The WinGUp updater compromise is a textbook example of why update mechanisms are such high-value targets. Attackers get code execution on machines that specifically trust the update channel.What&#x27;s concerning is the 6-month window. Supply chain attacks are difficult to detect because the malicious code runs with full user permissions from a &quot;trusted&quot; source. Most endpoint protection isn&#x27;t designed to flag software from a legitimate publisher&#x27;s update infrastructure.For organizations, this argues for staged rollouts and network monitoring for unexpected outbound connections from common applications. For individuals, package managers with cryptographic verification at least add another barrier - though obviously not bulletproof either.

I think we could get a lot further if we implement proper capability based security. Meaning that the authority to perform actions follows the objects around. I think that is how we get powerful tools and freedom, but still address the security issues and actually achieve the principle of least privilege.For FreeBSD there is capsicum, but it seems a bit inflexible to me. Would love to see more experiments on Linux and the BSDs for this.

It also has persistent permissions.Think about it from a real world perspective.I knock on your door. 
You invite me to sit with you in your living room. 
I can&#x27;t easily sneak into your bed room. Further, your temporary access ends as soon as you exit my house.The same should happen with apps.When I run &#x27;notepad dir1&#x2F;file1.txt&#x27;, the package should not sneakily be able to access dir2. Further, as soon as I exit the process, the permission to access dir1 should end as well.

Sand-boxing such as in Snap and Flatpak?

&gt; getting a lot of slack recentlyI think you mean a lot of flak? Slack would kind of be the opposite.

I&#x27;m sure that will contribute to the illusion of security, but in reality the system is thoroughly backdoored on every level from the CPU on up, and everyone knows it.There is no such thing as computer security, in general, at this point in history.

MacOS has been getting a lot of flak recently for (correct) UI reasons, but I honestly feel like they&#x27;re the closest to the money with granular app permissions.Linux people are very resistant to this, but the future is going to be sandboxed iOS style apps. Not because OS vendors want to control what apps do, but because users do. If the FOSS community continues to ignore proper security sandboxing and distribution of end user applications, then it will just end up entirely centralised in one of the big tech companies, as it already is on iOS and macOS by Apple.

I&#x27;ve been arguing for this for years. There&#x27;s no reason every random binary should have unfettered, invisible access to everything on my computer as if it were me.iOS and Android both implement these security policies correctly. Why can&#x27;t desktop operating systems?

I almost feel like this should just be the default action for all applications. I don&#x27;t need them to escape out of a defined root. It&#x27;s almost like your documents and application are effectively locked together. You have to give permissions for an app to extra data from outside of the sandbox.Linux has this capability, of course. And it seems like MacOS prompts me a lot for &quot;such and such application wants to access this or that&quot;. But I think it could be a lot more fine-grained, personally.

I am running a lot of tools inside sandbox now for exactly this reason. The damage is confined to the directory I&#x27;m running that tool in.There is no reason for a tool to implicitly access my mounted cloud drive directory and browser cookies data.

So if one were theoretically infected right now, would a Malwarebytes scan indicate as such?

Jeez, they didn&#x27;t waste any time, did they? No more signing certificate in June, compromise in July

<a href="https:&#x2F;&#x2F;notepad-plus-plus.org&#x2F;news&#x2F;8.8.2-available-in-1-week-without-certificate&#x2F;" rel="nofollow">https:&#x2F;&#x2F;notepad-plus-plus.org&#x2F;news&#x2F;8.8.2-available-in-1-week...</a>

The updater doesn&#x27;t check the certificate of the updated installer, it just executes whatever.

I&#x27;m out of the loop: How did they bypass Notepad++&#x27;s digital signatures? I just downloaded it to double-check, and the installer is signed with a valid code-signing certificate.

Is there a &quot;detect infection and clean it up&quot; app from a reputable source yet (beyond the &quot;version 8.8.8 is bad&quot; designator)?

The easiest way to action as a user seems like it would be to use local package managers that includes something like Dependabot&#x27;s cooldown config. I&#x27;m not aware of any local package managers that do something like this?<a href="https:&#x2F;&#x2F;docs.github.com&#x2F;en&#x2F;code-security&#x2F;reference&#x2F;supply-chain-security&#x2F;dependabot-options-reference#cooldown-" rel="nofollow">https:&#x2F;&#x2F;docs.github.com&#x2F;en&#x2F;code-security&#x2F;reference&#x2F;supply-ch...</a>

You basically need to make a trade-off between 0days and supply chain attacks. Browsers, office suite, media players, archivers, and other programs that are connected to the internet and are handling complex file formats? Update regularly, or at least keep an eye out for CVEs. A text editor, or any other program that doesn&#x27;t deal with risky data? You&#x27;re probably fine with auto update turned off

&gt;Using notepad++ (or whatever other program) in a manner that deals with internet content a lot - then updating is the thing.Disagree. It&#x27;s hard to screw up a text editor so much that you have buffer overflows 10 years after it&#x27;s released, so it&#x27;s probably safe. It&#x27;s not impossible, but based on a quick search (though incomplete because google is filled with articles describing this incident) it doesn&#x27;t look like there were any vulnerabilities that could be exploited by arbitrary input files. The most was some dubious vulnerability around being able to plant plugins.

I imagine that it depends on the use case.Using notepad++ (or whatever other program) in a manner that deals with internet content a lot - then updating is the thing.Using these tools in a trusted space (local files&#x2F;network only) : then don&#x27;t update unless it needs to be different to do what you want.For many people, something in between because new files&#x2F;network-tech comes and goes from the internet. So, update occasionally...

In the early days, updates quite often made systems less stable, by a demonstrable margin. My dad once turned off all updates on his Windows machine, with the ensuing peril that you can imagine.Sadly, it feels like Microsoft updates lately have trended back towards being unreliable and even user hostile. It&#x27;s messed up if you update and can&#x27;t boot your machine afterwards, but here we are. People are going to turn off automatic updates again.

Supply chain attacks have impact on more systems, so it&#x27;s more likely that your system is one of it. Opening a poisoned textfile that contains a exploit that attacks your text editor and fits exactly to your version is a rare event compared to automatically contacting a server to ask for a executable to execute without asking you.

I feel like supply chain attacks are the much rarer situation than real world exploits but I don’t have numbers.

Unless there&#x27;s an announcement of a zero day, update a month after each new release. Keeps you on a recent version while giving security systems and researchers time to detect threats.

As long as you do regulary updates of your debian stable, you are not secured against supply chain attacks.

Debian stable. If you need something to be on the bleeding edge install it from backports or build from source. But keep most of your system boring and stable. It has worked fine for me for years.

It now seems to be best practice to simultaneously keep things updated (to avoid newly discovered vulnerabilities), but also not update them too much (to avoid supply chain attacks). Honestly not sure how I&#x27;m meant to action those at the same time.

&gt;I guess the idea is to find systems vulnerable to 0-day exploits and similar based on this info?You don&#x27;t need 0days when you already have RCE on an unsandboxed system.

it&#x27;s not &quot;just to get that data&quot;, it&#x27;s to confirm level of access, check for potential other exploiters or security software, identify the machine you have access to, identify what the machine has network connectivity to, etc. The attacker then maintains the c2 channel and can then perform their actual objective with the help of the data they have obtained.

&gt; cmd &#x2F;c &quot;whoami&amp;&amp;tasklist&amp;&amp;systeminfo&amp;&amp;netstat -ano&quot; &gt; a.txtNaive question, but isn&#x27;t this relatively safe information to expose for this level of attack? I guess the idea is to find systems vulnerable to 0-day exploits and similar based on this info? Still, that seems like a lot of effort just to get this data.

You would be a dumbass to do that, because virustotal allows security researchers to see submitted samples&#x2F;urls. The last thing you want to do is to draw attention to your C&amp;C server.

&gt; Notably, the first scan of this URL on the VirusTotal platform occurred in late September, by a user from Taiwan.Could this be the attacker? The scan happened before the hack was first exposed on the forum.

I guess package managers win in the end. I got two emails from my IT department in the last year telling me to immediately update it.

I noticed I had version 8.9 on Dec 28, 2025 and it seems clean according to<a href="https:&#x2F;&#x2F;arstechnica.com&#x2F;security&#x2F;2026&#x2F;02&#x2F;notepad-updater-was-compromised-for-6-months-in-supply-chain-attack&#x2F;" rel="nofollow">https:&#x2F;&#x2F;arstechnica.com&#x2F;security&#x2F;2026&#x2F;02&#x2F;notepad-updater-was...</a>I recommend removing notepad++ and installing via winget which installs the EXE directly without the winGUP updater service.Here&#x27;s an AI summary explaining who is affected.Affected Versions: All versions of Notepad++ released prior to version 8.8.9 are considered potentially affected if an update was initiated during the compromise window.Compromise Window: Between June 2025 and December 2, 2025.Specific Risk: Users running older versions that utilized the WinGUp update tool were vulnerable to being redirected to malicious servers. These servers delivered trojanized installers containing a custom backdoor dubbed Chrysalis.

This might be a better link: <a href="https:&#x2F;&#x2F;survey.stackoverflow.co&#x2F;2025&#x2F;technology#1-dev-id-es" rel="nofollow">https:&#x2F;&#x2F;survey.stackoverflow.co&#x2F;2025&#x2F;technology#1-dev-id-es</a>It&#x27;s listed as the third most popular IDE after Visual Studio Code and Visual Studio by respondents to Stack Overflow&#x27;s annual survey. Interestingly, it&#x27;s higher among professionals than learners. Maybe that&#x27;s because learners are going to be using some of those newer AI-adjacent editors, or because learners are less likely to be using Windows at all.I&#x27;m sure people will leap to the defense of their chosen text editor, like they always do. &quot;Oh, they separated vim and Neovim! Those are basically the same! I can combine those, really, to get a better score!&quot; But I think a better takeaway is that it&#x27;s incredible that Notepad++, an open source application exclusive to Windows that has had, basically, a single developer over the course of 22 years, has managed to reach such a widespread audience. Especially when Scintilla&#x27;s other related editors (SciTE, EditPlus) essentially don&#x27;t rate.

Literally yes: <a href="https:&#x2F;&#x2F;survey.stackoverflow.co&#x2F;2025&#x2F;" rel="nofollow">https:&#x2F;&#x2F;survey.stackoverflow.co&#x2F;2025&#x2F;</a>

I enjoy coding something new up in Notepad++, without any annoying autocomplete and jank. I call it unplugged (acoustic?) mode. Jeepers Visual Studio these days starts autocompleting if and while for example and sometimes doesn&#x27;t respect normal keystrokes because it expects me to complete these kind of interactions instead.

Same, but additionally Irfanview. And once upon a time, Media Player Classic used to be on that list.This train of thought made me go find <a href="https:&#x2F;&#x2F;www.oldversion.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.oldversion.com&#x2F;</a>. For a while, that was invaluable.

Yes, but I start with the browser.
What are the Notepad++ alternatives on Linux and MacOS, for those times when I have to use them?

First three things I install on any machine - 7zip, Notepad++, alternate browser.

LOL I guess the editors using Notepad++ downvoted you :P

The article starts out by saying that Notepad++ &quot;is a text editor popular among developers&quot;. Really?

Notepad++ supply chain attack breakdown