentials enabled redirection until December 2, 2025.
  • The hosting provider fixed vulnerabilities, rotated credentials, migrated clients, and found no ongoing compromise after December 2, 2025.
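The commenters' fix ("sign everything, verify on different servers") and the manifest redirection in the key points above come down to one design rule: the key that signs an update manifest must never live on the host that serves it. The following Go sketch is an added example, not Notepad++'s updater or any real project's code; the `Manifest` layout, `SignManifest` and `VerifyUpdate` are hypothetical, and the key pair and installer bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update manifest as served from the download host;
// Signature is produced offline by the publisher, never on that host.
type Manifest struct {
	Version   string `json:"version"`
	URL       string `json:"url"`
	SHA256    string `json:"sha256"`
	Signature []byte `json:"signature"`
}

// payload is what gets signed: the manifest with Signature cleared (fixed field order keeps the JSON deterministic).
func payload(m Manifest) []byte {
	m.Signature = nil
	b, _ := json.Marshal(m)
	return b
}
// SignManifest runs on the publisher's offline signing machine.
func SignManifest(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Signature = ed25519.Sign(priv, payload(m))
	return m
}
// VerifyUpdate is the client side: the pinned publisher key checks the manifest,
// then the installer is checked against the hash the signed manifest carries.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pinned, payload(m), m.Signature) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer hash does not match signed manifest")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair for the demo
	installer := []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	m := SignManifest(priv, Manifest{Version: "1.2.3", URL: "https://example.invalid/app.exe", SHA256: hex.EncodeToString(sum[:])})
	fmt.Println("genuine:", VerifyUpdate(pub, m, installer))
	m.URL = "https://redirected.invalid/app.exe" // the one field a compromised host could rewrite
	fmt.Println("redirected:", VerifyUpdate(pub, m, installer))
}
```

With the public key pinned in the client, a host-side rewrite of the download URL or a swapped installer both fail before anything is executed; the remaining risk is the offline signing key itself, which is why it belongs on a separate, tightly controlled machine.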

Hottest takes

“reads like it was written by a state actor” — johnsillings
“wide open attack surface on most tech companies” — jmole
“update signatures should be validated on a different server” — OsrsNeedsf2P
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.