Notepad++ publishes a blog post saying they caught a probably-Chinese state actor hijacking their product in an attack against highly-selective targets that began last June: https://notepad-plus-plus.org/news/hijacked-incident-info-update/
In the page's linked article at
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/ the mention of "undocumented system calls" in Microsoft Windows should serve as a warning not to use Windows at all, as it clearly can't be trusted. The cited name of one of those calls ("NtQuerySystemInformation") amused me by evoking memories of using Windows NT circa 1996.
Apparently Microsoft hasn't been adequately compelled to improve its products in the last 30 years.
I learned a new term of art: "indicator of compromise" (IoC).
(Computer forensics is outside my area of expertise.)
@evacide This sort of thing has been on the rise for years; the hosting company should be publicized to reduce the incentive to side with bad actors.
@evacide I love Notepad++; it's my go-to IDE.
https://apps.kde.org/kate/
https://kate-editor.org/
Even has a Windows version.
@evacide What we need to do comes at the end:
"I deeply apologize to all users affected by this hijacking. I recommend downloading v8.9.1 (which includes the relevant security enhancement) and running the installer to update your Notepad++ manually."
@evacide It's ironic that my company blocks anything with that domain in it. Including the SMB share we're supposed to download it from...
In this case, I'm a sysadmin and won't be able to read and react to this because IT has it blocked.
These are the same people who allow access to the Daily Mail, but not The Guardian...
@evacide I vaguely remember reading about an attack like this on notepad++ many years ago. What a pain to be the target of this stuff!