We Have a Problem With Free Software
The Notepad++ compromise should be a wake-up call. The tools we've been trusting for 20 years were never built for the environments we're using them in.
I've been doing IT work for 25 years. Federal contracts, defense, enterprise. I've touched a lot of systems in a lot of environments, including some I can't talk about.
And on almost every single one of them, I've seen Notepad++ installed.
It's just there. Part of the furniture. Nobody thinks about it. It's a text editor—what's to think about?
Well, now we know.
What Happened
Last month the full story came out. Chinese state-sponsored hackers—APT31, also known as Violet Typhoon—compromised Notepad++'s update mechanism. From June to December 2025, they were able to selectively redirect update traffic and deliver malware to targeted organizations.
The targets were telecommunications and financial services companies in East Asia. The attack was surgical. If you weren't on the list, you probably never got the malicious payload. If you were, you had no idea until it was too late.
Six months. That's how long they had access before anyone noticed.
Here's What Bothers Me
It's not that Notepad++ got hacked. Any software can get hacked.
It's that we built critical infrastructure on top of free tools maintained by one guy in France, and nobody stopped to ask if that was a good idea.
Don Ho has been maintaining Notepad++ for over 20 years. By himself. For free. That's an incredible contribution to the community, and I'm not blaming him for anything. He built something useful and gave it away.
But somewhere along the line, we started treating "free and widely used" as the same thing as "vetted and secure." They're not.
I've been in environments where we had to justify every piece of software, document the supply chain, verify there were no foreign dependencies. And then I'd look at the baseline image and see Notepad++ sitting there. PuTTY. 7-Zip. Tools that nobody ever questioned because they'd been on the approved list since 2008.
Ask the average system admin where 7-Zip comes from. Most don't know it's maintained by one developer in Russia. They just know it opens ZIP files and it's free.
The Real Problem
This isn't about Notepad++ specifically. It's about a pattern.
We've been running our infrastructure on software that:
- Is maintained by single individuals with no security team
- Is developed overseas, often in countries we have complicated relationships with
- Is written in C or C++ from 20 years ago, before modern memory safety practices
- Has no formal security audit, no SBOM, no supply chain documentation
- Updates through mechanisms that nobody verifies
And we do this because it's free and it works.
I get it. Budgets are tight. Procurement is painful. If something works and doesn't cost anything, you use it. I've made those same decisions.
But the threat environment has changed. SolarWinds showed that supply chain attacks work. 3CX showed they work across multiple hops. Now Notepad++ shows they work on tools so boring that nobody even thinks of them as attack surface.
What I'm Thinking About
I don't have all the answers here. But I've been thinking about this a lot since the news broke.
There's a gap in the market. Not for "better" free tools—that's just shifting the risk to a different single maintainer. But for software built specifically for environments where supply chain integrity matters. Software where "we don't phone home" and "we don't auto-update" and "we document our dependencies" aren't afterthoughts, they're the point.
Software that costs money, because sustainable security requires sustainable business models. Asking one person to maintain critical infrastructure for free forever isn't a plan. It's just hoping nothing goes wrong.
I'm not saying everyone needs to throw out their free tools tomorrow. But maybe it's time to start asking harder questions about the stuff we've been taking for granted.
Who maintains this? Where do they live? What happens if they get compromised—or just decide to stop? What's actually in this binary I'm deploying to 10,000 machines?
If you're in government or defense IT, those questions should be keeping you up at night.