Security researchers recently uncovered a vulnerability in the open-source text and code editor Notepad++, allowing attackers in certain regions to hijack network traffic, poison the update process, and install malware on affected machines. The flaw has now been patched in Notepad++ v8.8.9.
Users who are running older versions and have attempted to update should immediately perform a thorough scan with robust security software. Their systems may already have been compromised; in severe cases, a full system reinstall may be the only reliable remedy. According to the developers, the Notepad++ update utility WinGUp could, under certain circumstances, be redirected to a malicious server, resulting in the download of a tampered executable capable of infecting the system.
During the update process, WinGUp checks the version number and queries: https://notepad-plus-plus.org/update/getDownloadUrl.php. This endpoint generates an XML file that includes the download URL, which the updater then retrieves and executes from the %TEMP% directory.
Any adversary capable of intercepting and modifying this traffic could alter the download URL, for instance by substituting a link to a malicious payload. Prior to version 8.8.7, Notepad++ signed its installer with a self-signed certificate published in the project's source code on GitHub, which made such tampering and redistribution feasible.
Beginning with v8.8.7, Notepad++ adopted a trusted GlobalSign digital certificate, eliminating the need for users to install a separate root certificate and substantially strengthening the application’s security posture. Version 8.8.8 introduced a requirement that WinGUp use GitHub.com as the sole download source, while the newly released v8.8.9 further enhances security by correctly validating the digital signature and certificate of the downloaded file. If verification fails, the update process is aborted.
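To make the v8.8.8 source restriction concrete, here is an added defender-side check, written for this article and not WinGUp's own code: it parses the update response and accepts the advertised installer only when the URL is HTTPS and the host is exactly GitHub.com. The XML layout, element name and all URLs below are constructed for illustration, since the real getDownloadUrl.php response format is not shown here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: a single allowed host with exact matching (no subdomains).
ALLOWED_HOSTS = {"github.com"}


def extract_download_url(xml_text: str) -> str:
    """Pull the download URL out of the (constructed) update XML."""
    root = ET.fromstring(xml_text)
    node = root.find("Location")  # element name is an assumption
    if node is None or not node.text:
        raise ValueError("update response carries no download URL")
    return node.text.strip()


def is_trusted_download_url(url: str) -> bool:
    """Reject what an on-path attacker could swap in: plain http,
    lookalike hosts, userinfo tricks, explicit ports."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if parts.port is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def check_update_response(xml_text: str) -> bool:
    """True when the installer may be fetched; False means abort the update,
    the behaviour the article attributes to v8.8.8 and later."""
    try:
        return is_trusted_download_url(extract_download_url(xml_text))
    except (ET.ParseError, ValueError):
        return False


# Constructed sample responses (not captured traffic, placeholder paths).
GOOD_RESPONSE = ("<GUP><Location>https://github.com/EXAMPLE-ORG/EXAMPLE-REPO"
                 "/releases/download/v8.8.9/installer.exe</Location></GUP>")
BAD_RESPONSES = {
    "plain_http": "<GUP><Location>http://github.com/x/installer.exe</Location></GUP>",
    "lookalike": "<GUP><Location>https://github.com.evil.example/installer.exe</Location></GUP>",
    "userinfo": "<GUP><Location>https://github.com@evil.example/installer.exe</Location></GUP>",
    "other_host": "<GUP><Location>https://evil.example/installer.exe</Location></GUP>",
    "no_url": "<GUP></GUP>",
    "garbage": "not xml at all",
}
```

The URL allowlist only closes the redirection path; the v8.8.9 signature and certificate check on the downloaded file is the second layer and is not reproduced here.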
The developers have not yet determined precisely how the traffic hijacking occurred, and further investigation is ongoing. However, existing evidence suggests that attackers have already exploited the vulnerability against specific targeted organizations.
Users are strongly advised to update to at least v8.8.8, though upgrading directly to v8.8.9 is preferable. Because v8.8.8 cannot detect the latest release, users should manually download v8.8.9 from the official website.