Sophisticated Backdoor Discovered in Notepad++ Update Infrastructure

This article was generated by AI and cites original sources.

Suspected Chinese state-backed hackers compromised the update infrastructure of Notepad++, a popular text editor for Windows, for six months. The attackers redirected update traffic to deliver backdoored versions of the app to specific targets. The incident, which began last June, allowed the hackers to install a sophisticated and permanent backdoor named Chrysalis.

The author of Notepad++ acknowledged the hijacking and indicated that control was regained in December. Security firm Rapid7 described the backdoor as a "custom, feature-rich" tool, highlighting its advanced capabilities. Despite efforts to fix vulnerabilities, the attackers maintained access until December, exploiting insufficient update verification controls in older Notepad++ versions.

Incident responders discovered that the compromise persisted until September, with the threat actors retaining credentials to internal services. The hackers targeted the Notepad++ domain specifically, attempting to re-exploit weaknesses even after fixes were implemented.

This breach underscores the importance of robust security measures in software update mechanisms, as even widely used applications like Notepad++ are susceptible to sophisticated attacks.

Source: WIRED