tl;dr A network operator can perform a MitM attack on the built-in updater's call-out checking for updates by faking the Notepad++ update website, telling it a new version is available at and then downloading and running the malware

It requires a malicious network operator, or preexisting malware on the host.

https://notepad-plus-plus.org/news/v889-released/

Since you have to opt into tracking to read the article (which I think is illegal) here's the source.

we share data with our 188 partners

That’s a no from me dawg

The updater integrated into Notepad++ has allowed itself to be infiltrated by malware, which has been installed on some PCs. The developer of the powerful open-source text editor is responding with an update to Notepad++ v8.8.9. Users currently have to perform the update manually.

In a news post on the Notepad++ website, developer Don Ho explains that "some security experts have reported incidents where internet traffic affecting Notepad++ was intercepted." According to the post, investigations have revealed that traffic from the Notepad++ updater WinGUp "was occasionally redirected to malicious servers, leading to the download of compromised executable files." IT security researcher Kevin Beaumont reports that at least three organizations "with interests in South Asia" have been targeted in this way.

As Beaumont explains, the updater uses a version check that queries the URL "https://notepad-plus-plus.org/update/getDownloadUrl.php" and evaluates an XML file delivered through it. The updater uses the download URL listed in the XML file, saves the file in the %TEMP% folder, and executes it. Anyone who can intercept and manipulate this traffic can therefore change the download URL. Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code. This made it possible to create manipulated updates and push them onto victims. Since v8.8.7, however, Notepad++ relies on a legitimate GlobalSign certificate, and installing its own Notepad++ root certificate is no longer necessary.

Remedy through updates

With Notepad++ v8.8.8, the WinGUp updater now forces github.com as the download source. Version 8.8.9, released overnight on Wednesday, further hardens Notepad++ and WinGUp so that they correctly check the signature and certificates of downloaded installers during the update process. If the check fails, the update process is aborted. Don Ho notes that investigations are ongoing to determine how the traffic hijacking occurred in the observed cases.

Kevin Beaumont also lists some indicators of compromise (IOCs). For example, connections from "gup.exe" to URLs other than "notepad-plus-plus.org", "github.com", and "release-assets.githubusercontent.com" are suspicious. Likewise, attention should be paid if "gup.exe" starts unusual processes – only "explorer.exe" and "npp*" related Notepad++ installers should run under it, which since versions 8.8.8 are also signed with a GlobalSign certificate. After the observed attacks, files named "update.exe" or "AutoUpdater.exe" (Notepad++ itself does not use these names at all) were apparently also found in the user's TEMP directory, from which "gup.exe" downloaded and executed the updaters.

Notepad++ v8.8.8 currently does not find the update.

Beaumont recommends updating to at least Notepad++ v8.8.8. However, version 8.8.9 is even further hardened. The integrated updater from Notepad++ v8.8.8 does not yet find the update, and "winget" also does not currently find a newer software version. However, the latest version is available as a manual download on the Notepad++ website.

Notepad++ is frequently targeted by malicious actors because the software is popular and widely used. Last year, for example, Don Ho asked for help to get rid of a "parasitic website" that was creeping into the original Notepad++ site in Google search results. It had unscrupulous intentions. In general, fake sites often appear in search results offering virus-infected files.

(dmk)

This article was originally published inGerman. It was translated with technical assistance and editorially reviewed before publication.

Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code.

That doesn't sound wise.

Not accessible without accepting advertising cookies, like Healthline.

Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code. This made it possible to create manipulated updates and push them onto victims, as binaries signed this way cause a warning „Unknown Publisher“. Since v8.8.7, however, Notepad++ relies on a legitimate GlobalSign certificate, and installing its own Notepad++ root certificate is no longer necessary – if such a warning pops up, users should be alarmed.

I don't understand how this is relevant. Unless the attacker has either

(a) somehow acquired the private key of the cert

(b) replaced the cert delivered through the installer

A self signed cert isn't any worse. Both of these attack vectors still work with a public root CA. Or maybe notepad++ just forgot to validate the self signed cert against the one they delivered through their sources, just accepting any non-expired cert? That's just a bug.

I don't get how this was exploited in practise.

Even if the signatures on the downloaded packages weren't checked properly, how would you modify the content of the XML file returned from https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.8.0 ? For that you'd have to break or MITM the TLS too, no?

The usual case for TLS MITM is when a company decides DPI is more important than E2E encryption and they terminate all TLS on the firewall, but if the firewall is compromised there would be much easier avenues of entry other than notepad++

https://archive.is/uCWNB

This isn't the first time Notepad++ was compromised. if I recall correctly, the first time was by a CIA backdoor.

https://notepad-plus-plus.org/news/v733-fix-cia-hacking-npp-issue/

It's a bit concerning that neither the article or Notepad++s blog post say what the affected version is, or what the minimum safe version is.

I'm assuming the minimum version is 8.8.7 since that's when they moved away from self signed certs, but it would be nice to hear it from the horse's mouth.

I just updated through Ninite and it went to 8.8.9.

The updater for the open-source editor Notepad++ has installed malware on WINDOWS PCs. The Linux ecosystem doesn't allow for this kind of network attack because of signing.

I have it installed in Wine, I haven't updated it in months though.

Huh. Notepad++ is only for Windows?

I used to use EditPad when I used Windows. There was something that royally pissed me off about it, but I can't recall now. I know there was kind of a shenanigans with the name. EditPad Lite was free and there was an EditPad Pro, but IIRC the free one was just fine for most people (and I do believe in paying for software you enjoy using). I dunno, it did something, but now, mostly I just remember it being very good.

I have a Mac now and we have TextEdit. It's never made me want more from a notepad app. Notepad used to suck in Windows. We have it at work and I quite like it. It has Markdown support, but you can disable that if you want. It also has Copilot AI in it, but that can also be disabled. It has Dark Mode which is pretty much all I wanted from my notepad app. I actually quite like my Windows 11 setup at work, but I like my Macs at home a bit better. I also know I don't have much room to criticise Windows if I'm not running Linux, and there's no point in bragging about Linux from a Mint or Ubuntu installation; these days you kinda have to use Arch (which you built from source) to really call yourself a Linux user. The rest of us are just plebeians.

Of course if you're using N++ as an IDE, that's different. I don't even want line numbers (visual distraction).