Notepad++ fixes vulnerability that let attackers push malicious update files

Du'aine Davis · 2025-12-12T11:40:57+00:00

For awareness * Since mid-November, a small number of organisations, primarily with interests in East Asia, reported incidents where Notepad++ processes initiated unauthorised access. These attacks involved hands-on-keyboard activity and appear highly targeted, starting roughly two months ago. The issue surfaced after…

Du'aine Davis

For awareness

Since mid-November, a small number of organisations, primarily with interests in East Asia, reported incidents where Notepad++ processes initiated unauthorised access. These attacks involved hands-on-keyboard activity and appear highly targeted, starting roughly two months ago. The issue surfaced after changes to the Notepad++ updater aimed at hardening against hijacking.
The suspected vector is abuse of the Notepad++ auto-update mechanism (GUP/WinGUP), which retrieves updates via URLs defined in gup.xml. Earlier versions lacked robust integrity checks, allowing potential tampering if traffic was intercepted (e.g., ISP-level TLS interception). Attackers may inject malicious executables (e.g., AutoUpdater.exe) into the update chain, leveraging curl.exe for recon.
Organisations should ensure Notepad++ is updated to version 8.8.8 and avoid using auto-update, prefer manual installation from the official site. Monitor for anomalous behaviour:
- gup.exe making network calls outside notepad-plus-plus.org or GitHub domains.
- Unexpected subprocesses or files like update.exe or AutoUpdater.exe in %TEMP%.
- Validate digital signatures (GlobalSign) on updater binaries.
- Blocking gup.exe or restricting Notepad++ internet access may be considered for enterprises.

Notepad++ v8.8.9 release: Vulnerability-fix | Notepad++
Small numbers of Notepad++ users reporting security woes | by Kevin Beaumont | Dec, 2025 | DoublePulsar

Find more posts tagged with

Threat Landscape

Sign in to participate and unlock exclusive content 🔓

It looks like you're new here! Sign in or register to be able to comment, access member-only content and follow the spaces relevant to you.

Comments

Du'aine Davis

Historic Notepad++ Supply‑Chain Compromise Shows Broader Targeting
For awareness

Between mid‑August and November 2025, previously reported Notepad++ supply‑chain abuse was found to have broader historic targeting. Beyond initial Southeast Asian government and critical‑infrastructure victims, additional activity affected organisations in Europe, the US and South America, particularly system administrators and developers whose use of Notepad++ granted high‑privilege access.
State‑sponsored actor Lotus Blossom compromised shared hosting supporting Notepad++ updates, enabling adversary‑in‑the‑middle redirection. Selected victims received malicious NSIS installers instead of legitimate updates. Infection chains used Lua script injection and DLL sideloading (via a legitimate Bitdefender binary) to deploy Cobalt Strike and the Chrysalis backdoor for covert persistence.
Organisations were advised to enforce manual updates to secured Notepad++ versions, and use Microsoft Defender to alert on anomalous gup.exe behaviour, unsigned installers, DLL sideloading from non‑standard paths, Lua script execution, and rapid outbound C2 connections following update activity.

Nation-State Actors Exploit Notepad++ Supply Chain

See what's trending

Click on a tag to discover all the published content related to it.