{"id":128160,"date":"2025-12-16T00:13:05","date_gmt":"2025-12-15T18:43:05","guid":{"rendered":"https:\/\/www.techworm.net\/?p=128160"},"modified":"2025-12-16T00:13:05","modified_gmt":"2025-12-15T18:43:05","slug":"notepad-fixes-major-update-flaw-that-let-attackers-push-malware","status":"publish","type":"post","link":"https:\/\/www.techworm.net\/2025\/12\/notepad-fixes-major-update-flaw-that-let-attackers-push-malware.html","title":{"rendered":"Notepad++ Fixes Major Update Flaw That Let Attackers Push Malware"},"content":{"rendered":"

Notepad++, one of the most widely used text editors on Windows, has rolled out version 8.8.9 to patch a serious security flaw that allowed attackers to hijack its update process and push malicious update files to unsuspecting users.<\/p>\n

Users Spot Suspicious Update Behavior<\/strong><\/p>\n

The issue came to light when a user on the Notepad++ community forum noticed that Notepad++\u2019s updater, WinGUp<\/em>, launched a suspicious file called AutoUpdater.exe <\/em>from the system\u2019s Temp folder. The file quietly executed a series of system-reconnaissance commands, gathering system details such as running tasks, network information, and user data, and storing the output in a file called a.txt<\/em>.<\/p>\n

Moments later, the malware used a curl command to upload that data to temp.sh<\/em>, a service known for hosting files used in past malware campaigns.<\/p>\n

These actions were a red flag because WinGUp doesn\u2019t collect such data, nor does it use the regular Windows curl.exe program. This raised early suspicions among users that either a fake Notepad++ installation had been downloaded or that\u00a0the program\u2019s update traffic had been hijacked.<\/p>\n

Security Researcher Links Multiple Incidents<\/strong><\/p>\n

Soon after, more reports surfaced \u2014 this time from security expert Kevin Beaumont, who heard from three separate organizations in East Asia that had experienced similar compromise originating from Notepad++ processes.<\/p>\n

According to Beaumont, in each case, Notepad++ processes appeared to be the entry point for threat actors who later carried out hands-on activity inside the victims\u2019 networks.<\/p>\n

How The Attack Worked<\/strong><\/p>\n

Notepad++ periodically checks for updates by contacting a URL that returns XML data containing the latest version and the corresponding download link to the latest installer. If attackers intercept this traffic and modify the <Location<\/em>> tag in the XML, the updater will fetch a file from any destination they choose.<\/p>\n

Researchers believe attackers intercepted Notepad++\u2019s update traffic and swapped the legitimate download link with a malicious one \u2014 an attack made possible because older versions of WinGUp didn\u2019t verify file signatures or certificates. As a result, the rogue installer was treated as a normal update and executed without warning.<\/p>\n

Beaumont noted that while large-scale hijacking is difficult, targeted interception \u2014 especially within specific regions or industries or ISPs \u2014 is entirely feasible.\u00a0<\/strong><\/p>\n

Notepad++\u2019s Response<\/strong><\/p>\n

To address the issue, Notepad++ developer Don Ho released:\u00a0<\/strong><\/p>\n