Dopious
Senior Member
Founding Member
Sapphire Member
Patron
Hot Rod
Silver Star
Silver Star
Silver Star
Silver Star
Silver Star
Notepad++ has confirmed that its built-in update mechanism WinGUp was hijacked through selective traffic redirection for at least part of 2025. In some cases, update requests have been redirected to contain malicious code such as backdoors instead.
The attack exploited a weakness in how WinGUp validated what was downloaded. In older versions, certificates or digital signatures were not checked sufficiently before the update file was executed. The attackers also carefully selected their victims, partly to make detection more difficult but also to gain access to systems where China has an interest:
The Notepad++ development team has now released version 8.8.9 which includes a critical security enhancement where both the certificate and signature are verified before an updated file is executed. If the verification fails, the update is stopped completely. This prevents manipulated update files from being executed even if the traffic or the update server has been hijacked. In this particular case, it was a breach at the provider that hosted the update infrastructure that had been hacked.
This is an important reminder that the entire update chain is a critical attack surface that must be protected with strong authentication and verification. Update integrity checks are not just a technical detail but a prerequisite for more secure software updates.
Source: https://notepad-plus-plus.org/news/hijacked-incident-info-update/
The attack exploited a weakness in how WinGUp validated what was downloaded. In older versions, certificates or digital signatures were not checked sufficiently before the update file was executed. The attackers also carefully selected their victims, partly to make detection more difficult but also to gain access to systems where China has an interest:
The Notepad++ development team has now released version 8.8.9 which includes a critical security enhancement where both the certificate and signature are verified before an updated file is executed. If the verification fails, the update is stopped completely. This prevents manipulated update files from being executed even if the traffic or the update server has been hijacked. In this particular case, it was a breach at the provider that hosted the update infrastructure that had been hacked.
This is an important reminder that the entire update chain is a critical attack surface that must be protected with strong authentication and verification. Update integrity checks are not just a technical detail but a prerequisite for more secure software updates.
Source: https://notepad-plus-plus.org/news/hijacked-incident-info-update/
