Notepad++ Updates Channel After Security Breach

The developers of Notepad++, a widely used text and source code editor for Windows, have released a critical update to secure its software distribution channel following a significant security breach. This move addresses vulnerabilities that were exploited last year, aiming to prevent any repeat of the incident where attackers hijacked the update mechanism to deliver malware. Users are strongly advised to update to the latest version immediately to benefit from these crucial security enhancements.

The maintainer of Notepad++, Don Ho, confirmed the details of the attack earlier this month. The compromise allowed malicious actors to intercept communications between the software’s updater client and its official servers. This interception enabled them to substitute a legitimate software update with a harmful one, which would then execute on users’ systems.

The attack exploited specific weaknesses in the older update process. Prior to version 8.8.8, released in November 2025, the XML file that contained the download link for updates was not cryptographically signed. This lack of a signature allowed attackers to redirect the auto-updater, a tool called WinGUp, to download an update from a malicious domain instead of the official GitHub repository. A subsequent vulnerability existed in versions before 8.8.9, released in December 2025, where WinGUp would not verify the code signing certificate or validate the digital signature on the downloaded installer before proceeding with the update.

With the new release, version 8.9.2, the development team has finalized a series of security improvements. The update now implements verification for the signed XML file that directs the updater, a process that began with the earlier v8.8.8 release. According to Ho, the combination of verifying both the signed XML and the signed installer downloaded directly from GitHub has rendered the Notepad++ update process “effectively unexploitable.”

Additional hardening measures have been applied to the WinGUp component itself. To eliminate risks associated with DLL side-loading, the dependency on libcurl.dll has been removed. The updater has also disabled two insecure cURL SSL options and now restricts plugin management execution to only those programs signed with the same certificate as WinGUp, adding further layers of defense.

This security overhaul responds to a supply chain compromise that occurred in June 2025, when hackers gained access to the project’s shared hosting server. Although the attackers lost direct server access in early September 2025 after kernel and firmware updates, they retained credentials for internal project services on that server until early December. During this period, security researchers from firms like Rapid7 and Kaspersky analyzed the malicious updates. They found the attacks delivered payloads such as Cobalt Strike Beacon and the Chrysalis backdoor, tools used to establish covert command and control channels on infected machines.

Initially, it appeared the campaign focused on organizations in Southeast Asia and South America. However, subsequent investigations by Palo Alto Networks revealed that entities in the United States and Europe also received the malicious updates, indicating a broader potential impact.

For safety, all users should ensure they are running the latest patched version of the software. It is also critically important to download Notepad++ only from its official GitHub repository or the official project website. Cybercriminals frequently create spoofed websites offering fake downloads, which are commonly used to distribute various forms of malware.

(Source: HelpNet Security)