zlacker

9 comments
1. daemon+(OP) 2026-02-02 03:00:04
So what mitigations should the end user be doing? How do we know if anything is compromised?
replies(3): >>averev+o1 >>kijin+t2 >>userna+x6
2. averev+o1 2026-02-02 03:11:06
>>daemon+(OP)
Right, the writeup doesn't mention when it started and what versions are affected.
replies(2): >>hug+C1 >>freita+06
3. hug+C1 2026-02-02 03:13:30
>>averev+o1
> Based on both assessments, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.

FTA.

4. kijin+t2 2026-02-02 03:22:11
>>daemon+(OP)
Download the latest version and install that, instead of using the auto update feature of an old version that might not properly check signatures.

As for whether anything else has been compromised, it depends on whether you were targeted. And the payload might have been tailored to each target, so there's no way to know unless you have access to the exact binary. Unfortunately, binaries downloaded through the auto update feature tend not to linger in your Downloads folder.

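The manual step kijin describes (fetch a fresh installer yourself and check it against the published digests rather than trusting an old updater) as an added example, not code from the page or from the Notepad++ project. The installer bytes, the file name `npp.installer.exe` and the checksum list are constructed inline so it runs offline; the parser accepts the `sha256sum` layout ("<hex digest>  <file>" or "<hex digest> *<file>") that most projects publish, and a missing entry is treated as a failure, since whoever can swap the binary can also drop its line from an unsigned list.

```python
"""Verify a downloaded installer against a sha256sum-style checksum list.

Added example (not the page's or the project's code). The sample installer
bytes and the checksum text in demo() are constructed for illustration.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict

SHA256_HEX_LEN = 64


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Map file name -> lowercase hex digest from sha256sum-style lines.

    Accepts the two-space text-mode separator and the " *" binary-mode
    separator, skips blank and '#' lines, and raises on anything else so a
    corrupted list cannot silently drop an entry.
    """
    digests: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition(" ")
        name = name.lstrip(" *")  # strip the text-mode / binary-mode marker
        if not sep or len(digest) != SHA256_HEX_LEN or not name:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {raw!r}")
        int(digest, 16)  # ValueError if the digest is not hexadecimal
        digests[name] = digest.lower()
    return digests


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 in 1 MiB chunks (installers are big)."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(installer: Path, checksum_text: str) -> bool:
    """True only if the installer's digest matches its own entry in the list."""
    expected = parse_checksum_file(checksum_text).get(installer.name)
    if expected is None:
        return False  # unlisted file: refuse, do not assume it is fine
    actual = sha256_of_file(installer)
    # compare_digest does not short-circuit on the first differing character
    return hmac.compare_digest(actual, expected)


def demo() -> Dict[str, bool]:
    """Constructed scenario: genuine file, tampered file, unlisted file."""
    genuine = b"MZ" + b"\x00" * 62 + b"constructed installer body"
    tampered = genuine[:-4] + b"EVIL"  # same length, different content
    checksum_text = (
        "# constructed checksum list in sha256sum layout\n"
        f"{hashlib.sha256(genuine).hexdigest()}  npp.installer.exe\n"
    )
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "npp.installer.exe"
        target.write_bytes(genuine)
        results["genuine"] = verify_download(target, checksum_text)

        target.write_bytes(tampered)  # what a swapped download looks like
        results["tampered"] = verify_download(target, checksum_text)

        other = Path(d) / "other.exe"
        other.write_bytes(genuine)
        results["unlisted"] = verify_download(other, checksum_text)
    return results


if __name__ == "__main__":
    print(demo())
```

A checksum fetched over the same channel that served the binary proves only that the two agree, so when the project signs its releases, checking the signature (Authenticode on Windows, a detached PGP signature elsewhere) is the stronger test; as pxc notes further down, the binaries in this case were unsigned, which is exactly why the digest from a second source is the fallback.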
5. freita+06 2026-02-02 04:06:11
>>averev+o1
The writeup says it right there:

"The security expert’s analysis indicates the attack ceased on November 10, 2025, while the hosting provider’s statement shows potential attacker access until December 2, 2025. Based on both assessments, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated."

replies(1): >>avazhi+dM
6. userna+x6 2026-02-02 04:12:01
>>daemon+(OP)
Disable auto-updates, just like you should with every piece of software on your machine. This was the result of letting other people silently replace your programs. Don't allow that.
replies(1): >>bibims+97
7. bibims+97 2026-02-02 04:17:35
>>userna+x6
That's why I still run Windows XP. Automatic updates are dangerous!
replies(2): >>userna+08 >>pxc+wh1
8. userna+08 2026-02-02 04:28:43
>>bibims+97
How's Windows 11 treating you, my man?
9. avazhi+dM 2026-02-02 11:45:38
>>freita+06
Yeah, that refers to the MITM attack on the update server. We have no fucking clue what they actually did while they were in the middle - whatever exploit code was running may very well be running right now on compromised machines. Nobody knows what the compromised exes actually did.

Thanks for your nonanswer, though. It was about as unhelpful and unspecific as the original blogpost for this.

10. pxc+wh1 2026-02-02 15:07:11
>>bibims+97
Centralized automatic updates, like those of a Linux distribution or Microsoft's Windows Update, involve giving way fewer parties permission to download and run (unsigned, in the case of Notepad++ this time) code on your machine with high privileges.

And for more modern software distribution mechanisms (e.g., Nix, Guix, Flatpak), centralized package updates may not actually run any vendor code with high privileges at all.

The norm for proprietary software updates on Windows is indeed a free-for-all of every publisher downloading and running code with admin rights, and it is indeed a terrible way to operate. Avoiding that kind of madness doesn't necessarily mean running lots of old, vulnerable software.
