
Notepad++ users targeted in supply chain attack through update mechanism

Take action: If you use Notepad++, update to version 8.8.9 or later now by downloading the installer manually from notepad-plus-plus.org, and do not rely on the built-in auto-update until you are on that version. Enterprises should temporarily block outbound network access for gup.exe (the Notepad++ updater), or block access to the notepad-plus-plus.org domain, until every system has been updated.


Learn More

A number of organizations using the popular Notepad++ text editor have fallen victim to a supply chain attack that exploited weaknesses in the application's update mechanism.

At least three organizations experienced security incidents in which the Notepad++ updater process was compromised, leading to malware delivery and hands-on-keyboard threat actor activity. The attacks, which began in mid-October 2025, targeted organizations with interests in East Asia.

The attack exploited a weakness in WinGUP, Notepad++'s bespoke software updater, which did not properly verify the integrity and authenticity of the update files it downloaded before running them. When a user initiated an update, WinGUP sent the installed version to notepad-plus-plus.org and retrieved an XML file containing the download URL for the latest release. An attacker positioned in the network path between the client and that server could alter this exchange and point the updater at a server hosting a trojanized executable instead of the legitimate Notepad++ installer; because the updater then ran whatever it had downloaded, the substitution went unnoticed. Earlier versions of the updater communicated over unencrypted HTTP, and even HTTPS connections could be intercepted at the ISP level if the interceptor was able to present a certificate the client trusted. Some earlier Notepad++ releases were also signed with a self-signed certificate whose root was published on GitHub for users to install into their trust stores; a locally trusted root of that kind made it easier for tampering with the download process to pass without security warnings.

Indicators observed on compromised systems included:

  • Malicious files named update.exe or AutoUpdater.exe in users' TEMP folders
  • gup.exe spawning child processes other than explorer.exe and legitimately signed Notepad++ installers
  • Network connections from gup.exe to hosts other than notepad-plus-plus.org, github.com and release-assets.githubusercontent.com
  • Reconnaissance activity performed with curl.exe, including connections to temp.sh
  • Execution of binaries that lack a valid GlobalSign-issued digital signature
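The indicators above can be turned into a hunting rule over endpoint telemetry. The following PowerShell is an added example, not code from the original article or from the Notepad++ project: it evaluates the gup.exe child-process, gup.exe network-destination, TEMP dropper-name and curl.exe-to-temp.sh indicators over Sysmon-style events. Field names follow Sysmon Event ID 1 (process create) and Event ID 3 (network connect); the sample events are constructed for illustration, the host `updates.example.invalid` is a placeholder rather than a real indicator, and the installer file-name pattern is an assumption based on Notepad++ release naming.

```powershell
# Added example (not from the article or the Notepad++ project): hunting rule for the
# listed indicators over Sysmon-style events. Sample events below are constructed.

$AllowedGupDomains = @('notepad-plus-plus.org', 'github.com', 'release-assets.githubusercontent.com')
$DropperNames      = @('update.exe', 'AutoUpdater.exe')

function Test-HostAllowed {
    # True when $HostName is one of $Domains or a subdomain of one of them.
    param([string]$HostName, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($HostName -ieq $d -or $HostName.EndsWith(".$d", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Test-GupChildAllowed {
    # gup.exe normally spawns explorer.exe or the installer it just downloaded.
    # Assumption: legitimate installers are named npp.<version>.Installer[.x64|.arm64].exe.
    param([string]$Image)
    $name = [IO.Path]::GetFileName($Image)
    return ($name -ieq 'explorer.exe' -or $name -imatch '^npp\.\d+(\.\d+)*\.Installer(\.(x64|arm64))?\.exe$')
}

function Find-GupIndicators {
    param([object[]]$Events)
    foreach ($e in $Events) {
        $img    = [IO.Path]::GetFileName($e.Image)
        $parent = if ($e.ParentImage) { [IO.Path]::GetFileName($e.ParentImage) } else { '' }
        if ($e.Id -eq 1) {
            if ($parent -ieq 'gup.exe' -and -not (Test-GupChildAllowed $e.Image)) {
                [pscustomobject]@{ Indicator = 'Unexpected child of gup.exe'; Detail = $e.Image }
            }
            if ($img -in $DropperNames -and $e.Image -ilike '*\Temp\*') {
                [pscustomobject]@{ Indicator = 'Dropper name in TEMP'; Detail = $e.Image }
            }
        }
        elseif ($e.Id -eq 3) {
            if ($img -ieq 'gup.exe' -and -not (Test-HostAllowed $e.DestinationHostname $AllowedGupDomains)) {
                [pscustomobject]@{ Indicator = 'gup.exe to non-allowlisted host'; Detail = $e.DestinationHostname }
            }
            if ($img -ieq 'curl.exe' -and (Test-HostAllowed $e.DestinationHostname @('temp.sh'))) {
                [pscustomobject]@{ Indicator = 'curl.exe reconnaissance to temp.sh'; Detail = $e.DestinationHostname }
            }
        }
    }
}

# Constructed sample telemetry: a benign update followed by a hijacked one.
$SampleEvents = @(
    [pscustomobject]@{ Id = 1; Image = 'C:\Program Files\Notepad++\updater\gup.exe'; ParentImage = 'C:\Program Files\Notepad++\notepad++.exe' }
    [pscustomobject]@{ Id = 3; Image = 'C:\Program Files\Notepad++\updater\gup.exe'; DestinationHostname = 'notepad-plus-plus.org' }
    [pscustomobject]@{ Id = 1; Image = 'C:\Users\alice\AppData\Local\Temp\npp.8.8.9.Installer.x64.exe'; ParentImage = 'C:\Program Files\Notepad++\updater\gup.exe' }
    [pscustomobject]@{ Id = 3; Image = 'C:\Program Files\Notepad++\updater\gup.exe'; DestinationHostname = 'updates.example.invalid' }
    [pscustomobject]@{ Id = 1; Image = 'C:\Users\alice\AppData\Local\Temp\update.exe'; ParentImage = 'C:\Program Files\Notepad++\updater\gup.exe' }
    [pscustomobject]@{ Id = 3; Image = 'C:\Windows\System32\curl.exe'; DestinationHostname = 'temp.sh' }
)

Find-GupIndicators -Events $SampleEvents | Format-Table -AutoSize
```

Against the constructed sample the first three events produce no findings and the last three produce four: the update.exe child is flagged both as an unexpected child of gup.exe and as a dropper name in TEMP, the non-allowlisted gup.exe destination is flagged, and the curl.exe connection to temp.sh is flagged. In production, replace `$SampleEvents` with objects parsed from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` or your EDR's export; the allowlists are deliberately small, so add any internal update proxy your deployment uses before relying on the gup.exe destination check.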

The incident has not been assigned a CVE identifier, and the number of affected users beyond the three confirmed organizations has not been disclosed.

Notepad++ developer Don Ho has released several hardened versions. Starting with version 8.8.7, all Notepad++ binaries, including the installers, are signed with certificates issued by GlobalSign, so users no longer need to install the project's earlier self-signed root certificate; anyone who previously imported that root is strongly advised to remove it from their certificate store. Version 8.8.8, released in November 2025, made the updater download exclusively from github.com, which makes interception significantly harder because GitHub's infrastructure is far more difficult to hijack than the project's own hosting. Version 8.8.9, released on December 9, 2025, adds signature and certificate verification of every installer the updater downloads; if verification fails, the update is aborted before the installer runs, so an unauthorized binary is never executed.

Organizations and individual users should update to Notepad++ version 8.8.9 or later immediately, preferably by downloading the installer manually from the official notepad-plus-plus.org website rather than using the automatic update function. Enterprises that package and manage Notepad++ deployments should consider blocking internet access for the gup.exe process, or access to the notepad-plus-plus.org domain, until all systems are updated; note that a domain block also prevents manual downloads from the site, so stage the verified 8.8.9 installer centrally before applying it.
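The host-side steps from the two paragraphs above (confirm the installed version, check that the updater and editor carry a valid GlobalSign-issued signature rather than the old self-signed one, look for the named dropper files, remove a previously imported self-signed Notepad++ root, and block gup.exe egress until the host is current) can be scripted. The PowerShell below is an added example, not code from the original article or from the Notepad++ project. It assumes the default 64-bit install path under Program Files, that the signer's subject name contains "Notepad++", and that the numeric version fields in the executable's resource track the release number; verify each against your own deployment, and run it in an elevated session so the LocalMachine store and firewall changes succeed.

```powershell
# Added example (not from the article or the Notepad++ project): host checks and
# containment for the Notepad++ updater incident. Paths and the expected signer
# subject are assumptions; run elevated.

$NppDir = Join-Path $env:ProgramFiles 'Notepad++'   # assumption: default 64-bit install
$Gup    = Join-Path $NppDir 'updater\gup.exe'
$Npp    = Join-Path $NppDir 'notepad++.exe'

# 1. Installed version, read from the numeric fields of the version resource.
#    Anything below 8.8.9 still runs the unverified update path.
function Get-NppVersion {
    if (-not (Test-Path $Npp)) { return $null }
    $vi = (Get-Item $Npp).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

# 2. A Notepad++ binary should carry a valid signature whose issuer is GlobalSign;
#    the old self-signed certificate is recognisable by Subject equal to Issuer.
function Test-NppSignature {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = if ($cert) { $cert.Subject } else { '' }
        Issuer  = if ($cert) { $cert.Issuer }  else { '' }
        Trusted = ($sig.Status -eq 'Valid' -and $cert -and
                   $cert.Issuer -like '*GlobalSign*' -and $cert.Subject -ne $cert.Issuer -and
                   $cert.Subject -like '*Notepad++*')   # assumption: signer subject names the project
    }
}

# 3. Files with the observed dropper names anywhere under the user's TEMP folder.
function Find-DropperCandidates {
    Get-ChildItem -Path $env:TEMP -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'update.exe', 'AutoUpdater.exe' } |
        Select-Object FullName, LastWriteTime,
            @{ n = 'Signature'; e = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } }
}

# 4. The previously distributed self-signed Notepad++ root, if a user imported it.
#    Matching on the subject is an assumption: confirm the thumbprint before removing.
function Get-StaleNppRoot {
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*Notepad++*' -and $_.Subject -eq $_.Issuer }
    }
}

# 5. Containment: deny gup.exe outbound access until the host is on 8.8.9 or later.
function Block-GupEgress {
    if (-not (Get-NetFirewallRule -DisplayName 'Block gup.exe egress' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block gup.exe egress' -Direction Outbound `
            -Program $Gup -Action Block | Out-Null
    }
}

$ver = Get-NppVersion
"Installed Notepad++ version: $ver"
Test-NppSignature -Path $Gup | Format-List
Test-NppSignature -Path $Npp | Format-List
Find-DropperCandidates | Format-Table -AutoSize
Get-StaleNppRoot | ForEach-Object {
    "Removing stale self-signed root $($_.Thumbprint) from $($_.PSParentPath)"
    Remove-Item -Path $_.PSPath
}
# Block egress when the version is unknown or older than 8.8.9; remove the rule after updating.
if (-not ($ver -is [version]) -or $ver -lt [version]'8.8.9') { Block-GupEgress }
```

Once the host is on 8.8.9 or later, lift the containment with `Remove-NetFirewallRule -DisplayName 'Block gup.exe egress'`. Any file reported by Find-DropperCandidates, or any Notepad++ binary for which Trusted is false, should be treated as a candidate for the hands-on-keyboard activity described above and preserved for forensic review rather than simply deleted.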
