this post was submitted on 02 Feb 2026
Technology
Odds are you weren't on the "targeted list".
If you don't know, you're probably auto updating.
If you updated or installed in 2025 after June-ish, the safe thing to do is uninstall, then download from the new (theoretically more secure) website and install the new (theoretically more secure) 8.9.1.
If you were pwned by an update during later 2025, they could disguise just about anything in your Notepad++ and its associated files - make it look perfectly normal, make it act perfectly normal, but have their own malware on your system doing... whatever it is they want it to do.
I understand one of the things they were doing is running a proxy to carry traffic through your system, so if you see a lot of unexpected network activity (under Windoze how can you tell?) you may have been compromised. But that's not the only thing they could have done, nobody has really analyzed the attack yet and even after they do, you might have gotten a "special" payload that the analysis team didn't see...
That won't rescue your system if it is already compromised though. It will just prevent it from being newly compromised in this manner.
True, but in this case it seems worth doing due to the relatively patient, selective nature of the attack - it would at least clean out a compromised Notepad++ if it had not spread to a wider system compromise yet.
Unfortunately I do work for a targeted company (we do a lot of secret squirrel stuff) in Southeast Asia.
We get a lot of attacks.
I was looking at the attack and malware they inject (there is a blog post link on the Notepad++ notice) which pointed out how the attack worked. Apparently they run a service called bluetoothservice.exe. I didn't see anything like that or any of the other stuff they said gets created.
But then again finding malware isn't my bag so who knows.
Pretty sure my updates came via nanite installer so I'm hoping I wasn't targeted.
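A read-only triage sketch for the two checks raised in the comments above (the reported service name and per-process network activity), added here as an example and not taken from any commenter or from the Notepad++ write-up. It assumes Windows PowerShell 5.1 or later; the name `bluetoothservice` is the one quoted in the thread and is unverified, and a clean result does not rule out compromise.

```powershell
# Name as quoted in the thread above; treat it as an unverified lead, not a confirmed indicator.
$reportedName = 'bluetoothservice'

# 1. Running processes with a matching image name, plus on-disk path and signature status.
$procHits = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -like "$reportedName*" } |
    ForEach-Object {
        $sig = if ($_.ExecutablePath) {
            (Get-AuthenticodeSignature -FilePath $_.ExecutablePath).Status
        } else { 'PathUnavailable' }
        [pscustomobject]@{
            Kind = 'Process'; Name = $_.Name; ProcessId = $_.ProcessId
            Path = $_.ExecutablePath; Detail = "Signature: $sig"
        }
    }

# 2. Installed services whose name or binary path matches (running or stopped).
$svcHits = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like "*$reportedName*" -or $_.PathName -like "*$reportedName*" } |
    ForEach-Object {
        [pscustomobject]@{
            Kind = 'Service'; Name = $_.Name; ProcessId = $_.ProcessId
            Path = $_.PathName; Detail = "State: $($_.State), StartMode: $($_.StartMode)"
        }
    }

$hits = @($procHits) + @($svcHits)
if ($hits.Count) { $hits | Format-List }
else { "No process or service matching '$reportedName' (this does not prove the system is clean)." }

# 3. Established TCP connections to non-loopback peers, grouped by owning process,
#    so an unexpected program carrying a lot of traffic stands out.
$procById = @{}
Get-Process | ForEach-Object { $procById[[int]$_.Id] = $_ }

Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
    Group-Object OwningProcess |
    ForEach-Object {
        $p = $procById[[int]$_.Name]
        [pscustomobject]@{
            ProcessId   = $_.Name
            Process     = $p.ProcessName
            Path        = $p.Path   # empty when the process is protected or owned by another user
            Connections = $_.Count
            Remotes     = ($_.Group.RemoteAddress | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object Connections -Descending |
    Format-Table -AutoSize -Wrap
```

Running it from an elevated prompt fills in the `Path` column for processes owned by other accounts.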