Notepad++ updater installed malware

Status
Not open for further replies.
Kongo

Kongo

Level 39
Thread author
Verified
Top Poster
Well-known
Forum Veteran
Feb 25, 2017
2,797
1
19,202
3,770
25
Germany
Content source
https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
The updater integrated into Notepad++ has allowed itself to be infiltrated by malware, which has been installed on some PCs. The developer of the powerful open-source text editor is responding with an update to Notepad++ v8.8.9. Users currently have to perform the update manually.


In a news post on the Notepad++ website, developer Don Ho explains that "some security experts have reported incidents where internet traffic affecting Notepad++ was intercepted." According to the post, investigations have revealed that traffic from the Notepad++ updater WinGUp "was occasionally redirected to malicious servers, leading to the download of compromised executable files." IT security researcher Kevin Beaumont reports that at least three organizations "with interests in South Asia" have been targeted in this way.
Click to expand...
 
  • Wow
  • +Reputation
  • Like
Reactions: Brownie2019, Sorrento, silversurfer and 8 others
This incident is basically a targeted abuse of the old Notepad++ updater mechanism (WinGUp), not a full compromise of the official Notepad++ website or installer itself.

From what you quoted and what’s publicly known:

  • Attackers managed to intercept some updater traffic (likely via network-level attacks like DNS/HTTP interception or MiTM).
  • When Notepad++’s WinGUp checked for updates, its traffic was sometimes redirected to a malicious server.
  • That malicious server provided trojanized executables instead of legitimate Notepad++ updates.
  • So far, reports suggest this was targeted against “a small number” of organizations, not a mass, global compromise.
  • The developer responded with Notepad++ v8.8.9 and requires a manual update, which likely changes/locks down the update mechanism.

I can’t verify the exact technical changes in 8.8.9 beyond what’s stated in the official news post, but the general idea is: fix/disable the vulnerable updater behavior and enforce safer update handling.

What regular users should do

  1. Update manually from the official site
    Go directly to:
    Notepad++

    Download the latest installer from there (not from third-party download portals) and install over your existing Notepad++.
  2. Verify the download as much as possible
    If the developer provides hashes or signatures in the release notes, compare them. If not:
    • Submit the installer to VirusTotal before running.
    • Make sure your security suite is active and up to date, then run the installer.
  3. Check your existing installation
    If you’ve used the built-in updater recently (especially on a corporate or “interesting” network), I would:
    • Run a full, up-to-date scan with your main AV/EDR.
    • Optionally scan with a second opinion scanner (e.g. Malwarebytes, ESET Online Scanner, Kaspersky Virus Removal Tool).
    • Look for any unusual executables in the Notepad++ folder and its subfolders (but don’t delete things blindly).
  4. For organizations / admins
    If you manage endpoints in a company:
    • Check network logs or proxy logs for Notepad++ update URLs resolving to or redirecting through non-official domains.
    • If you have EDR, hunt for recent Notepad++-related executables that aren’t signed by “Don Ho” or the expected vendor.
    • Roll out the latest Notepad++ version via your normal software distribution instead of relying on the internal updater.

How serious is it?

  • It’s serious for the specific targets where traffic was intercepted and replaced with malware (this is essentially a form of supply-chain-style attack via the update channel).
  • For the average home user on a normal ISP, there’s no strong evidence this was widespread, but caution is still warranted.
  • The key risk window is: using the integrated updater before v8.8.9, while your traffic was being tampered with.

If you’re unsure whether you were affected

  • Update manually to 8.8.9+ from the official site.
  • Run one or two reputable malware scans.
  • If this is a work machine or you’re in a sensitive region/sector (especially “interests in South Asia” as mentioned), consider involving your IT/security team. They can check logs, network traces, and do proper incident response.

If you can share:
  • Your current Notepad++ version, and
  • Whether you used the built-in updater recently and on what kind of network (home, corporate VPN, etc.),
I can suggest more specific checks that would make sense in your case.
 
  • Like
Reactions: Zero Knowledge and Sorrento
TL;DR: It may be better to read the developer's note rather than the details in the media and even some details/speculations from the original security researcher's report.

Ha, this is an evolving piece, and it's clearly better to look at the details from the source documents:

From Notepad++ 8.8.9 release note:

2025-12-09

Some security experts recently reported incidents of traffic hijacking affecting Notepad++.According to the investigation, traffic from WinGUp (the Notepad++ updater) was occasionally redirected to malicious servers, resulting in the download of compromised executables.

The review of the reports led to identification of a weakness in the way the updater validates the integrity and authenticity of the downloaded update file. In case an attacker is able to intercept the network traffic between the updater client and the Notepad++ update infrastructure, this weakness can be leveraged by an attacker to prompt the updater to download and executed an unwanted binary (instead of the legitimate Notepad++ update binary). To mitigate this weakness and address the hijacking’s concerns raised by the security researchers, a new security enhancement is being introduced in this release of Notepad++.

Mitigation:Starting with this release, Notepad++ & WinGUp have been hardened to verify the signature & certificate of downloaded installers during the update process. If verification fails, the update will be aborted.

Status:The investigation is ongoing to determine the exact method of traffic hijacking. Users will be informed once tangible evidence regarding the cause is established.
Click to expand...
TL;DR: They still haven't reported how the network traffic redirect happened. If you read the above, it might just have appeared that once the file is downloaded, the signature and certificate may not have been checked properly in the earlier versions.

From Kevin Beaumont's report:

Victims​

I’ve only talked to a small number of victims. They are orgs with interests in East Asia. Activity appears very targeted. Victims report hands on keyboard recon activity, with activity starting around two months ago.
Click to expand...
The victims appear to be from East Asia, not South Asia as reported by heise.de above.

I should also point out it is based on incomplete information, as a full picture as to what is happening isn’t yet available — this is an evolving situation.
Click to expand...
So, the explanations he gave later may be incomplete, speculative, or (in my opinion) not well explained.

How it can be abused​

If you can intercept and change this traffic, you can redirect the download to any location it appears by changing the URL in the <Location> property.

This traffic is supposed to be over HTTPS, however it appears you may be to tamper with the traffic if you sit on the ISP level and TLS intercept. In earlier versions of Notepad++, the traffic was just over HTTP.
Click to expand...
He certainly didn't explain how TLS, with the public/private key verification, was circumvented, even if they might have managed to reroute the destination server to another IP (ISP rerouting? That's a big claim).

The downloads themselves are signed — however some earlier versions of Notepad++ used a self signed root cert, which is on Github. With 8.8.7, the prior release, this was reverted to GlobalSign. Effectively, there’s a situation where the download isn’t robustly checked for tampering.
Click to expand...
Sure, it was a self-signed root cert, and the public portion of it was (is?) available on GitHub for self-installation (to verify the certificate), but he didn't explain how the private portion, used to sign the binaries, may have leaked. If the leak was true, even a publicly certified certificate wouldn't have saved this situation either.
 
Last edited:
  • Like
  • Sad
  • Applause
Reactions: Sorrento, Brownie2019, Khushal and 2 others
Recent Notepad++ releases address a vulnerability that has allowed threat actors to hijack the free source code editor’s updater.

Security researcher Kevin Beaumont reported in early December that a handful of organizations using Notepad++ had reported experiencing security incidents involving the code editor.

Beaumont said in an update this week that the attacks appeared to have been carried out by threat actors in China, with the attackers leveraging a Notepad++ vulnerability for initial access to the systems of telecoms and financial services firms in East Asia.

Notepad++ developers seem to have known about issues with the updater since at least mid-November, when version 8.8.8 release notes mentioned a security enhancement designed to prevent the application’s updater from being hijacked.

In a post published this week to announce the release of version 8.8.9, Notepad++ confirmed that traffic from the updater (WinGUp) was in some cases redirected to malicious servers, which resulted in compromised executable files being downloaded to the victim’s system.

Notepad++ developers’ investigation led to the discovery of a flaw in the way the updater validates the authenticity and integrity of update files.
In the latest version, Notepad++ and the WinGUp component verify the signature of downloaded installers during the update process, and the update is not performed if the check fails.

However, it has yet to be determined exactly how traffic has been hijacked in the wild.

Beaumont, who described the campaign as a supply chain attack, believes threat actors may be hijacking traffic at the ISP level to push malicious updates, but pointed out that significant resources are required to conduct such an attack.
Click to expand...
www.securityweek.com

Notepad++ Patches Updater Flaw After Reports of Traffic Hijacking

Recent Notepad++ releases address a vulnerability that has allowed threat actors to hijack the free source code editor’s updater.
www.securityweek.com www.securityweek.com
 
Last edited by a moderator:
  • Like
  • Wow
Reactions: Sorrento, lokamoka820 and Zero Knowledge
This is a pretty significant reminder that even “simple” tools like editors can be used for initial access.

What seems to have happened
From what you quoted and what’s publicly known so far:

  • The weakness was not in the Notepad++ binaries themselves, but in the updater component (WinGUp).
  • The updater’s integrity/authenticity checks were insufficient, so if an attacker could redirect the updater’s traffic, they could feed it a malicious “update” EXE.
  • Notepad++ devs have now:
    • Improved the updater logic.
    • Added signature verification of downloaded installers in 8.8.9 (and 8.8.8 already mentioned related hardening).
  • The exact traffic hijack method in the wild is still unclear, but the suggestion is some sort of network-level redirection (e.g. at ISP or similar).

So the attack chain, simplified, looks like:
Notepad++ → checks for update → traffic hijacked → malicious installer delivered → attacker gains code execution under the user’s context.​

Who is realistically at risk?
Based on what’s been shared:

  • So far this looks targeted: telecoms and financial organizations in East Asia.
  • The campaign likely required substantial access/resources (e.g. ISP-level manipulation), not run-of-the-mill home router malware.
  • There’s no evidence (currently) that every Notepad++ user worldwide was being mass-targeted.

That said, the underlying flaw is generic: if someone can hijack your traffic, this is exactly the kind of weakness they’d abuse.

What you should do as a regular user

  • Update Notepad++ to the latest version (at least 8.8.9 or newer).
    • Prefer downloading the installer directly from the official site: Notepad++
    • Avoid third‑party mirrors when something like this is in the news.
  • Consider a fresh reinstall if you’re paranoid or were using a vulnerable build in a high‑risk environment:
    • Uninstall existing Notepad++.
    • Download current installer from official site.
    • Install fresh.
  • Run a reputable AV/EDR scan on your system:
    • Use your main security suite to do a full scan.
    • Optionally, add a second opinion scanner (e.g. ESET Online Scanner, Kaspersky Virus Removal Tool, etc.).

I can’t tell you whether your Notepad++ installation was abused – that would require logs and forensic analysis – but the above steps are prudent.

Extra steps for more security‑conscious / enterprise users

  • Check your logs:
    • Windows Event Logs around the times Notepad++ was updated.
    • Notepad++ installation/update folders for unexpected EXEs or DLLs.
  • Verify binaries from that period:
    • Check digital signatures on Notepad++.exe and related files (right‑click → Properties → Digital Signatures).
    • If signatures look off or missing, replace with a clean install and investigate further.
  • Harden update traffic where possible:
    • Restrict outbound traffic from sensitive servers.
    • Use HTTPS/TLS interception and inspection with validation to spot tampered downloads (if acceptable in your environment).
    • Prefer software that supports strong, enforced code-signing and secure update channels.

Bottom line
If you use Notepad++:

  • Update to the latest version now (8.8.9+).
  • Download only from the official site.
  • Run a full AV scan if you were on older builds, especially in a high‑risk or corporate environment.

If you’re in an affected sector or region and suspect compromise, it’s best to involve your internal security team or a professional incident response firm, and also keep an eye on official Notepad++ announcements for more technical details as they surface.
 
  • Like
Reactions: Andrew999 and Zero Knowledge
I am beginning to doubt the auto-update/auto-download mechanisms of different software, as the level of carefulness seems to vary. This one didn't check the signature (before the update); an AV vendors downloaded using HTTP instead of HTTPS. I have started wondering if always downloading a new installation would be a better strategy because, at least, people almost always run these through VirusTotal (and the associated automatic sandboxes). This is not fool-proof, but at least there have been more checks on the new packages.
 
  • Like
  • Applause
Reactions: lokamoka820, Brownie2019, Sorrento and 2 others
Sorrento said:
Just had to look as I'm using an alternative Notepad, & its Notepad Classic, this is why this forum is so useful as I may not know of such things.
Click to expand...
Me too; it's pre-installed on W 11 IoT LTSC, simple, fast, and just do the job intended to.
If you need dark mode badly, there is a registry file to apply, but I avoid playing with registry using files from untrusted sources.
 
  • Like
Reactions: Khushal and Sorrento
Multiple independaent security researchers have assessed that the threat acotor is likely a Chinese state-sponsored group, which would explain the highly selective targeting obseved during the campaign.

...

According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.

...

I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.

...

To address this severe security issue, the Notepad++ website has been migrated to a new hosting provider with significantly stronger security practices.
Within Notepad++ itself, WinGup (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer. Additionally, the XML returned by the update server is now signed (XMLDSig), and the certificate & signature verification will be enforced starting with upcoming v8.9.2, expected in about one month.
Click to expand...
I wonder how they targeted the users: by IP addresses? That would mean they already have a list of IPs of interest. But the CGNAT IPv4 IPs + Android-Windows IPv6 IPs change all the time. 🤷‍♂️
 
  • Like
  • Applause
Reactions: Sorrento, Brownie2019, Khushal and 1 other person
Wrecker4923 said:
I wonder how they targeted the users: by IP addresses? That would mean they already have a list of IPs of interest. But the CGNAT IPv4 IPs + Android-Windows IPv6 IPs change all the time. 🤷‍♂️
Click to expand...
I have doubts regarding targeting specific users; they just tampered the update servers; do they control which IP connects to which server?!
 
  • Like
Reactions: Sorrento, Wrecker4923 and Khushal
In response to this episode, Notepad++ has dropped its previous shared hosting arrangement for a provider with better security protocols. This shift highlights the need for developers to ensure third parties that they rely on also have a robust security posture.

If you have attempted to update Notepad++ between June and December, you may have accidentally downloaded malicious binaries. The attackers used known weaknesses in older versions of the software, such as insufficient update verification controls, to facilitate the compromise.

Users are advised to ensure they are running at least version 8.8.9.

Click to expand...
 
  • Like
Reactions: Sorrento
Screenshot_2-2-2026_181234_x.com.jpeg
 
Last edited by a moderator:
  • Like
Reactions: Sorrento, Brownie2019 and Khushal
Status
Not open for further replies.

You may also like...