How do they know it was a Chinese group or even a state sponsored?
When I see politics in software updates or documentation, nothing happens because I'm not looking to use the software for political activism. Maybe I tell my adblocker to remove the messaging, and carry on with my task.
I can engage with politics in a social context, when political messaging isn't interrupting something else I'm doing; that's a better place for activism, IMHO.
I almost always see activists using the argument that if I don't like the messaging then I'm part of the problem. Somehow I doubt that, given I don't mind messaging at all, where it's appropriate.
I see this as a bad analogy though: you wouldn't hear about it every time you go to the grocery store. Or, at the very least, you wouldn't stop and listen for the fifth time. You already know, and that's the point: the intention of most activism in technology (at least that I see) is to make you initially aware of it so you start to seek the information out and learn more elsewhere. (...And to give themselves good PR. We love rainbow capitalism /s)
Instagram and Twitter both get your attention during election season because they want you to be informed about how to vote. To me, that's a similar thing.
I considered the majority of the population to be affected by repeated messaging, messages in the background, or in other words availability bias. So the messaging be having the desired effect on society in general but not on some subset who filter it out completely.
Something similar, significantly different though, happen to a friend. They started distrusting the incogni.com after seeing their advertisements over and over again. To them they saw/felt/reasoned that only an untrustworthy actor would be pushing the messaging so much and a trustworthy actor would rely more on word of mouth via their good product inspiring people to speak up about them. I had to point out that they probably saw much more of incogni's advertising due to their rate and type of media consumption and most people probably do not get that level of exposure. If incogni lowered their advertisements to hit them correctly it would not be nearly enough advertising to reach the average consumer.
I see the frustration at the repeated messaging to likely be a natural protective mechanism. Instinctively reject repeated messages is not necessarily a bad instinct since manipulative people will use repeated messaging to manipulate, but repeated message exposure does not only happen due to an attempt to manipulate.
I don't want to either, and indeed I really want others to do it for me. As such, I really want to see even MORE political stuff like this to hopefully create folks who will actually protest and put their neck on the line.
Similar reason why US military propaganda is good. I never EVER want to be drafted and indeed if you put a gun in my hand and military fatigues on me, I will die with a shot in the ass (because I am running away). Thankfully, we have a bunch of hardened 20-somethings "manipulated" into joining the military and protecting us so that I can be lazy.
So please ratchet up the politics and get others out so I don't have to. It's not that hard to ignore yet another plea for help. We do it every hour of every day.
I do not think it is uncommon for someone to do this, then see the side they oppose win more in elections, public perception, etc then decide to engage more and that is "why is there political messaging literally everywhere".
Since we can't remove it, the next best alternative is to participate and advocate for responsible political engagement. I think until we have some shared understanding of what responsible political engagement is we will continue to have it everywhere.
Edit: I’ll also add that political messaging is highly contextual. What is appropriate and effective in one place may be counterproductive or actively harmful elsewhere. Format and tone actually matter if you care about your pet cause succeeding, believe it or not.
So, while I fully agree with your stance that banning political discourse is support for the status quo, I also think that it's reasonable to ask for it to be toned down a bit, especially when the politics and social issues of one country is basically drowning out everything else.
All that said, I'm talking mostly about HN or other community forums here. The owner of Notepad++ has the right to put whatever they want into their software, and if we're discussing that here on HN then it's an occasion where discussing politics is valid.
Political opinions about how things should be don't automatically dictate the actions that should be taken in support of those opinions. I can be mad about a law or a court decision and still have the good sense to, for example, not throw red paint on a lawmaker or judge.
Some behaviors just aren't helpful, and neither being right nor being upset changes that.
As problematic as the assertion "by definition" is aside, it should be noted that endlessly commenting about politics on internet forums effectively changes nothing.
I've been kettled by mounted officers and hit by high pressure hoses on cold evenings, something that also rarely effects change .. but that's a least a fun night out with people and better than wasting bits on the intertubes.
Notepad++ is free, open source software for which there are dozens of alternative packages of equivalent quality. The entire cost of using this software and benefiting from the work of the developer, is having to scroll past or close a few political opinions.
If the reaction, if someone vehemently dislikes this sort of thing, is to tell that developer to "just shut up and make your software" rather than to stop using that software? Then I think that's possibly the most entitled and hypocritical position that I think it's possible to have.
The politicisation of software is as harmful as requiring every research paper to be published with a political allegiance banner.
Software like most Sciences, Engineering, and, Trade is a much longer game for humanity than politics de jour.
It is easy to forget the extent of contributions from all sides of politics that has contributed to this trade, from Mohammed Algorithm to English, Russian, Chinese, and, everyone else to computing; but forgetting that and forging that for quick political hack points is a disservice to humanity.
Not really, software, like sciences and engineering must survive politics first. If humans start tossing around nukes like angry apes then those that survive may be scratching simple arithmetic with a charcoal stick on a cave wall.
Additionally, it is based on a false notion that political banners in software helps in pursuing anyone let alone change political outcomes.
Before I respond to your comment, allow me first to acknowledge the following injustices happening in the world:
* war in gaza
* war in ukraine
* civil war in sudan
* civil war in yemen
* civil war in myanmar
* ethnic violence in syria
* insurgent attacks in nigeria
* insurgent attacks in congo
* attacks on protesters in Iran
...
Wait, what's that? You don't want every comment to start with some sort of land acknowledgement-esque disclaimer of all injustices happening in the world? What are you, some sort of gaza war/ukraine war/sudanese civil war/ ... sympathizer? Tens, if not hundreds of millions have been affected by the event listed above, so at the very least you can spare a thought for them before discussing about some text editor getting compromised? You might argue acknowledging the war in gaza is beating a dead horse, but do you think the median HN reader has thought about the civil war in myanmar in the past month?
In the context of forums, the political threads are generally /not interesting/[0]. Political threads often devolve; they bring nothing 'new' or 'fresh' to the table, and they lead absolutely no where. It's a fart-in-the-wind situation no matter what your position is. Leave that stuff on reddit where the rest of the farts-in-the-wind go to waste. It's like watching commentators on Fox News or CNN or <insert favorite cable TV show here>. They're a large waste of time and they're often geared towards re-enforcing your side, aka echo chamber.
Now, if a thread actually evolved into real measurable action, that might actually be interesting. But that's not what happens on these forums. There's probably very few of us that see some HN thread talking about something awful happening somewhere and they take direct action, such as petitioning their government, protesting, etc. It's probably happened once or twice, but most of the farts in those threads just hang around and stink up the place.
Please stop stinking up HN.
Your comment is a good example of it; who is dictator? The people who hacked the software or the political pole they support? At what point did they become fascist enough to warrant politicalisation of everything ?
We are all Schmittian now
http://iccf-holland.org/ http://www.vim.org/iccf/ http://www.iccf.nl/
You can also sponsor the development of Vim. Vim sponsors can vote for features. See |sponsor|. The money goes to Uganda anyway.
I would argue that this has been an effective avenue for messaging/protest. You’re responding to it on this very board - that means you’re thinking about it.
Another angle: would such free protest be allowed if the developers of Notepad++ were based in China or Russia? I seriously doubt it.
He who politicizes everything politicizes nothing.
- US arguing for independence of any of the States for whatever reasons?
- Spain for Catalonia?
- France for Basque?
and many more just in Europe.
https://en.wikipedia.org/wiki/List_of_active_separatist_move...
> Yeah, Notepad++ is known for political messaging in their updates. Taiwan, Ukraine, etc.
If you’re calling Ukraine in particular a “separatist movement”, I don’t think we can have a productive conversation.
I think about a lot of things I do absolutely nothing about (or with).
Thinking about whatever messaging is here is like saying "thoughts and prayers". It means shit all nothing. The messaging was a waste of my time and your time. It was an ad for a product you'll never purchase.
I don’t think I am the only one who has this reaction. People who do this should consider if it’s actually helping their cause. If not it’s just feelgood signaling, or possibly even counterproductive.
Freedom of speech is political.
The right to privacy is political.
Letting people on to the Internet without censorship is political.
Government policies that support startups are political.
Threatening to arrest teens for pirating mp3s is political.
> I can engage with politics in a social context, when political messaging isn't interrupting something else I'm doing; that's a better place for activism, IMHO.
For the people actually impacted by politics, reality rarely waits for a convenient time to interrupt.
Political reality tends to knock down doors and blow up buildings when it wants to really get someone's attention. "Don't bother me during my software updates" is a privileged position to be able to take.
Being political isn’t a hobby you attend on Tuesdays, it’s real decision that affect people’s lives every single day, sometimes with deadly consequences.
I distinctly remember their GH page being flooded with issues written in Chinese.
My opinion is that open source documentation is like polite dinner conversation: It’s not the proper place to discuss politics.
If an author wishes to use their open source project as a platform to discuss politics, that’s the author’s prerogative. But then, as perhaps in this instance, it could be to the detriment of the project itself.
e.g. iTerm, Cyberduck, editors of all shades, various VSCode extensions, etc.
It really doesn’t compute in my head why would any macOS user not use a network firewall like this, or similar, to block unwanted outgoing HTTP(s) requests. You can easily inspect the packet with tools like Wireshark or Burp Suite Professional (or Community) edition, or any other proxy tool, of which there are many in the macOS ecosystem.
And this is not unique to macOS, this is all possible in Windows, Linux and any other OS.
The state of the world is such that I have started running everything inside VMs. Baseline OS install + virtual machine management and that is it. Which is still not immune, but makes me feel a lot better than core OS utilities are probably getting better vetting than nifty-utility-123 on which I depend.
Source. I work for a company for longer than the internet has been alive.
We also need better computer science education in high schools, teaching students how to inspect network packets, verify SSL certificates, and evaluate whether a binary blob might contain malicious code.
People have gotten complacent about the internet, which is why they still get hacked, when it should be the other way around. With everything we’ve learned over the years, why are breaches more common than ever? I don’t understand why people are so careless about online security today, compared to decades ago when we were taught not to share personal information and not to trust anything on the internet.
This is also why update signatures should be validated against a different server; it would require hackers to control bother servers to go undetected
No, it should be a hardcoded key held by the developer, preferably using a HSM, and maybe with some sort of notification capability in case the key was lost. Adding a second server adds marginal security. For instance if the developer's mail was hacked, an attacker would likely be able to reset passwords for both hosting providers.
I expect to know it one day, but it may be too early to provide the name now.
There are more steps you can take to ensure greater safety. The above is the minimum a I do for myself and what the minimum IT department and my company executes.
I subscribe to MacPaw, who makes excellent apps like Setapp, Gemini, and CleanMyMac, all of which I use.
At some point, CleanMyMac started putting the Ukranian flag on the app icon and flagging utilities by any Russian developer as untrustworthy (because they are russian), and recommended that I uninstall them.
I am not pro russia/anti-ukraine independence by any means, but CleanMyMac is one of those apps that require elevated system permissions. Seeing them engage in software maccarythism makes me very, very hesitant to provide them.
I suppose, though that's not really how I tend to see it phrased on socials or in the media.
That is a very controversial statement, and one that both Taipei and Beijing disagree with.
The Taiwanese government has never formally declared itself independent from the mainland. Such a declaration would likely cause the PRC to invade.
Please refer to it for context.
Fuck'em and just donate ten bucks to notepad++ , I'd rather my pc breaks then reward this crap
American and European infrastructure is subject to cyber attacks that that are effectively hostile military acts already. I don't think a vocal stance on Ukraine and an exclusion of Russian developers deserves the rhetoric of McCarthyism or being 'too political' as is these days a fashionable accusation. This is no red scare, this is speaking up for people bombed on a daily basis.
I'm sure it felt very real at the time.
Since there are a lot of both Ukrainian and Russian software developers, this is personal for a lot of people in the industry.
I mean for such a dev focused and extremely performant app, that’s disappointing.
Glad I’m off windows as of late
Something doesn't seem right here.
Something of Notepad++ size might think about it now
They go on about how their server was compromised, and how the big bad Chinese were definitely behind it, and then claim the "situation has been fully resolved", but there is zero mention of any investigation into what was actually done by the attackers. Why? If I downloaded an installer during the time they were hacked, do I have malware now?
The utter lack of any such information feels bizarre.
> 2. Even though the bad actors have lost access to the server from the 2nd of September, 2025, they maintained the credentials of our internal services existing on that server until the 2nd of December, which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers and return the updates download URL with compromised updates.
FTA.
"The security exper’s analysis indicates the attack ceased on November 10, 2025, while the hosting provider’s statement shows potential attacker access until December 2, 2025. Based on both assessment, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated."
As for whether anything else has been compromised, it depends on whether you were targeted. And the payload might have been tailored to each target, so there's no way to know unless you have access to the exact binary. Unfortunately, binaries downloaded through the auto update feature tend not to linger in your Downloads folder.
I'd be curious to know if there was any pattern as to which users were targeted, but the post doesn't go into any further detail except to say it was likely a Chinese state-sponsored group.
When I forked Audacity, within less than 48h my life turned to absolute shit. Defamation campaigns, people trying to kill me, people killing my friends, people stalking me with Austrian and Swiss license plates etc. When I investigated it further, it turns out I stumbled upon the FSB/SVR branch of the former Mirai botnet, who used Audacity to spread into larger networks.
If the Notepad++ devs see this, please check your opsec and the opsec of your loved ones.
Stay safe, and don't underestimate the Chinese Ministry of Security! They're operating in the EU, too.
PS: If you need help with this, contact me.
There's no way to prove or disprove it, therefore replying to your comment is pointless. If you think someone stays dead-silent for 5 years and that this is schizophrenic behavior, you are way too easily gullible. Either way, your comment was done with malicious intent.
thisislife2•2h ago
N_Lens•1h ago
dgrin91•1h ago
digdigdag•1h ago
hsbauauvhabzb•1h ago
mapontosevenths•1h ago
https://www.heise.de/en/news/Notepad-updater-installed-malwa...
https://doublepulsar.com/small-numbers-of-notepad-users-repo...
The TLDR is that until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which was available in the Github source code. The author enabled this by not following best practices.
The "good news" is that the attacks were very targeted and seemed to involve hands on keyboard attacks against folks in Asia.
Blaming the hosting company is kind of shady, as the author should own at least some level of the blame for this.
metalcrow•1h ago
tgsovlerkhgsel•54m ago
> Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code. This made it possible to create manipulated updates and push them onto victims, as binaries signed this way cause a warning „Unknown Publisher“
It also mentions "installing a root certificate". I suspect that it means that users who installed the root cert could check that a downloaded binary was legit but everyone else (i.e. the majority of users) were trained to blindly click through the warning.
kevin_thibedeau•27m ago
idiotsecant•59m ago
PixyMisa•40m ago