The Notepad++ project is seeking the public's help in taking down a copycat website that closely impersonates Notepad++ but is not affiliated with the project.
Although, at the time of writing, the lookalike website takes visitors to the official Notepad++ downloads page, there is some concern that it could pose security threats—for example, if it starts pushing malicious releases or spam someday either deliberately or as a result of a hijack.
"Help us to take down the parasite website"
Notepad++, the free and open-source text and source code editor project has appealed to everyone to help shut down a lookalike website, notepad[.]plus that uses the project's branding, and even manages to rank high in search engine results alongside the official website, notepad-plus-plus.org.
"I’ve received numerous complaints via email, social media, and forums regarding a website that poses a significant threat to our community," writes Don Ho, the original developer of Notepad++.
The site in question notepad[.]plus, according to Ho, comes up prominently in search results when users look up "download Notepad++", as confirmed by BleepingComputer:
"Some users have mistakenly believed that [it] is the official Notepad++ website. This confusion has led to frustration and potential security risks," states the dev.
The website in question does contain a clear disclaimer at the bottom spelling out that it's "an unofficial fan website" and "not affiliated" with the project.
Fan site presently redirects to official releases
It is worth noting the fan site directs visitors to the official Notepad++ releases downloads page hosted on notepad-plus-plus.org.
Despite this, Ho alleges that "this site harbors a hidden agenda" and is "is riddled with malicious advertisements on every page."
Such ads, according to Ho, could deceive unsuspecting Notepad++ users into clicking on links that generate revenue for admins of the unofficial website.
"The true purpose" of, what Ho has called a "parasite website" is, according to him, "to divert traffic away from the legitimate Notepad++ website, notepad-plus-plus.org" which potentially "compromises user safety and undermines the integrity of our community."
BleepingComputer checked both the latest version of the notepad[.]plus website and archived copies from the past.
While the site's home page does contain an area at the top that appears to be purposed for hosting ad banners, we did not find an active ad running in that space or any other promotional links on the website. We did notice multiple educational and how-to blog posts on using Notepad++.
The developer urges everyone to report the website via Google Safebrowsing's "report malicious software" web form.
Such an approach, however, may not be fruitful given that presently no malicious software releases are being pushed by the unofficial site, or anything that warrants it to be classified as blatantly unsafe. Moreover, the aforementioned disclaimer put in place by the website may safeguard it against such accusations.
The Notepad++ logo and branding used by the website, on the other hand, could still fall afoul of trademark rules.
Technology reporter Catalin Cimpanu shared Notepad++'s blog post in a Mastodon thread.
Many community members began reporting the unofficial website, although, one developer echoed that reporting the site for shipping malicious software may be "erroneous."
"I genuinely don't understand this. This post is full of very charged language... But I went to the site and I really don’t see anything wrong with it," writes Robby Zambito.
"The download buttons even redirect to this Notepad++ site; they're not distributing any software themselves. They say this site is "a threat to the community"… but it is the community. It sounds more like a threat to their control over maintenance of the software which just doesn't seem like a big deal to me."
"Sure, they might gain trust and then eventually start shipping malware instead. But so could the people who run the notepad-plus-plus site," states Zambito.
The observation is especially relevant at a time when large-scale open-source projects, such as the XZ utility, had a backdoor injected in it by a developer who gained the trust of official project maintainers but went rogue. Similar stories of "vetted" researchers contributing malicious code to official projects aren't unheard of.
Such cases of wrongdoing are eventually caught, thanks to the numerous sharp-eyed community members who constantly scrutinize the open source ecosystem.
Given the popularity of Notepad++, its users are also frequently targeted with counterfeit trojanized versions by threat actors. As such, consuming open source projects like Notepad++ from their official websites and repositories remains a much safer approach than otherwise.
Comments
xmris - 2 months ago
Thanks for the info, I am not using N++ , but pissed off by losers like that bad site.
Guys you may consider reporting that domain as well to their registrar : abuse@namecheap.com
U_Swimf - 2 months ago
doubt namecheap does anything. but we'll see. If they do, it'll popup elsewhere as another company or website under a different host. Seems to be plenty with immunity from liability, and so a lot have no interest in doing the idealogical thing.
b1k3rdude - 2 months ago
done and done.
nauip - 2 months ago
notepad[.]plus appears to be down, currently.
U_Swimf - 2 months ago
This is the internets geatest achillies heel. There is no significant immediate reason why the website should be taken down when mannyyy businesses are created legitimately all the time from ppl thinking it's X when it's really Y.
It only becomes valuable when Y gathers enough support or finances to leverage their resources. Such as selling them back to which where they were misdirected from. Often by way of proxy, shared link, or some other way of controlled and managed services.
I think it should get taken down but isnt exactly fair to do. Lots of people use third party services to access or login and manage like their Google accounts and never even consider how many servers, computers, services - figurative 'hands' end up touch their credentials.
The fk Notepad ++ want people to honestly do? Google contended with this problem for a long time before acting like 'well if u cant beat em, invite em to join you, " then hit them with the contracts and policies, etc