Notepad++ WinGUp update hijack security flaw

Vulnerability · Happening score: 19 · 1 unique source, 1 article

Summary

Notepad++'s WinGUp updater had a security weakness that could let malicious executables replace legitimate update packages, creating an attacker-controlled update path for users. The issue was reported after incidents in which the updater fetched the wrong files, and one observed payload used the update process to run %Temp%\AutoUpdater.exe and collect device information. Notepad++ later hardened the updater in version 8.8.9, which now aborts updates that do not verify against the developer's code-signing certificate.

Related Happenings

Lotus Blossom Notepad++ updater compromise campaign

Campaign
First: 17.02.2026 20:29 Last: 17.02.2026 20:29 Sources 1

About this happening: The **Lotus Blossom** operation compromised the **Notepad++ updater** and **selectively redirected update requests** from specific users to malicious servers, creating a supply-ch...

Notepad++ hit by network compromise

Incident
First: 03.02.2026 06:55 Last: 03.02.2026 06:55 Sources 1

About this happening: The **Notepad++** hosting breach enabled attackers to hijack the software update path and selectively redirect some users to **malicious servers**, creating a **supply-chain** ris...

Latest development: 18.02.2026 09:40

Notepad++ released version 8.9.2 to harden the update mechanism after the hijacked update path was used to deliver targeted malware. The release adds a "double lock" design with verification of the signed installer downloaded from GitHub and verification of the signed XML returned by the update server at notepad-plus-plus[.]org, and it also introduces WinGUp hardening including removal of libcurl.dll, removal of CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE, and restriction of plugin management execution to programs signed with the same certificate as WinGUp.

Timeline

  1. 11.12.2025 23:04 · 1 article

    Notepad++ 8.8.8 limits updates to GitHub

    Mitigation Patch Update

    Notepad++ developer Don Ho released version 8.8.8 to reduce exposure to potential network hijacks in the update path by allowing updates to be downloaded only from GitHub.

  2. 11.12.2025 23:04 · 1 article

    Notepad++ 8.8.9 adds signature and certificate checks

    Mitigation Patch Update

    Version 8.8.9 hardened Notepad++ and WinGUp to verify the signature and certificate of downloaded installers during the update process, aborting any update that fails verification.

  3. 11.12.2025 23:04 · 2 articles

    Users report Notepad++ WinGUp update hijack activity

    Initial Disclosure

    A Notepad++ community forum report said GUP.exe (WinGUp) spawned %Temp%\AutoUpdater.exe, which ran reconnaissance commands such as netstat -ano, systeminfo, tasklist, and whoami, stored the output in a.txt, and used curl.exe to exfiltrate the file to temp[.]sh. Kevin Beaumont separately said he had heard from 3 organizations with security incidents on boxes with Notepad++ installed, where Notepad++ processes appeared to provide initial access and the activity looked targeted, with victims later reporting hands-on reconnaissance and suspected update-traffic hijacking or malicious Notepad++ builds.
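
The process chain in the forum report can be turned into a detection over process-creation logs. The following is an added example, not code from Notepad++ or from the reporting sources: it flags a Temp-located binary started by GUP.exe only when reconnaissance tools or a curl.exe upload to temp[.]sh appear beneath it. The event field names, PIDs, paths and the `ev` helper are assumptions of this example, as is the premise that an ordinary update may also start an installer from Temp.

```python
import ntpath

# Behaviours from the forum report summarised in the timeline entry above.
RECON_TOOLS = {"netstat.exe", "systeminfo.exe", "tasklist.exe", "whoami.exe"}
EXFIL_HOST = "temp[.]sh".replace("[.]", ".")  # kept defanged in source

def base(path):
    return ntpath.basename(path).lower()

def in_temp(path):
    # Assumption: %Temp% resolves to the per-user AppData\Local\Temp folder.
    return "\\appdata\\local\\temp\\" in path.lower()

def detect(events):
    """Map each Temp binary started by GUP.exe to behaviours seen beneath it.

    events: process-creation records, oldest first. A Temp child with no
    recon or upload descendants (assumed: a normal installer run) is skipped.
    """
    root_of, hits = {}, {}   # pid -> root pid; root pid -> set of behaviours
    for e in events:
        name = base(e["image"])
        if base(e["parent_image"]) == "gup.exe" and in_temp(e["image"]):
            root_of[e["pid"]] = e["pid"]
        elif e["ppid"] in root_of:
            root = root_of[e["pid"]] = root_of[e["ppid"]]  # follow cmd.exe etc.
            if name in RECON_TOOLS:
                hits.setdefault(root, set()).add("recon:" + name)
            elif name == "curl.exe" and EXFIL_HOST in e["cmdline"].lower():
                hits.setdefault(root, set()).add("upload:" + EXFIL_HOST)
    return {root: sorted(seen) for root, seen in hits.items()}

def ev(pid, ppid, image, parent_image, cmdline=""):
    return dict(pid=pid, ppid=ppid, image=image, parent_image=parent_image, cmdline=cmdline)

# Constructed sample events; paths, PIDs and field names are illustrative.
T, S = r"C:\Users\u\AppData\Local\Temp", r"C:\Windows\System32"
GUP = r"C:\Program Files\Notepad++\updater\GUP.exe"
SAMPLE = [
    ev(101, 100, T + r"\AutoUpdater.exe", GUP),
    ev(102, 101, S + r"\cmd.exe", T + r"\AutoUpdater.exe"),
    ev(103, 102, S + r"\netstat.exe", S + r"\cmd.exe", "netstat -ano"),
    ev(104, 102, S + r"\whoami.exe", S + r"\cmd.exe", "whoami"),
    ev(105, 102, S + r"\curl.exe", S + r"\cmd.exe", "curl.exe [args elided] " + EXFIL_HOST),
    ev(201, 200, T + r"\installer.exe", GUP),  # Temp child with no recon below it
    ev(301, 300, S + r"\whoami.exe", r"C:\Windows\explorer.exe", "whoami"),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The lookup is keyed on PID alone, so over long log windows it should be keyed on a process GUID or on PID plus start time to avoid PID reuse.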