Malware News Notepad++ updater installed malware

Screenshot_2-2-2026_181234_x.com.jpeg
 
Last edited by a moderator:
  • Like
Reactions: Sorrento, Brownie2019 and Khushal
Notepad++ addressed a flaw in its updater that allowed attackers to hijack update traffic due to improper authentication of update files in earlier versions.

Beaumont explained that although downloads are signed, older Notepad++ versions used a self-signed root certificate publicly available on GitHub, weakening validation. Because traffic to notepad-plus-plus.org is rare, ISP-level redirection is feasible for well-resourced actors.

securityaffairs.com

Notepad++ fixed updater bugs that allowed malicious update hijacking

Notepad++ addressed an updater vulnerability that allows attackers hijack update traffic due to weak file authentication.
securityaffairs.com securityaffairs.com
Click to expand...
 
  • Like
Reactions: Sorrento
Sorrento said:
Just had to look as I'm using an alternative Notepad, & its Notepad Classic, this is why this forum is so useful as I may not know of such things.
Click to expand...
I have been using notepad++ for many years and still use it. I have even donated them twice. But i still use it despite this disclosure. Fortunately in Q2 2025, i was not hit by their updater malware as i use winget to update my apps.
 
  • Applause
Reactions: Sorrento and Parkinsond
Khushal said:
winget tells me where file is being fetched from which is github in this case.
Click to expand...
The source of update file for Notepad ++ was not the problem; the file was downloaded from their own server, but it was tampered, as far as I can get.

If it is a dns spoofing, it would be blocked by secure dns provider.
 
  • HaHa
Reactions: Khushal
Parkinsond said:
The source of update file for Notepad ++ was not the problem; the file was downloaded from their own server, but it was tampered, as far as I can get.

If it is a dns spoofing, it would be blocked by secure dns provider.
Click to expand...
I suppose u reread my comments and the article for more details but when i have mentioned github, i think it was clear what the problem was. The vuln was in Wingup not in Winget so i don't know what are u talking about. If i am downloading from Winget a microsoft certified app from github another Microsoft owned site how the hell it can be dns spoofing etc. I fortunately was able to reduce the attack vectors by avoiding Wingup and using Winget.
Also it is almost certain it is act of a Chinese Apt group which used such advanced TTPs.
 
  • Like
Reactions: Wrecker4923 and Parkinsond
Khushal said:
I suppose u reread my comments and the article for more details but when i have mentioned github, i think it was clear what the problem was. The vuln was in Wingup not in Winget so i don't know what are u talking about. If i am downloading from Winget a microsoft certified app from github another Microsoft owned site how the hell it can be dns spoofing etc. I fortunately was able to reduce the attack vectors by avoiding Wingup and using Winget.
Also it is almost certain it is act of a Chinese Apt group which used such advanced TTPs.
Click to expand...
However, is still unclear how attackers hijacked updater traffic in the wild. Beaumont speculates threat actors may have intercepted traffic at the ISP level to deliver malicious updates, though this would require substantial resources.

securityaffairs.com

Notepad++ fixed updater bugs that allowed malicious update hijacking

Notepad++ addressed an updater vulnerability that allows attackers hijack update traffic due to weak file authentication.
securityaffairs.com securityaffairs.com
Click to expand...
If the above mentioned correct, then winget or notepad++ does not matter.
 
  • Like
Reactions: Sorrento
Parkinsond said:
Speculations because no body knows the exact scenario of the infection process; all the possibilities are on the table.
Click to expand...
A hijacked hosting provider account modified the getDownloadUrl.php script to redirect specific targets' WinGUp requests to malicious servers.

This is why the remediation focuses on updating to v8.8.9+ (which enforces strict verification) and resetting hosting credentials, rather than "unknown" possibilities like a source code compromise.

Post in thread 'Notepad++ updater installed malware' Malware News - Notepad++ updater installed malware
 
  • Like
  • Thanks
Reactions: Wrecker4923, Jonny Quest and Khushal
Khushal said:
I think it is pretty clear. Plus from Dec 9th 50+ days from original discovery.
Click to expand...
Did not answer my previous inquiry; cannot files on github (update files) get compromised, just as they are supposed to be compromised on the culprit update server?
 
Parkinsond said:
Did not answer my previous inquiry; cannot files on github (update files) get compromised, just as they are supposed to be compromised on the culprit update server?
Click to expand...
Could files on GitHub be compromised? Yes, theoretically, if the developer's GitHub credentials were stolen. Were they compromised in this incident? No. The evidence confirms the breach was strictly isolated to the web hosting provider and the update manifest logic, not the Git repository or the GitHub release assets.

Target
The notepad-plus-plus.org web server.

Mechanism
Attackers hijacked the getDownloadUrl.php script.

Action
When the updater asked "Where is the file?", the compromised script lied and pointed to a malicious IP instead of the legitimate GitHub URL.

Result
The updater went to the wrong location. The legitimate files on GitHub were never touched, the updater just never went there.
 
  • Like
  • Thanks
Reactions: Wrecker4923, Khushal and Jonny Quest
Khushal said:
Not necessarily.
https[:]//notepad-plus-plus.org/update/getDownloadUrl.php server was only compromised.
Click to expand...
The same way such a server was compromised, the one on github can also.
What safeguard is not the server destination, it is the ability of the updater to check for update file hash compatibility.
 
  • Like
Reactions: Sorrento

You may also like...