A critical security flaw has been identified in the Notepad++ WinGUp updater that allowed attackers to intercept and redirect update traffic, causing users to unknowingly download and execute malicious installers disguised as official Notepad++ updates.

Affected Systems

• Notepad++ versions prior to 8.8.9

Security Risks

Exploitation of this vulnerability allows attackers to hijack the update process, install malicious files, and access system information, potentially leading to immediate system compromise and unauthorized activity.

Recommended Actions

The National Cyber Security Authority (NCSA) recommends the following actions:

• Manually update to Notepad++ version 8.8.9 from the official website: https://notepad-plus-plus.org/downloads/

• Verify the installer is signed by GlobalSign and shows “This digital signature is OK” in Windows.

• Only download and run installers from official sources; avoid unofficial websites or third-party downloads.

• Remove any old Notepad++ self-signed certificates from your system certificate store to ensure only trusted signatures are used.

• Check the updater and TEMP folder for unusual files:

• Legitimate updates are handled automatically by WinGUp.exe and the official installer.

• Do not open any unexpected files such as update.exe or AutoUpdater.exe, as these are not part of Notepad++ and may be malicious.

• Monitoring ensures only trusted update files run and provides early warning of any tampering.

• Backup important files before updating to prevent potential data loss.

• For further information and support, please contact the National Cyber Security Authority (NCSA) by email to rwcsirt@ncsa.gov.rw or call us on 9009.

References

• https://cybersecuritynews.com/notepad-vulnerability-exploited/

• Download Notepad++ v8.8.9: vulnerability-fix

• Notepad++ fixes flaw that let attackers push malicious update files