A security vulnerability in the Notepad++ update mechanism has been exploited to spread malicious code. What began as a report within the Notepad++ community at the end of October was later confirmed to be a structural weakness in the updater.
Analysis by BleepingComputer shows that attackers were able to execute malware via this mechanism. Notepad++ has since released a fix in version 8.8.9.
The first signs appeared on the official Notepad++ forum, where a user reported that during an automatic update, an unknown executable, %Temp%\AutoUpdater.exe, was launched from the Notepad++ process and the updater gup.exe (WinGUp). This executable collected system information via standard Windows commands and stored the output in a file named a.txt.
Further investigation revealed that this file was uploaded to temp.sh, a public file hosting service, using curl.exe. This behavior deviates from the normal operation of Notepad++, which does not use a standalone curl binary and does not collect system information. Developers and moderators within the community confirmed that this was not legitimate functionality.
It was notable that the Notepad++ binaries used matched official releases. This indicated that the application had not been replaced, but that the update process had been exploited to execute additional malicious code. Initially, it remained unclear whether this was a local compromise or manipulation of the update traffic.
In early December, BleepingComputer provided more clarity. It turned out that WinGUp did not perform cryptographic verification on downloaded installers up to and including version 8.8.8. The updater did check for new versions, but did not validate whether the installation file was signed with the official code signing certificate. This allowed an attacker who managed to intercept or redirect the update traffic to execute a malicious executable.
Affected companies have interests in East Asia
Researchers report that several organizations investigated incidents in which Notepad++ processes were the initial point of entry. In these cases, the attackers followed up with active reconnaissance of the environment, indicating targeted attacks. All organizations involved had interests in East Asia.
The update process used an XML endpoint on notepad-plus-plus.org that returns a download location for the latest version. By manipulating this traffic, the URL could be modified. Because the updater did not perform signature verification, the downloaded file was launched without any further checks.
Notepad++ took initial action in November by limiting updates to GitHub downloads in version 8.8.8. Version 8.8.9 followed on December 9, in which both Notepad++ and WinGUp check the digital signature and certificate of installers. If that verification fails, the update is aborted.
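The two controls described above, a download location restricted to a known host and an Authenticode check on the installer before it runs, reimplemented in PowerShell as an added example (this is not Notepad++ or WinGUp code). It assumes the update XML carries the download URL in a Location element, uses a host allowlist and a sample response that are both constructed here, and leaves the expected signer subject as a placeholder to be replaced with the real certificate subject.

```powershell
# Added example, not Notepad++/WinGUp code. Assumed XML shape: <GUP><Location>URL</Location></GUP>.

function Test-UpdateLocation {
    param(
        [Parameter(Mandatory)] [string] $UpdateXml,
        [string[]] $AllowedHosts = @('github.com', 'objects.githubusercontent.com')  # assumed allowlist
    )
    $doc = [xml] $UpdateXml
    $node = $doc.SelectSingleNode('//Location')
    if ($null -eq $node) { return $false }          # no location at all: do not guess
    $uri = [Uri] $node.InnerText
    # Reject plain HTTP and any host outside the allowlist: a tampered or
    # redirected Location pointing elsewhere is the attack path described above.
    if ($uri.Scheme -ne 'https') { return $false }
    if ($AllowedHosts -notcontains $uri.Host) { return $false }
    return $true
}

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject   # placeholder, e.g. 'CN=<publisher>'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status must be Valid (chain verified, file hash matches). An unsigned or
    # modified installer comes back as NotSigned or HashMismatch and is rejected.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature check failed for ${Path}: $($sig.Status)"
        return $false
    }
    # Pin the signer as well: a valid signature from any publisher is not enough.
    if ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

# Constructed sample response; the URL is illustrative, not a real release asset.
$sample = '<GUP><Location>https://github.com/example-org/example/releases/download/v8.8.9/example-installer.exe</Location></GUP>'
Test-UpdateLocation -UpdateXml $sample
Test-UpdateLocation -UpdateXml ($sample -replace 'github\.com', 'attacker.example')
# Run only after the location check passes and the file has been downloaded:
# Test-InstallerSignature -Path "$env:TEMP\installer.exe" -ExpectedSubject 'CN=<publisher>'
```

Only an installer that passes both functions should be executed; the second check is the one whose absence in WinGUp up to 8.8.8 made the redirected download runnable.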
According to the developers, the investigation into the exact method of attack is still ongoing. However, users are strongly advised to upgrade to version 8.8.9.