Developers of the widely-used text editor Notepad++ are urging all users to update their software immediately following the discovery of an active campaign where hackers compromised the application’s own update mechanism.
The vulnerability, now patched in version 8.8.9, allowed threat actors to hijack the automatic updater. This enabled them to serve malicious versions of the software to unsuspecting users. The Notepad++ team advises users on versions prior to 8.8.9 to avoid using the built-in updater entirely. Instead, they should manually download and install the latest version directly from the official Notepad++ website.

Cybersecurity researcher Kevin Beaumont reports that multiple organizations have recently been breached through tainted Notepad++ updates. The developers later confirmed that the incident stemmed from a serious weakness in the software’s update system.
Notepad++ uses a separate tool, WinGUP, to handle updates; it fetches a small file from the project’s site to learn the latest download link. Taking advantage of the site’s low traffic, the attackers intercepted that connection and replaced the real link with one of their own, so a malicious version could be installed without drawing much attention.
Early findings suggest the attackers focused their efforts on a small set of organizations based in several Asian countries.
The latest Notepad++ release, version 8.8.9, fixes the issue by hard-coding the update link to GitHub. With GitHub’s heavy, encrypted traffic, attempts to intercept or alter downloads become far more difficult for attackers.
The update also clears up a long-standing security oddity. Starting with version 8.8.7, Notepad++ now signs its installers with a valid GlobalSign certificate, eliminating the need for the old custom root certificate. The developers advise anyone who previously installed that certificate to remove it.
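For administrators cleaning up after this incident, the checks that matter are the ones the two fixes above imply: that the installed build is at least 8.8.9, that any installer you apply by hand carries a valid Authenticode signature from the new GlobalSign-issued certificate, that a download link points at GitHub over HTTPS, and that the legacy custom root certificate is no longer trusted on the machine. The PowerShell script below is an added example written for this page, not tooling from the Notepad++ project; the installer filename, the install path, the allowed download hosts, and the assumption that the legacy root certificate and the new signer both carry “Notepad++” in their subject are all assumptions, not facts taken from the article.

```powershell
# Added example (not Notepad++ project code): post-incident checks on a Windows host.
# Assumed, not confirmed by the article: install path, installer filename, the download
# hosts, and that the old custom root cert and the new code-signing cert both have
# "Notepad++" in their subject.
param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\npp.8.8.9.Installer.x64.exe",
    [string]$ExePath       = "$env:ProgramFiles\Notepad++\notepad++.exe",
    [string]$UpdateUrl     = "https://github.com/notepad-plus-plus/notepad-plus-plus/releases/latest"
)

$MinimumVersion = [version]'8.8.9'                                   # first patched release (from the article)
$AllowedHosts   = @('github.com', 'objects.githubusercontent.com')   # assumed GitHub download hosts

# 1. Installed build must be 8.8.9 or newer; older builds should not use the built-in updater.
function Test-NppVersion {
    param([string]$Path)
    if (-not (Test-Path $Path)) { Write-Warning "Notepad++ not found at $Path"; return $false }
    $raw = (Get-Item $Path).VersionInfo.ProductVersion
    $ver = [version]($raw -replace '[^0-9.].*$', '')                 # strip any suffix after the numbers
    $ok  = $ver -ge $MinimumVersion
    Write-Host ("Installed version {0}: {1}" -f $ver, $(if ($ok) { 'OK' } else { 'UPDATE MANUALLY' }))
    return $ok
}

# 2. A download link is only acceptable if it is HTTPS and points at GitHub.
function Test-NppDownloadUrl {
    param([string]$Url)
    $uri = $null
    if (-not [uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) { return $false }
    $ok = ($uri.Scheme -eq 'https') -and ($AllowedHosts -contains $uri.Host.ToLowerInvariant())
    Write-Host ("Download URL {0}: {1}" -f $Url, $(if ($ok) { 'OK' } else { 'REJECT' }))
    return $ok
}

# 3. Installer must have a valid Authenticode signature from the GlobalSign-issued certificate.
function Test-NppInstallerSignature {
    param([string]$Path)
    if (-not (Test-Path $Path)) { Write-Warning "Installer not found at $Path"; return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)' - do not run this installer"
        return $false
    }
    $cert   = $sig.SignerCertificate
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $built  = $chain.Build($cert)
    $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $ok     = $built -and ($cert.Subject -match 'Notepad\+\+') -and ($root.Subject -match 'GlobalSign')
    Write-Host "Signer : $($cert.Subject)"
    Write-Host "Root   : $($root.Subject)"
    Write-Host ("Signature check: {0}" -f $(if ($ok) { 'OK' } else { 'UNEXPECTED SIGNER/ROOT' }))
    return $ok
}

# 4. Report any leftover custom root certificate so it can be removed.
function Find-LegacyNppRootCert {
    $found = @()
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        $found += Get-ChildItem $store -ErrorAction SilentlyContinue |
                  Where-Object { $_.Subject -match 'Notepad\+\+' } |
                  ForEach-Object { [pscustomobject]@{ Store = $store; Subject = $_.Subject; Thumbprint = $_.Thumbprint } }
    }
    if ($found.Count -eq 0) { Write-Host 'Legacy root certificate: none found'; return $found }
    foreach ($c in $found) {
        Write-Warning "Legacy root cert still trusted in $($c.Store): $($c.Subject)"
        Write-Host   "  remove with: Remove-Item '$($c.Store)\$($c.Thumbprint)'"
    }
    return $found
}

$results = @{
    Version   = Test-NppVersion -Path $ExePath
    Url       = Test-NppDownloadUrl -Url $UpdateUrl
    Signature = Test-NppInstallerSignature -Path $InstallerPath
    NoLegacy  = (Find-LegacyNppRootCert).Count -eq 0
}
$results.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

Run it from an elevated prompt if you want the LocalMachine root store checked; the certificate removal is deliberately left as a printed command rather than done automatically, so the operator can confirm the subject and thumbprint before deleting anything from a trust store.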
Notepad++ has stayed popular with developers, writers, and power users because it’s fast, light, and easy to tailor. It may look simple, but it packs a ton of features, including syntax highlighting for all kinds of languages, tabs, plugins, and plenty of customization options.
The situation shows that even trusted open-source tools aren’t immune to problems. Notepad++ is already competing with things like Sublime Text and the more demanding Visual Studio Code, and now Microsoft is piling new features, tabs, rich text, and Copilot into Windows Notepad. For some people, that takes away the simplicity they’ve always counted on.
At this point, users should manually update to Notepad++ 8.8.9 to make sure they’re using a clean and secure release.