Vulnerability in Notepad++ Allowed Distribution of Malicious Updates
Notepad++ released version 8.8.9 to fix a vulnerability in its auto-update mechanism that allowed attackers to distribute malware instead of legitimate updates. The flaw enabled man-in-the-middle attacks that redirected update downloads to malicious executables.
Users first reported the issue on Notepad++ community forums. One user noted that the update tool GUP.exe (WinGUp) launched a suspicious file, %Temp%\AutoUpdater.exe, which began collecting system information.
The malware ran reconnaissance commands and saved the results to a file named a.txt: netstat output, system information, running processes, and user account details. It then used curl.exe to upload the file to temp[.]sh, a text-sharing service linked to other malicious campaigns.
Forum participants suspected either an infected unofficial Notepad++ build or intercepted update traffic, since GUP uses libcurl (not curl.exe) and doesn't collect system information.
Patch Timeline
Developer Don Ho released version 8.8.8 on November 18, switching update downloads exclusively to GitHub. This proved insufficient. Version 8.8.9 shipped December 9 with stronger protection: Notepad++ now refuses to install updates lacking the developer's digital signature.
"Starting with this release, Notepad++ and WinGUp verify the signature and certificate of downloaded installers during the update process. If verification fails, the update will be aborted," per the official announcement.
In early December, security researcher Kevin Beaumont reported that three organizations had experienced security incidents tied to Notepad++.
"I have been approached by three companies that experienced security issues on machines with Notepad++ installed. It appears processes from the editor were used as an initial access point," Beaumont wrote. "Ultimately, the threat actors operated manually."
All affected organizations have interests in East Asia, suggesting targeted attacks.
Attack Vector
When Notepad++ checks for updates, it contacts notepad-plus-plus.org/update/getDownloadUrl.php with a version number. The server returns XML containing the update path, typically pointing to GitHub releases.
Beaumont suggested attackers compromised the auto-update mechanism by intercepting and modifying this traffic. "If this traffic is intercepted and modified, the download can be redirected to any address by changing the URL in the Location property," Beaumont explained. "Since traffic to notepad-plus-plus.org is relatively infrequent, it's possible to intercept it within the provider's chain and redirect the download. But large-scale operations of this kind require significant resources."
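The interception described above works because the client trusts whatever Location value comes back from the update check. The following added example (not WinGUp's own code) shows the client-side vetting a defender would want for that reply: parse the XML, extract Location, and refuse any URL that is not HTTPS on an allowlisted host. The XML sample, the tampered variant and the GitHub-only allowlist are constructed assumptions based on the article.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hosts the updater is expected to download from after the 8.8.8 change
# (GitHub only). The exact allowlist is an assumption, not WinGUp's own code.
TRUSTED_HOSTS = {"github.com"}

# Constructed sample of the XML returned by getDownloadUrl.php. Only the
# Location element is attested by the article; other element names are assumed.
LEGIT_RESPONSE = """<?xml version="1.0"?>
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.8.9</Version>
  <Location>https://github.com/example-org/example-repo/releases/download/v8.8.9/npp-installer.exe</Location>
</GUP>
"""

# Constructed tampered reply: identical structure, Location rewritten to an
# attacker-controlled host, as happens when the reply is modified in transit.
TAMPERED_RESPONSE = LEGIT_RESPONSE.replace("https://github.com/", "https://updates.example.net/")


def extract_location(xml_text):
    """Return the Location value from an update reply, or None if absent."""
    root = ET.fromstring(xml_text)
    loc = root.findtext("Location")
    return loc.strip() if loc else None


def is_trusted_download_url(url):
    """Accept only https URLs whose host is exactly an allowlisted one.

    urlsplit().hostname strips userinfo and port and lowercases the host, so
    https://github.com@evil.example/ resolves to evil.example and
    https://github.com.evil.example/ is not an exact match; both are rejected.
    """
    if not url:
        return False
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    return (parts.hostname or "") in TRUSTED_HOSTS


def vet_update_reply(xml_text):
    """Return (accepted, location). Any anomaly (bad XML, missing Location,
    untrusted URL) yields accepted=False so the updater aborts."""
    try:
        loc = extract_location(xml_text)
    except ET.ParseError:
        return False, None
    return is_trusted_download_url(loc), loc


if __name__ == "__main__":
    for name, reply in (("legitimate", LEGIT_RESPONSE), ("tampered", TAMPERED_RESPONSE)):
        ok, loc = vet_update_reply(reply)
        print(f"{name}: accepted={ok} location={loc}")
```

A URL check only limits where the installer comes from; it cannot detect a tampered file, which is why 8.8.9 additionally verifies the installer's signature and certificate before running it.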
Beaumont noted attackers also use malvertising to distribute infected Notepad++ versions that install malware.
The official Notepad++ security bulletin states the investigation continues, and the exact interception method remains undetermined.
Users should update to version 8.8.9 immediately. Starting with version 8.8.7, all official binaries and installers are signed with a valid certificate. Users who installed an old custom root certificate should remove it.