
The update infrastructure for Notepad++, a popular Windows text editor, was under attack for a staggering six months, allegedly by hackers linked to the Chinese government. The breach enabled the attackers to deliver modified versions of the application to select users, raising serious concerns about supply chain security.

In a statement released on the official Notepad++ website, the project's author expressed deep regret for the incident, which started in June. The compromise allowed malicious actors to intercept update traffic intended for notepad-plus-plus.org and redirect it to malicious servers designed to deliver backdoored updates.

Notepad++ regained control of its update mechanism only in December, following consultations with incident response teams. It was discovered that the update infrastructure remained compromised until September 2, with attackers retaining access to internal services until December 2, allowing them continued manipulation of update traffic.

The threat actors specifically targeted Notepad++ to exploit weaknesses in older versions' update verification processes. Investigations revealed that the hackers attempted to re-exploit a recently patched vulnerability, although this effort was unsuccessful.

Independent cybersecurity researcher Kevin Beaumont reported that three organizations, all with interests in East Asia, encountered security incidents linked to Notepad++ installations. These incidents allowed the attackers to gain direct control over the affected devices through a web interface.

The situation drew greater scrutiny following the release of Notepad++ version 8.8.8.8 in mid-November, which included critical updates to strengthen the updater’s security against potential hijacking attempts. This version introduced significant changes to the custom updater, known as GUP or WinGUP, aimed at enhancing its resilience against such attacks.