Notepad++, one of the world’s most trusted free text editors, recently rushed out an important security update after researchers discovered a flaw that allowed attackers to push malicious update files onto users’ systems. The vulnerability affected Notepad++’s update mechanism — specifically the WinGUp (GUP.exe) tool — raising concerns about supply-chain attacks and hijacked software updates.
With the release of Notepad++ version 8.8.9, the developer has now patched the issue and added strict cryptographic protections to prevent tampered updates from ever being installed again.
How the Problem Started: Suspicious Executable Found in Updates
The first sign of trouble came from a user on the Notepad++ community forum. They noticed that during an update check, the updater spawned a mysterious file:
%Temp%\AutoUpdater.exe
This executable did not belong to Notepad++. Worse, once launched, it executed several reconnaissance commands on the system and saved the output into a file named a.txt. It then used a curl command to exfiltrate that file to:
temp[.]sh
A known service often abused in malware campaigns.
Because GUP.exe uses libcurl and not the curl.exe binary — and because Notepad++ is not supposed to gather such system information — users suspected something far more dangerous:
- Either the user had unknowingly installed a malicious Notepad++ version, or
- Attackers had hijacked the update traffic and redirected GUP to download a fake update package
Both scenarios represent serious supply-chain threats.
The First Patch: Safer Update Source (Version 8.8.8)
To quickly mitigate the possibility of network traffic redirection, Notepad++ developer Don Ho released version 8.8.8 on November 18th. This update forced Notepad++ to download updates exclusively from GitHub, reducing the risk of attackers manipulating external update URLs.
But the team didn’t stop there.
The Real Fix: Signature Verification Added in Version 8.8.9
On December 9th, Notepad++ released a stronger, permanent fix in version 8.8.9.
From this version forward:
- All update installers must be signed
- The update tool will verify the signature & certificate
- If verification fails, the update is blocked immediately
This ensures that only genuine, officially signed updates can be installed — a crucial step in preventing malicious executables from being delivered under the guise of software updates.
In the developer’s own words:
“Notepad++ & WinGUp have been hardened to verify the signature & certificate of downloaded installers. If verification fails, the update will be aborted.”
This change dramatically improves the security of Notepad++’s update mechanism.
Was the Update URL Hijacked?
Security researcher Kevin Beaumont raised the alarm earlier this month after hearing from three organizations whose security incidents traced back to Notepad++ processes initiating the first stage of compromise.
All affected organizations had ties to East Asia, suggesting the activity may have been targeted rather than widespread.
Beaumont pointed out that the update URL:
https://notepad-plus-plus.org/update/getDownloadUrl.php?version=<version>
returns XML content that includes the download location. If attackers could intercept or modify this traffic — for instance, through ISP-level interference — they could replace the legitimate download link with a malicious one.
He noted that:
- Traffic to Notepad++’s domain is uncommon
- Interception would require sophisticated resources
- But it’s not impossible
Additionally, there is a long history of malvertising campaigns distributing fake Notepad++ installers, adding more uncertainty to the root cause.
Notepad++ maintains that the investigation is still ongoing and that the exact method of hijacking has not yet been confirmed.
What Users Should Do Now
Notepad++ strongly recommends all users:
- Update to version 8.8.9 immediately
- Remove any old custom root certificates (if previously installed)
- Ensure only official, signed installers are used
- Avoid downloading Notepad++ from third-party mirrors or ads
Since version 8.8.7, all official binaries have been signed with a valid certificate — a crucial protection against tampered installers.
Conclusion
This incident highlights a growing reality in cybersecurity: software update mechanisms are prime targets for attackers. Even well-known open-source projects like Notepad++ can become victims of sophisticated supply-chain attacks.
The swift release of versions 8.8.8 and 8.8.9 shows the developer’s commitment to transparency and user safety — but users must still take action. Updating promptly is the best defense.
If you rely on Notepad++ for work or development, updating today isn’t optional — it’s essential.
Read Now :- Hackers Exploit Gladinet CentreStack Cryptographic Flaw: What You Need to Know About the New RCE Attacks