Open source software


Notepad++ users take note: It’s time to check if you’re hacked

According to independent researcher Kevin Beaumont, three organizations told him that devices inside their networks with Notepad++ installed experienced “security incidents” that “resulted in hands on keyboard threat actors,” meaning a human operator was interacting directly with the compromised machines rather than leaving the intrusion to automated malware. All three of the organizations, Beaumont said, have interests in East Asia.

The researcher explained that his suspicions were aroused when Notepad++ version 8.8.8 introduced bug fixes in mid-November to “harden the Notepad++ Updater from being hijacked to deliver something… not Notepad++.”

The update changed Notepad++’s bespoke updater, known as GUP (or WinGUP). Its executable, gup.exe, reports the installed version to https://notepad-plus-plus.org/update/getDownloadUrl.php and receives in return the URL of the update from a file named gup.xml. The file at that URL is downloaded to the device’s %TEMP% directory and then executed.

Beaumont wrote:

If you can intercept and change this traffic, you can redirect the download to any location, it appears, by changing the URL in the property.

This traffic is supposed to be over HTTPS, however it appears you may be [able] to tamper with the traffic if you sit on the ISP level and TLS intercept. In earlier versions of Notepad++, the traffic was just over HTTP.

The downloads themselves are signed—however some earlier versions of Notepad++ used a self-signed root cert, which is on GitHub. With 8.8.7, the prior release, this was reverted to GlobalSign. Effectively, there’s a situation where the download isn’t robustly checked for tampering.

Because traffic to notepad-plus-plus.org is fairly rare, it may be possible to sit inside the ISP chain and redirect to a different download. To do this at any kind of scale requires a lot of resources.

Beaumont published his working theory in December, two months to the day prior to Monday’s advisory by Notepad++. Combined with the details from Notepad++, it’s now clear that the hypothesis was spot on.
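The updater flow above (gup.exe fetches a URL, drops the file in %TEMP%, runs it) gives a defender one concrete thing to hunt for: processes that gup.exe launched from a Temp directory that do not look like the real installer. The script below is an added example, not code from Ars Technica, Kevin Beaumont or the Notepad++ project. It works on constructed process-creation records in a simplified tab-separated key=value export; the installer file-name pattern, the expected signer name and the updater path are assumptions to tune for your environment, and the dates and user names in the sample are made up.

```python
"""Hunt for suspicious gup.exe (Notepad++ updater) child processes.

Added example, not code from the article or the Notepad++ project. The record
format is a constructed, simplified process-creation export (tab-separated
key=value fields); adapt parse_event() to your EDR or Sysmon Event ID 1 output.
"""
import re
from typing import Dict, List, Optional

# Assumptions (not from the article): the legitimate installer gup.exe runs is
# named like npp.8.8.8.Installer.x64.exe and is signed by the Notepad++ publisher.
INSTALLER_NAME = re.compile(r"^npp\.\d+(\.\d+)*\.Installer(\.x64|\.arm64)?\.exe$", re.I)
EXPECTED_SIGNER = "notepad++"

# Path fragments that identify per-user and system Temp directories.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed sample telemetry: one legitimate-looking update, one unsigned
# drop-and-run from gup.exe, one unrelated Temp execution, one gup.exe child
# outside Temp.
SAMPLE_EVENTS = """\
time=2025-12-01T09:12:03Z\tparentimage=C:\\Program Files\\Notepad++\\updater\\gup.exe\timage=C:\\Users\\alice\\AppData\\Local\\Temp\\npp.8.8.8.Installer.x64.exe\tsigner=Notepad++
time=2025-12-01T09:14:41Z\tparentimage=C:\\Program Files\\Notepad++\\updater\\gup.exe\timage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe\tsigner=unsigned
time=2025-12-01T09:15:02Z\tparentimage=C:\\Windows\\explorer.exe\timage=C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe\tsigner=unsigned
time=2025-12-01T09:16:30Z\tparentimage=C:\\Program Files\\Notepad++\\updater\\gup.exe\timage=C:\\Program Files\\Notepad++\\notepad++.exe\tsigner=Notepad++
""".splitlines()


def parse_event(line: str) -> Dict[str, str]:
    """Parse one tab-separated key=value record into a dict (keys lowercased)."""
    fields: Dict[str, str] = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Last path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def in_temp_dir(path: str) -> bool:
    """True when the image path sits under a per-user or system Temp directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_DIRS)


def triage_event(ev: Dict[str, str]) -> Optional[List[str]]:
    """Return anomaly reasons for a gup.exe child launched from Temp.

    Returns None when the event is not an updater child running from Temp at
    all; returns an empty list when it is one but looks like a normal update.
    """
    if basename(ev.get("parentimage", "")).lower() != "gup.exe":
        return None
    image = ev.get("image", "")
    if not in_temp_dir(image):
        return None
    anomalies: List[str] = []
    if not INSTALLER_NAME.match(basename(image)):
        anomalies.append("file name does not match the assumed installer pattern")
    signer = ev.get("signer", "").lower()
    if not signer or signer == "unsigned":
        anomalies.append("binary is unsigned")
    elif EXPECTED_SIGNER not in signer:
        anomalies.append(f"signer {ev['signer']!r} is not the expected publisher")
    return anomalies


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Run triage over many records; every updater child from Temp is reported,
    with severity 'high' when any anomaly was found and 'info' otherwise."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        anomalies = triage_event(ev)
        if anomalies is None:
            continue
        findings.append({
            "time": ev.get("time"),
            "image": ev.get("image"),
            "severity": "high" if anomalies else "info",
            "reasons": anomalies,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"], finding["time"], finding["image"], finding["reasons"])
```

The "info" findings are the updater's normal behaviour and are worth keeping in the output: a legitimately named, correctly signed installer is exactly what a well-resourced attacker who controls the download URL would try to imitate, so the signer check matters more than the file name.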



Razer built a game-streaming app on top of Moonlight, and it’s not too bad

I intentionally touched as few settings as I could on each device (minus a curious poke or two at the “Optimize” option), and the experience was fairly streamlined. I didn’t have to set resolutions or guess at a data-streaming rate; Razer defaults to 30Mbps, which generally provides rock-solid 1080p and pretty smooth 1440p-ish resolutions. My main complaints were the missing tricks I had picked up in Moonlight, like holding the start/menu button to activate a temporary mouse cursor or hitting a button combination to exit out of games.

Razer’s app is not limited to Steam games like Steam Link or Xbox/Game Pass titles like Remote Play and can work with pretty much any game you have installed. It is, however, limited to Windows and the major mobile platforms, leaving out Macs, Apple TVs, Linux, Steam Deck and other handhelds, Raspberry Pi setups, and so on. Still, for what it does, it works pretty well, and its interface, while Razer-green and a bit showy, was easier to navigate than Moonlight. I did not, for example, have to look up the launching executables and runtime options for certain games to make them launch directly from my mobile device.

Streaming-wise, I noticed no particular differences from the Moonlight experience, which one might expect, given the shared codebase. The default choice of streaming at my iPad’s native screen resolution and refresh rate saved me the headaches of figuring out the right balance of black box cut-offs and resolution that I would typically go through with Steam Link or sometimes Moonlight.



Large enterprises scramble after supply-chain attack spills their secrets

Open-source software used by more than 23,000 organizations, some of them in large enterprises, was compromised with credential-stealing code after attackers gained unauthorized access to a maintainer account, in the latest open-source supply-chain attack to roil the Internet.

The corrupted package, tj-actions/changed-files, is part of tj-actions, a collection of GitHub Actions used by more than 23,000 organizations. Actions are reusable workflow steps that run on GitHub’s CI/CD platform, and they are a core means of implementing what’s known as CI/CD, short for Continuous Integration and Continuous Deployment (or Continuous Delivery).

Scraping server memory at scale

On Friday or earlier, the source code for all versions of tj-actions/changed-files received unauthorized updates that changed the “tags” developers use to reference specific code versions. The tags were repointed to a publicly available file that copies the memory of the CI server (runner) executing it, searches that memory for credentials, and writes them to the build log. In the aftermath, many publicly accessible repositories running tj-actions ended up displaying their most sensitive credentials in logs anyone could view.

“The scary part of actions is that they can often modify the source code of the repository that is using them and access any secret variables associated with a workflow,” HD Moore, founder and CEO of runZero and an expert in open-source security, said in an interview. “The most paranoid use of actions is to audit all of the source code, then pin the specific commit hash instead of the tag into the … the workflow, but this is a hassle.”
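The attack worked because a tag such as v45 is a mutable pointer that the action’s maintainer (or whoever holds their account) can move, while a full 40-character commit SHA is not. The script below is an added example, not code from tj-actions, GitHub or runZero: it scans a workflow file for `uses:` references and flags every one that is not pinned to a full commit SHA, so the pinning HD Moore recommends can be enforced in review or CI. It deliberately uses a regular expression over the raw text rather than a YAML parser so it needs only the standard library. The sample workflow is constructed, and the 40-hex value in it is a placeholder, not a real commit.

```python
"""Flag GitHub Actions references that are not pinned to a full commit SHA.

Added example, not code from tj-actions, GitHub or runZero. Works on raw
workflow text with a regular expression so it runs with the standard library
only; the sample workflow below is constructed and its SHA is a placeholder.
"""
import re
from typing import Dict, List

# A `uses:` line: optional list dash, the key, then owner/repo[/path]@ref,
# optionally quoted, optionally followed by a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA = re.compile(r"^[0-9a-f]{4,39}$")

# Constructed sample: one SHA pin (placeholder value), two floating refs, an
# abbreviated SHA, plus a local action and a container image that are skipped.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder pin
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - uses: some/action@abc1234
      - name: Show files
        run: echo "$CHANGED"
"""


def classify_ref(ref: str) -> str:
    """'sha' for a full 40-hex commit; 'abbreviated_sha' for a shorter hex
    prefix (GitHub resolves these, but a short prefix is something an attacker
    can aim a crafted commit at); otherwise 'tag_or_branch'. A purely hex tag
    name would be misclassified as abbreviated, which still errs toward review."""
    if FULL_SHA.match(ref):
        return "sha"
    if SHORT_SHA.match(ref):
        return "abbreviated_sha"
    return "tag_or_branch"


def scan_workflow(text: str) -> Dict[str, object]:
    """Return a count of properly pinned references and a list of findings for
    every `uses:` that floats (tag, branch, abbreviated SHA or no ref at all)."""
    pinned = 0
    unpinned: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and container images are versioned differently; out of scope here.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, sep, ref = target.partition("@")
        if not sep:
            kind = "no_ref"
        else:
            kind = classify_ref(ref)
            if kind == "sha":
                pinned += 1
                continue
        unpinned.append({"line": lineno, "action": action, "ref": ref, "kind": kind})
    return {"pinned": pinned, "unpinned": unpinned}


if __name__ == "__main__":
    report = scan_workflow(SAMPLE_WORKFLOW)
    print(f"pinned: {report['pinned']}")
    for f in report["unpinned"]:
        print(f"line {f['line']}: {f['action']}@{f['ref'] or '<none>'} ({f['kind']})")
```

Run it over `.github/workflows/*.yml` and fail the build when `unpinned` is non-empty; the usual convention is to keep the human-readable version as a trailing comment next to the SHA, as the sample’s checkout line does, so the pin stays auditable.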
