Security alert for Notepad++ users

Security alert for Notepad++ users

Notepad++ has released version 8.8.9 to address a critical security weakness in its WinGUp (GUP.exe) update tool, following reports that malicious executables were being retrieved instead of legitimate update packages.

The issue surfaced after users observed the updater spawning an unknown executable (AutoUpdater.exe) that performed system reconnaissance and exfiltrated data to an external file-sharing service commonly used in malware campaigns.

While it remains unclear whether the root cause was:

• a network traffic hijack,
• malvertising leading to fake installers, or
• a targeted supply-chain style attack,

security researchers confirmed hands-on-keyboard threat actor activity in affected environments.

✅ What’s changed in Notepad++ 8.8.9

• Updates are now verified using the developer’s code-signing certificate
• Any installer that fails signature validation is blocked
• Update sources are restricted to official GitHub downloads

“If verification fails, the update will be aborted.” — Notepad++ security notice

🔎 Why this matters

This incident highlights how software update mechanisms can be abused as an initial access vector, even for trusted and widely used tools.

🛡️ Recommended actions

✔ Upgrade to Notepad++ v8.8.9 immediately
✔ Remove any custom root certificates installed previously
✔ Avoid downloading installers from unofficial sources
✔ Monitor endpoints for unusual child processes or outbound traffic

Supply-chain security and update integrity matter — even for everyday developer tools.