
Redazione RHC : 11 December 2025 17:18
Notepad++ is often targeted by attackers because the software is popular and widely used. A recently discovered vulnerability in the open-source text and code editor Notepad++ could allow attackers to hijack network traffic, hijack the update process, and install malware on affected computers. This flaw has now been fixed in Notepad++ version 8.8.9.
Users running older versions should immediately run a thorough scan with reputable security software. Their systems may already be compromised; in more severe cases, a complete reinstallation may be the only reliable solution.
According to the developers, the Notepad++ update utility, WinGUp, could, under certain circumstances, be redirected to a malicious server, resulting in the download of a malicious executable file that can infect the system.
During the update process, WinGUp checks the version number and queries the https://notepad-plus-plus.org/update/getDownloadUrl[.]php endpoint. This endpoint generates an XML file that includes the download URL, which the updater retrieves and executes from the %TEMP% directory. Any adversary capable of intercepting and modifying this traffic could alter the download URL, for example, replacing it with a link to a malicious payload.
Starting with version 8.8.7, Notepad++ has adopted a trusted GlobalSign digital certificate, eliminating the need for users to install a separate root certificate and significantly strengthening the application’s security.
Version 8.8.8 introduced the requirement that WinGUp use GitHub.com as the only download source, while the new version 8.8.9 further improves security by properly validating the downloaded file’s digital signature and certificate. If verification fails, the update process is aborted.
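The download-source restriction described above can be illustrated with a short Python check over an update manifest. This is an added example, not Notepad++ or WinGUp code; the `<GUP>`/`<Location>` manifest layout, the placeholder release path and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

ALLOWED_HOST = "github.com"  # sole download source named in the article (8.8.8+)
# Assumption: placeholder release path, not the project's real repository path.
ALLOWED_PREFIX = "/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/"

# Constructed sample manifest; the <GUP>/<Location> layout is an assumption.
SAMPLE_MANIFEST = (
    "<GUP><NeedToBeUpdated>yes</NeedToBeUpdated><Version>8.8.9</Version>"
    "<Location>https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/"
    "v8.8.9/installer.exe</Location></GUP>"
)

def extract_location(manifest_xml):
    """Return the download URL carried in the manifest's <Location> element."""
    root = ET.fromstring(manifest_xml)
    location = root.findtext("Location")
    if root.tag != "GUP" or not location or not location.strip():
        raise ValueError("manifest has no download location")
    return location.strip()

def download_url_allowed(url):
    """Accept only https on the pinned host, default port, pinned path, no userinfo."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # rejects https://github.com@other-host/ style URLs
    if parts.hostname != ALLOWED_HOST:
        return False  # exact match, so github.com.other-host fails
    if ".." in unquote(parts.path).split("/"):
        return False  # no traversal out of the pinned release path
    return parts.path.startswith(ALLOWED_PREFIX)

def manifest_is_acceptable(manifest_xml):
    """True only if the manifest parses and its download URL passes the pin."""
    try:
        return download_url_allowed(extract_location(manifest_xml))
    except (ET.ParseError, ValueError):
        return False

if __name__ == "__main__":
    print(manifest_is_acceptable(SAMPLE_MANIFEST))
```

A host and path pin only constrains where the file comes from; it does not authenticate the file itself, which is the gap the signature and certificate validation in 8.8.9 closes.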
Developers have not yet determined exactly how the traffic hijacking occurred, and further investigation is ongoing. However, existing evidence suggests that attackers have already exploited the vulnerability against specific targeted organizations.
Users are strongly recommended to update to at least version 8.8.8, although a direct update to version 8.8.9 is preferred. Since version 8.8.8 cannot detect the latest version, users should manually download version 8.8.9 from the official website.