Notepad++ has released version 8.8.9 to fix a security issue in its WinGUp update tool after users and researchers reported that the updater was pulling malicious files instead of official update packages.
The problem became public when a community forum user noticed that Notepad++’s GUP.exe automatically launched an unknown file named AutoUpdater.exe from the Temp folder. This file began running system commands to gather information such as network connections, system details, running tasks, and the current user, saving everything into a file called a.txt.
The malicious updater then used curl commands to upload the collected data to temp[.]sh, a service known for being abused in past malware campaigns. Since the real WinGUp uses the libcurl library rather than curl commands and does not perform such actions, users initially suspected that the affected person may have downloaded a fake version of Notepad++, or that their network traffic was hijacked during the update process.
To reduce the risk of hijacked traffic, Notepad++ developer Don Ho first released version 8.8.8 on November 18, which restricts update downloads to GitHub only. A stronger fix arrived on December 9 with version 8.8.9. This new release verifies digital signatures and certificates of update files, and if the signature does not match, the update is immediately stopped. The developer confirmed that both Notepad++ and WinGUp now reject any unsigned or suspicious installers during the update process.
Security researcher Kevin Beaumont also reported that at least three organizations experienced security incidents linked to Notepad++. According to him, Notepad++ processes were used as the entry point for attackers, leading to hands-on activity inside targeted systems. All affected organizations had interests in East Asia, and the incidents appeared highly targeted. Beaumont suggested that attackers might have intercepted Notepad++’s update traffic and replaced the official download link with a malicious one.
Since Notepad++ communicates with an update URL that returns an XML file containing the new version’s download link, any hijacking of this traffic would allow attackers to redirect users to a fake installer.
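The GitHub-only restriction described above can be pictured as a check on the download link taken from the update XML. The following is an added example, not code from Notepad++ or WinGUp: the `Location` element name, the sample manifests and the allow-list are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"github.com"}  # assumption: exact host names, no wildcards


def download_url_from_manifest(xml_text):
    """Return the manifest's download URL, or raise ValueError if it is not acceptable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"manifest is not well-formed XML: {exc}")
    url = (root.findtext("Location") or "").strip()  # hypothetical element name
    if not url:
        raise ValueError("manifest has no download location")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("download must use https")
    # "https://github.com@other.host/" puts the trusted name in userinfo, not the host.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    if parts.port not in (None, 443):
        raise ValueError("unexpected port")
    # Compare the whole host name; a prefix or substring match would accept
    # look-alikes such as "github.com.downloads.example.net".
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} is not allow-listed")
    return url


def manifest_for(url):
    """Build a constructed sample manifest (not a real update-server response)."""
    return f"<GUP><Version>8.8.9</Version><Location>{url}</Location></GUP>"


SAMPLES = [  # constructed URLs
    "https://github.com/example-org/example-app/releases/download/v1/installer.exe",
    "http://github.com/example-org/example-app/releases/download/v1/installer.exe",
    "https://github.com.downloads.example.net/installer.exe",
    "https://github.com@downloads.example.net/installer.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print("accept", download_url_from_manifest(manifest_for(sample)))
        except ValueError as err:
            print("reject", sample, "->", err)
```

A host check only constrains the first URL requested, so it does not replace the signature and certificate verification of the downloaded file that version 8.8.9 adds.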
The method of interception is still unclear, and the Notepad++ team says the investigation is ongoing. They also warned that malicious versions of Notepad++ are often distributed through malvertising campaigns, which may also be connected to the recent incidents. The developer urges all users to upgrade immediately to version 8.8.9. They also reminded users that all official installers since version 8.8.7 are digitally signed, and anyone using older custom root certificates should remove them for safety.





