Notepad++ tightens update security after suspected hijack attempts

Notepad++ has started blocking unsigned updates after reports that its built-in updater delivered malicious executables to some systems.

Rogue updater behavior raises alarm

The issue surfaced when a community user saw GUP.exe, Notepad++’s updater, spawn an unexpected AutoUpdater.exe file in the Temp folder. Instead of fetching a routine patch, the program ran commands to list network connections, system details, running processes and the current user, then saved the results to a.txt.

The executable then used curl to upload a.txt to temp[.]sh, an anonymous file-sharing service, previously seen in malware campaigns. Because the legitimate WinGUp component only uses the libcurl library internally and does not launch curl.exe or perform host reconnaissance, the activity suggested either a trojanized installation or interference with the update channel.

Developer rolls out stricter update controls

To restrict the possibility of network-level tampering, the developer released Notepad++ 8.8.8 in November, changing configuration so that update packages are downloaded solely from GitHub. Limiting trusted sources makes it harder for attackers to abuse compromised infrastructure or spoof alternative mirrors.

A stronger fix followed on Dec 9 with version 8.8.9. The new build verifies the digital signature and certificate of any installer retrieved by the updater and aborts if validation fails. Even if a threat actor redirects the download URL, an unsigned or improperly signed payload should no longer execute through the normal update process.

Targeted intrusions and guidance for users

Security researcher Kevin Beaumont says several organizations have reported incidents where Notepad++ processes appear linked to initial access. Notepad++ relies on a web endpoint that returns XML metadata, including the download location for the latest version, creating an opening for attackers who can intercept and modify that response.

While the project continues to investigate possible traffic hijacking, users are urged to upgrade to version 8.8.9, rely only on officially signed installers, remove older custom root certificates, and treat any unusual update behavior as a potential compromise.

Securing your digital parameter

Dedicated security software like Bitdefender Ultimate Security blocks malicious executables delivered through tampered or hijacked update channels with real-time threat detection and multi-layer malware defense.

It also shields your identity and credentials with breach monitoring, secure VPN and advanced anti-phishing tools, reducing the chance that threat actors can turn a single compromised update into full system access.