Ugrabitev posodobitve Notepad++: kaj šestmesečna kršitev uči o zaupanju v posodobitve

Notepad++ pravi, da je bil njegov posodobitveni promet leta 2025 več mesecev ugrabljen, napadalci pa so nekatere uporabnike prestrezali in selektivno preusmerjali na zlonamerno infrastrukturo. BleepingComputer poroča, da se je vdor začel junija 2025 in končal 2. decembra, potem ko je ponudnik gostovanja zaznal kršitev in prekinil dostop.

Incident je koristen opomnik, da »prenos prek HTTPS« ni popolna varnostna zgodba. Sistemi za posodabljanje potrebujejo močno, celovito preverjanje – saj je lahko ogrožena infrastruktura, ki ji zaupate.

Kaj so napadalci izkoristili

BleepingComputer opisuje vrzel v kontrolnikih za preverjanje posodobitev v starejših različicah Notepad++, ki napadalcem omogoča streženje spremenjenih manifestov posodobitev in preusmerjanje prenosov.

Kampanja je bila menda ozka in selektivna, kar je skladno z akterjem, ki mu je bolj mar za dostop do določenih ciljnih skupin kot za množično distribucijo.

Časovnica je pomembna:

Začetni kompromis junija 2025
Začasne motnje v začetku septembra po posodobitvah jedra/vdelane programske opreme
Nadaljnji dostop prek ukradenih internih poverilnic do 2. decembra

Ta korak »poverilnice so preživele sanacijo« je klasičen primer napake pri odzivanju na incidente: namestitev popravkov na strežnik ni dovolj, če ima napadalec že ključe.

Kaj se je Notepad++ spremenil po incidentu

BleepingComputer poroča, da je Notepad++ odjemalce preselil k novemu ponudniku gostovanja, zamenjal poverilnice in izboljšal preverjanje.

Od različice 8.8.9 naprej, WinGUP:

Preveri potrdila in podpise monterja
Uporablja kriptografsko podpisan XML za posodobitve

Projekt načrtuje tudi uvedbo obveznega preverjanja podpisa potrdila v različici 8.9.2.

To napredovanje – neobvezna preverjanja → močnejša preverjanja → obvezna preverjanja – je natanko to, kako naj bi se distribucija programske opreme sčasoma utrdila.

Zlonamerna programska oprema: Chrysalis in atribucija

BleepingComputer se sklicuje na raziskavo Rapid7, ki pripisuje povezano kampanjo kitajski APT skupini, znani kot Lotus Blossom (opisana tudi z drugimi vzdevki), in prilagojenemu zadnjemu vdoru Rapid7 z imenom »Chrysalis«.

Pri ciljno usmerjenih incidentih v dobavni verigi je koristni tovor pogosto prilagojen. Zato ključna obramba ni »zaznavanje te natančne zlonamerne programske opreme«, temveč »onemogočanje dostave kakršnega koli nepooblaščenega koristnega tovora prek programa za posodabljanje«.

Kaj bi morale organizacije storiti drugače

Če upravljate programsko opremo v poslovnem okolju, ta incident kaže na nekaj obrambnih napak:

Izogibajte se samodejnim posodobitvam za potrošnikena kritičnih sistemih, kjer je to mogoče.
Uporabite upravljano distribucijo programske opreme(podpisani paketi v internih repozitorijih, Intune/SCCM itd.).
Pripni in preveri podpiseza namestitvene programe in posodobitve.
Spremljajte »poti posodobitev«kot kritična infrastruktura: DNS, pravilniki inšpekcijskega pregleda TLS, vedenje posredniškega strežnika in verige izvajanja končnih točk.

Če ste individualni uporabnik, so praktični koraki preprostejši:

Posodobite na trenutno različico Notepad++ z uradne strani
Bodite sumničavi do pozivov k posodobitvi, ki niso videti kot običajni namestitveni program
Izogibajte se oglasom »prenesi zdaj« v rezultatih iskanja, ki posnemajo uradne strani

Bistvo

Šestmesečni napad na posodobitve Notepad++ ni bil posledica ene same napake – šlo je za meje zaupanja. Če lahko napadalec spremeni manifest ali so preverjanja podpisov šibka, »posodobitve« postanejo načrtovano oddaljeno izvajanje kode. Rešitev je celovito preverjanje, ki ga ni mogoče zaobiti, tudi če ponudnik gostovanja postane lastnik.

Viri

Document Title
Notepad++ update hijack: what the six-month breach teaches about updater trust	Ugrabitev posodobitve Notepad++: kaj šestmesečna kršitev uči o zaupanju v posodobitve

BleepingComputer reports Notepad++ update traffic was hijacked in 2025, with selective redirects to malicious servers and later attribution to a Chinese state-linked actor. Here’s what failed, what was fixed, and how orgs can harden software distribution.	BleepingComputer poroča, da je bil promet posodobitev Notepad++ ugrabljen leta 2025, s selektivnimi preusmeritvami na zlonamerne strežnike in kasnejšim pripisovanjem kitajskemu državnemu akterju. Tukaj je opisano, kaj ni uspelo, kaj je bilo popravljeno in kako lahko organizacije okrepijo distribucijo programske opreme.
Title Attribute
oEmbed (JSON)
oEmbed (XML)
JSON
View all posts by Admin	Oglejte si vse objave avtorja Admin
Microsoft says a Windows update bug can prevent shutdown—what’s affected and the workaround	Microsoft pravi, da lahko napaka v posodobitvi sistema Windows prepreči zaustavitev sistema – kaj je prizadeto in kako jo rešiti
The Arctic is getting louder and narwhals are getting quieter: why underwater noise matters	Arktika postaja glasnejša, narvali pa tišji: zakaj je podvodni hrup pomemben
Page Content
Notepad++ update hijack: what the six-month breach teaches about updater trust	Ugrabitev posodobitve Notepad++: kaj šestmesečna kršitev uči o zaupanju v posodobitve
Nature
Climate
/
Technology
/ By
Admin
Notepad++ says its update traffic was hijacked for months in 2025, with attackers intercepting and selectively redirecting some users to malicious infrastructure. BleepingComputer reports the compromise began in June 2025 and ended on December 2, after the hosting provider detected the breach and cut off access.	Notepad++ pravi, da je bil njegov posodobitveni promet leta 2025 več mesecev ugrabljen, napadalci pa so nekatere uporabnike prestrezali in selektivno preusmerjali na zlonamerno infrastrukturo. BleepingComputer poroča, da se je vdor začel junija 2025 in končal 2. decembra, potem ko je ponudnik gostovanja zaznal kršitev in prekinil dostop.
The incident is a useful reminder that “download over HTTPS” is not a complete security story. Update systems need strong, end-to-end verification—because the infrastructure you trust can be the thing that gets compromised.	Incident je koristen opomnik, da »prenos prek HTTPS« ni popolna varnostna zgodba. Sistemi za posodabljanje potrebujejo močno, celovito preverjanje – saj je lahko ogrožena infrastruktura, ki ji zaupate.
What the attackers exploited
BleepingComputer describes a gap in update verification controls in older Notepad++ versions, enabling attackers to serve tampered update manifests and redirect downloads.	BleepingComputer opisuje vrzel v kontrolnikih za preverjanje posodobitev v starejših različicah Notepad++, ki napadalcem omogoča streženje spremenjenih manifestov posodobitev in preusmerjanje prenosov.
The campaign was reportedly narrow and selective, consistent with an actor that cares more about access to specific targets than mass distribution.	Kampanja je bila menda ozka in selektivna, kar je skladno z akterjem, ki mu je bolj mar za dostop do določenih ciljnih skupin kot za množično distribucijo.
The timeline matters:
Initial compromise in June 2025
Temporary disruption in early September after kernel/firmware updates	Začasne motnje v začetku septembra po posodobitvah jedra/vdelane programske opreme
Continued access via stolen internal credentials until December 2	Nadaljnji dostop prek ukradenih internih poverilnic do 2. decembra
That “credentials survived remediation” step is a classic incident-response failure: patching the server isn’t enough if the attacker already has keys.	Ta korak »poverilnice so preživele sanacijo« je klasičen primer napake pri odzivanju na incidente: namestitev popravkov na strežnik ni dovolj, če ima napadalec že ključe.
What Notepad++ changed after the incident	Kaj se je Notepad++ spremenil po incidentu
BleepingComputer reports Notepad++ migrated clients to a new hosting provider, rotated credentials, and improved verification.	BleepingComputer poroča, da je Notepad++ odjemalce preselil k novemu ponudniku gostovanja, zamenjal poverilnice in izboljšal preverjanje.
Starting with version 8.8.9, WinGUP:	Od različice 8.8.9 naprej, WinGUP:
Verifies installer certificates and signatures	Preveri potrdila in podpise monterja
Uses cryptographically signed update XML	Uporablja kriptografsko podpisan XML za posodobitve
The project also plans to enforce mandatory certificate signature verification in version 8.9.2.	Projekt načrtuje tudi uvedbo obveznega preverjanja podpisa potrdila v različici 8.9.2.
That progression—optional checks → stronger checks → mandatory checks—is exactly how software distribution should harden over time.	To napredovanje – neobvezna preverjanja → močnejša preverjanja → obvezna preverjanja – je natanko to, kako naj bi se distribucija programske opreme sčasoma utrdila.
The malware angle: Chrysalis and attribution	Zlonamerna programska oprema: Chrysalis in atribucija
BleepingComputer references Rapid7 research attributing a related campaign to a Chinese APT group known as Lotus Blossom (also described with other aliases) and a custom backdoor Rapid7 named “Chrysalis.”	BleepingComputer se sklicuje na raziskavo Rapid7, ki pripisuje povezano kampanjo kitajski APT skupini, znani kot Lotus Blossom (opisana tudi z drugimi vzdevki), in prilagojenemu zadnjemu vdoru Rapid7 z imenom »Chrysalis«.
In targeted supply-chain incidents, the payload is often bespoke. That’s why the key defense is not “detect this exact malware,” but “make it hard to deliver any unauthorized payload through the updater.”	Pri ciljno usmerjenih incidentih v dobavni verigi je koristni tovor pogosto prilagojen. Zato ključna obramba ni »zaznavanje te natančne zlonamerne programske opreme«, temveč »onemogočanje dostave kakršnega koli nepooblaščenega koristnega tovora prek programa za posodabljanje«.
What organizations should do differently	Kaj bi morale organizacije storiti drugače
If you manage software in an enterprise environment, this incident points to a few defensive defaults:	Če upravljate programsko opremo v poslovnem okolju, ta incident kaže na nekaj obrambnih napak:
Avoid consumer auto-updaters	Izogibajte se samodejnim posodobitvam za potrošnike
on critical systems where possible.	na kritičnih sistemih, kjer je to mogoče.
Use managed software distribution	Uporabite upravljano distribucijo programske opreme
(signed packages in internal repos, Intune/SCCM, etc.).	(podpisani paketi v internih repozitorijih, Intune/SCCM itd.).
Pin and verify signatures
for installers and updates.	za namestitvene programe in posodobitve.
Monitor “update paths”	Spremljajte »poti posodobitev«
as critical infrastructure: DNS, TLS inspection policies, proxy behavior, and endpoint execution chains.	kot kritična infrastruktura: DNS, pravilniki inšpekcijskega pregleda TLS, vedenje posredniškega strežnika in verige izvajanja končnih točk.
If you’re an individual user, the practical steps are simpler:	Če ste individualni uporabnik, so praktični koraki preprostejši:
Update to a current Notepad++ version from the official site	Posodobite na trenutno različico Notepad++ z uradne strani
Be suspicious of update prompts that don’t look like the normal installer	Bodite sumničavi do pozivov k posodobitvi, ki niso videti kot običajni namestitveni program
Avoid “download now” ads in search results that mimic official pages	Izogibajte se oglasom »prenesi zdaj« v rezultatih iskanja, ki posnemajo uradne strani
Bottom line
Notepad++’s six-month update hijack wasn’t about a single bug—it was about trust boundaries. If an attacker can alter the manifest or the signature checks are weak, “updates” become remote code execution by design. The fix is end-to-end verification you can’t bypass, even when the hosting provider gets owned.	Šestmesečni napad na posodobitve Notepad++ ni bil posledica ene same napake – šlo je za meje zaupanja. Če lahko napadalec spremeni manifest ali so preverjanja podpisov šibka, »posodobitve« postanejo načrtovano oddaljeno izvajanje kode. Rešitev je celovito preverjanje, ki ga ni mogoče zaobiti, tudi če ponudnik gostovanja postane lastnik.
Sources
https://www.bleepingcomputer.com/news/security/notepad-plus-plus-update-feature-hijacked-by-chinese-state-hackers-for-months/	https://www.bleepingcomputer.com/news/security/notepad-plus-plus-update-feature-hijacked-by-chinese-state-hackers-for-months/
https://notepad-plus-plus.org/news/hijacked-incident-info-update/	https://notepad-plus-plus.org/news/hijacked-incident-info-update/
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/	https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
←
Previous Post
Next Post
→
oEmbed (JSON)
oEmbed (XML)
JSON
View all posts by Admin	Oglejte si vse objave avtorja Admin
Microsoft says a Windows update bug can prevent shutdown—what’s affected and the workaround	Microsoft pravi, da lahko napaka v posodobitvi sistema Windows prepreči zaustavitev sistema – kaj je prizadeto in kako jo rešiti
The Arctic is getting louder and narwhals are getting quieter: why underwater noise matters	Arktika postaja glasnejša, narvali pa tišji: zakaj je podvodni hrup pomemben
BleepingComputer reports Notepad++ update traffic was hijacked in 2025, with selective redirects to malicious servers and later attribution to a Chinese state-linked actor. Here’s what failed, what was fixed, and how orgs can harden software distribution.	BleepingComputer poroča, da je bil promet posodobitev Notepad++ ugrabljen leta 2025, s selektivnimi preusmeritvami na zlonamerne strežnike in kasnejšim pripisovanjem kitajskemu državnemu akterju. Tukaj je opisano, kaj ni uspelo, kaj je bilo popravljeno in kako lahko organizacije okrepijo distribucijo programske opreme.

Document Title

Notepad++ update hijack: what the six-month breach teaches about updater trust

BleepingComputer reports Notepad++ update traffic was hijacked in 2025, with selective redirects to malicious servers and later attribution to a Chinese state-linked actor. Here’s what failed, what was fixed, and how orgs can harden software distribution.

Title Attribute

oEmbed (JSON)

oEmbed (XML)

JSON

View all posts by Admin

Microsoft says a Windows update bug can prevent shutdown—what’s affected and the workaround

The Arctic is getting louder and narwhals are getting quieter: why underwater noise matters

Page Content

Notepad++ update hijack: what the six-month breach teaches about updater trust

Nature

Climate

Technology

/ By

Admin

Notepad++ says its update traffic was hijacked for months in 2025, with attackers intercepting and selectively redirecting some users to malicious infrastructure. BleepingComputer reports the compromise began in June 2025 and ended on December 2, after the hosting provider detected the breach and cut off access.

The incident is a useful reminder that “download over HTTPS” is not a complete security story. Update systems need strong, end-to-end verification—because the infrastructure you trust can be the thing that gets compromised.

What the attackers exploited

BleepingComputer describes a gap in update verification controls in older Notepad++ versions, enabling attackers to serve tampered update manifests and redirect downloads.

The campaign was reportedly narrow and selective, consistent with an actor that cares more about access to specific targets than mass distribution.

The timeline matters:

Initial compromise in June 2025

Temporary disruption in early September after kernel/firmware updates

Continued access via stolen internal credentials until December 2

That “credentials survived remediation” step is a classic incident-response failure: patching the server isn’t enough if the attacker already has keys.

What Notepad++ changed after the incident

BleepingComputer reports Notepad++ migrated clients to a new hosting provider, rotated credentials, and improved verification.

Starting with version 8.8.9, WinGUP:

Verifies installer certificates and signatures

Uses cryptographically signed update XML

The project also plans to enforce mandatory certificate signature verification in version 8.9.2.

That progression—optional checks → stronger checks → mandatory checks—is exactly how software distribution should harden over time.

The malware angle: Chrysalis and attribution

BleepingComputer references Rapid7 research attributing a related campaign to a Chinese APT group known as Lotus Blossom (also described with other aliases) and a custom backdoor Rapid7 named “Chrysalis.”

In targeted supply-chain incidents, the payload is often bespoke. That’s why the key defense is not “detect this exact malware,” but “make it hard to deliver any unauthorized payload through the updater.”

What organizations should do differently

If you manage software in an enterprise environment, this incident points to a few defensive defaults:

Avoid consumer auto-updaters

on critical systems where possible.

Use managed software distribution

(signed packages in internal repos, Intune/SCCM, etc.).

Pin and verify signatures

for installers and updates.

Monitor “update paths”

as critical infrastructure: DNS, TLS inspection policies, proxy behavior, and endpoint execution chains.

If you’re an individual user, the practical steps are simpler:

Update to a current Notepad++ version from the official site

Be suspicious of update prompts that don’t look like the normal installer

Avoid “download now” ads in search results that mimic official pages

Bottom line

Notepad++’s six-month update hijack wasn’t about a single bug—it was about trust boundaries. If an attacker can alter the manifest or the signature checks are weak, “updates” become remote code execution by design. The fix is end-to-end verification you can’t bypass, even when the hosting provider gets owned.

Sources

https://www.bleepingcomputer.com/news/security/notepad-plus-plus-update-feature-hijacked-by-chinese-state-hackers-for-months/

https://notepad-plus-plus.org/news/hijacked-incident-info-update/

https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

←

→

oEmbed (JSON)

oEmbed (XML)

JSON

View all posts by Admin

Microsoft says a Windows update bug can prevent shutdown—what’s affected and the workaround

The Arctic is getting louder and narwhals are getting quieter: why underwater noise matters

Document Title
Page not found - Florin.blog	Strani ni bilo mogoče najti - Florin.blog
Image Alt
Florin.blog
Title Attribute
Florin.blog » Feed
RSD
Skip to content
Placeholder Attribute
Search...
Page Content
Page not found - Florin.blog	Strani ni bilo mogoče najti - Florin.blog
Skip to content
Home
Blog
Garden Decor
Indoor
Main Menu
This page doesn't seem to exist.	Zdi se, da ta stran ne obstaja.
It looks like the link pointing here was faulty. Maybe try searching?	Zdi se, da je bila povezava, ki je vodila sem, napačna. Morda poskusite z iskanjem?
Search for:
Search
Quick Links
Outdoors
About
Contact
Explore
Bestsellers
Hot deals
Best of The Year
Featured
Gift Cards
Help
Privacy Policy
Disclaimer
: As an Amazon Associate, we earn from qualifying purchases — at no extra cost to you.	Kot Amazon Associate zaslužimo s kvalificiranimi nakupi – brez dodatnih stroškov za vas.
Florin.blog
Florin.blog » Feed
RSD
Search...

Document Title

Page not found - Florin.blog

Image Alt

Florin.blog

Title Attribute

Florin.blog » Feed

RSD

Placeholder Attribute

Search...

Page Content

Page not found - Florin.blog

Home

Blog

Garden Decor

Indoor

Main Menu

This page doesn't seem to exist.

It looks like the link pointing here was faulty. Maybe try searching?

Search for:

Quick Links

Outdoors

About

Contact

Explore

Bestsellers

Hot deals

Best of The Year

Featured

Gift Cards

Help

Disclaimer

: As an Amazon Associate, we earn from qualifying purchases — at no extra cost to you.

Florin.blog

Florin.blog » Feed

RSD

Search...