Update Notepad++ now to fix a dangerous security vulnerability

The popular Notepad++ text editor has been hijacked to spread malware, due to a security vulnerability in the app’s update mechanism. If you have the app installed, make sure you have the latest version to stay safe.
Like many Windows applications, Notepad++ has a built-in updater that can download and install the latest version. It uses a framework called WinGUP to request download links from the Notepad++ website, but the updater did not check the file's signature or perform other safety checks. That means that if a computer's network connection was compromised, the update request could be intercepted and the downloaded file replaced with a different executable.
Security analyst Kevin Beaumont reported hearing from three organizations that noticed malware originating from the Notepad++ updater. The attacks primarily affected systems in east Asia, starting around two months ago.
Notepad++ 8.8.8 was released last month with a partial fix: the updater now always downloads from GitHub, which is harder for an attacker to intercept. Now, Notepad++ 8.8.9 has arrived with additional signature and certificate checks during the update process.
A new blog post explained, “The review of the reports led to identification of a weakness in the way the updater validates the integrity and authenticity of the downloaded update file. […] Starting with this release, Notepad++ & WinGUp have been hardened to verify the signature & certificate of downloaded installers during the update process. If verification fails, the update will be aborted.”
If you have Notepad++ installed, you should update to version 8.8.8, ideally using the installer from the official website or the official GitHub repository. Earlier versions still use the compromised built-in updater, so that is not the safest option. Once Notepad++ 8.8.8 or later is installed, you can safely use the built-in updater again.
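The two checks described above, finding out whether the installed copy predates the fixed release and verifying a manually downloaded installer before running it, can be done from PowerShell. The script below is an added example and is not code from Notepad++ or WinGUP; it reads the standard Windows uninstall registry keys, and it treats the signing certificate's thumbprint as a placeholder that you must replace with the value taken from an installer you already trust.

```powershell
# Added example (not Notepad++ or WinGUP code): check the installed Notepad++
# version and verify an installer's Authenticode signature before running it.

# First release named in the article as shipping a fix for the updater.
$MinimumSafeVersion = [version]'8.8.8'

function Get-NotepadPlusPlusVersion {
    # Standard uninstall hives: native, 32-bit-on-64-bit, and per-user installs.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Notepad++*' -and $_.DisplayVersion } |
        ForEach-Object {
            # Keep only digits and dots so "8.8.8 (64-bit)"-style strings still parse.
            $ver = [version]($_.DisplayVersion -replace '[^\d.]', '')
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Version     = $ver
                Outdated    = ($ver -lt $MinimumSafeVersion)
            }
        }
}

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # PLACEHOLDER: thumbprint of the publisher certificate you expect. Read it
        # from a known-good installer with Get-AuthenticodeSignature and pin it here.
        [string] $ExpectedThumbprint = 'PLACEHOLDER-THUMBPRINT'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the chain reaches a
    # trusted root. Pinning the thumbprint additionally rejects a file that is
    # validly signed by some other publisher.
    $trusted = ($sig.Status -eq 'Valid') -and
               ($sig.SignerCertificate -ne $null) -and
               ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Trusted    = $trusted
    }
}

# Usage: report installed copies, then gate the manually downloaded installer.
Get-NotepadPlusPlusVersion | Format-Table -AutoSize

# PLACEHOLDER path: point this at the installer you downloaded from the official site.
$installer = Join-Path $env:USERPROFILE 'Downloads\npp-installer-PLACEHOLDER.exe'
if (Test-Path $installer) {
    $check = Test-InstallerSignature -Path $installer
    $check | Format-List
    if (-not $check.Trusted) {
        Write-Warning 'Signature or publisher check failed; do not run this installer.'
    }
}
```

The thumbprint pin is deliberately strict: a publisher's code-signing certificate is renewed periodically, so expect to update the pinned value when a new certificate appears, and confirm the new value out of band rather than by trusting whatever the downloaded file carries. `Get-AuthenticodeSignature` relies on the Windows certificate store, so run the check on Windows PowerShell or PowerShell 7 on Windows, not on a non-Windows host.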
This attack highlights a long-standing problem with Windows applications: there’s no universal system-level package manager, and third-party implementations aren’t always built to the same security and reliability standards. Windows 10 and Windows 11 have the Microsoft Store and WinGet, but they have their own limitations and aren’t available on the Windows 7/8 PCs that Notepad++ still supports.
You can download the latest Notepad++ release from the project’s official website. The built-in updater on previous versions isn’t compromised on all PCs, but you may as well stay on the safe side.
Source: Notepad++, DoublePulsar