Introduction
Attackers assessed to be Chinese state-sponsored compromised the hosting infrastructure behind notepad-plus-plus.org from June to early December 2025 and hijacked the application’s update mechanism to deliver malicious executables to selectively targeted users. The attack did not exploit a vulnerability in Notepad++ code itself; it combined infrastructure-level access with a missing control in the WinGUp updater, which ran downloaded installers without verifying their signatures. No CVE has been assigned. Anyone who ran a version prior to v8.8.9 and checked for updates during the compromise window should audit those systems for the indicators below and update immediately.
Quick Overview
| Attribute | Details |
|---|---|
| CVE | None assigned (infrastructure compromise) |
| Severity | High (enables RCE via supply chain) |
| CWE | N/A – not a code vulnerability |
| Affected Products | Notepad++ (WinGUp updater component) |
| Affected Versions | All versions prior to v8.8.9 |
| Attack vector | Network (MitM via compromised infrastructure) |
| Authentication Required | None |
| Exploit Complexity | High (required infrastructure-level access) |
| User Interaction | Required (user triggers update check) |
| Active Exploitation | Yes – confirmed (June–December 2025) |
| PoC Available | N/A – infrastructure attack, not reproducible |
| CISA KEV | No |
| Fix Available | Yes – v8.8.9+ (recommend v8.9.1) |
What is WinGUp?
WinGUp (Windows Generic Update Program, gup.exe) is the built-in update mechanism for Notepad++. When a user checks for updates, WinGUp contacts notepad-plus-plus.org to retrieve an XML manifest that says whether an update is available and where the installer is hosted; it then downloads that installer and runs it. Whoever controls the manifest can therefore have WinGUp fetch and run an arbitrary executable, under the user’s account, behind a prompt the user has every reason to trust.
Technical Analysis
The attack exploited infrastructure-level compromise rather than a software vulnerability. According to the official disclosure from maintainer Don Ho, attackers compromised the shared hosting server where notepad-plus-plus.org was hosted. This allowed them to intercept and selectively redirect update traffic to attacker-controlled servers serving malicious update manifests.
The hosting provider’s incident response statement confirmed the server was directly compromised until September 2, 2025, when a kernel and firmware update severed direct access. However, attackers retained credentials to internal services until December 2, 2025, enabling continued traffic manipulation.
A fundamental weakness in WinGUp enabled the attack: prior to v8.8.9, the updater did not verify the certificate and signature of downloaded installers. v8.8.7 introduced GlobalSign certificate signing of the installer and v8.8.8 restricted downloads to GitHub, but neither step helps unless the client enforces it: a signature that is never checked before execution, and a download restriction the updater does not itself validate, do not stop a swapped binary.
The attack was highly selective. The hosting provider confirmed attackers specifically searched for the notepad-plus-plus.org domain rather than broadly targeting all hosted clients. Only traffic from certain targeted users was redirected to malicious servers.
Attack Flow
- User running vulnerable Notepad++ version checks for updates
- WinGUp contacts notepad-plus-plus.org/update/getDownloadUrl.php
- Attackers intercept request and redirect targeted users to malicious server
- Malicious server returns update manifest pointing to attacker-controlled binary
- WinGUp downloads and executes malicious installer without verification
- Attacker achieves code execution with user privileges
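An added illustration, not code from WinGUp or the Notepad++ project: the two client-side checks whose absence step 5 of the flow above relies on (refusing download locations outside an allowlist, and verifying the downloaded installer’s Authenticode signature before running it), written as a PowerShell update routine. The manifest layout (a `<GUP>` element with `<NeedToBeUpdated>`, `<Version>` and `<Location>`), the allowlisted hosts, the placeholder signer subject and the `.invalid` download host are assumptions made for the demonstration, not values taken from Notepad++ or its GlobalSign certificate.

```powershell
# Added example, not WinGUp's code. Assumptions: the <GUP>/<NeedToBeUpdated>/<Version>/<Location>
# manifest layout, the allowlisted hosts, and the expected signer subject are illustrative
# placeholders, not values taken from Notepad++ or its GlobalSign certificate.

$AllowedDownloadHosts = @('github.com', 'release-assets.githubusercontent.com')

function Get-UpdateLocation {
    param([string]$ManifestXml)
    $doc = [xml]$ManifestXml
    if ($doc.GUP.NeedToBeUpdated -ne 'yes') { return $null }
    return [uri]$doc.GUP.Location
}

function Test-UpdateLocation {
    param([uri]$Location)
    # Only HTTPS to an allowlisted host; the manifest is untrusted input and may lie.
    return ($Location.Scheme -eq 'https') -and ($AllowedDownloadHosts -contains $Location.Host.ToLowerInvariant())
}

function Test-InstallerSignature {
    param([string]$Path, [string]$ExpectedSubject)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches and the chain builds to a trusted root; the leaf
    # subject check stops a binary signed by some other, equally valid, publisher.
    return ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -eq $ExpectedSubject)
}

function Invoke-VerifiedUpdate {
    param([string]$ManifestXml, [string]$ExpectedSubject, [string]$DownloadDir = $env:TEMP)
    $loc = Get-UpdateLocation -ManifestXml $ManifestXml
    if (-not $loc) { Write-Host 'No update offered.'; return $false }
    if (-not (Test-UpdateLocation -Location $loc)) {
        Write-Warning "Refusing download from non-allowlisted location: $loc"
        return $false
    }
    $installer = Join-Path $DownloadDir (Split-Path -Path $loc.AbsolutePath -Leaf)
    Invoke-WebRequest -Uri $loc -OutFile $installer
    if (-not (Test-InstallerSignature -Path $installer -ExpectedSubject $ExpectedSubject)) {
        Write-Warning "Signature check failed for $installer; deleting it instead of running it"
        Remove-Item -Path $installer -Force
        return $false
    }
    # Only a binary that passed both checks is ever executed (with the user's privileges).
    Start-Process -FilePath $installer -Wait
    return $true
}

# Constructed manifest of the kind a hijacked update endpoint could return (not a real IOC).
$hijacked = @'
<?xml version="1.0"?>
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.8.8</Version>
  <Location>https://updates.example.invalid/npp.8.8.8.Installer.x64.exe</Location>
</GUP>
'@

# Rejected at the allowlist step, so nothing is downloaded, let alone run.
Invoke-VerifiedUpdate -ManifestXml $hijacked -ExpectedSubject 'CN=Placeholder Publisher'
```

As v8.8.8 showed, restricting download locations is not enough on its own: the signature check has to run on the downloaded file itself, after the download and before `Start-Process`, or a swapped binary still executes. For production use, replace the placeholder subject with the real signer subject, or pin the certificate thumbprint instead.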
Affected Versions
| Version | Status | Notes |
|---|---|---|
| < v8.8.7 | Vulnerable | Self-signed certificate, no proper verification |
| v8.8.7 | Vulnerable | GlobalSign cert added, but no installer verification |
| v8.8.8 | Vulnerable | Downloads from GitHub only, still no verification |
| v8.8.9+ | Fixed | Certificate and signature verification enforced |
| v8.9.1 | Current | Recommended (self-signed cert removed in v8.9) |
Threat Status
Exploitation Activity: Confirmed active exploitation from June through December 2, 2025. Kevin Beaumont reported hearing from “3 orgs now who’ve had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access.” Victims were telecommunications and financial services organizations in East Asia with “hands on keyboard” threat actor activity observed.
PoC Availability: Not applicable. This was an infrastructure-level attack requiring privileged access to hosting infrastructure, not a reproducible software exploit.
Attribution: Kevin Beaumont attributed the campaign to Zirconium (aka Violet Typhoon), a Chinese state-sponsored threat actor. The official Notepad++ disclosure states “multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group” without naming a specific group. This attribution should be treated as assessed with moderate confidence.
Why This Matters
Notepad++ is one of the most widely deployed text editors globally, particularly among developers and IT professionals. Its widespread use in enterprise environments made the update mechanism a high-value target for intelligence collection operations.
The six-month dwell time demonstrates the stealth of this operation. Targeted users who updated during this period had no indication anything was wrong: the update process looked exactly as it always does. The selective targeting pattern suggests espionage rather than financial motivation, with attackers specifically pursuing telecommunications and financial services organizations in East Asia.
This incident follows similar supply chain patterns seen in SolarWinds (2020), ASUS ShadowHammer (2019), and CCleaner (2017), highlighting the persistent risk of software update mechanisms as attack vectors.
Remediation
Primary Action: Update to Notepad++ v8.9.1 immediately via manual download from the official website or GitHub releases, and confirm that the downloaded installer carries a valid Authenticode signature (the GlobalSign certificate introduced in v8.8.7) before running it.
| Situation | Action |
|---|---|
| Running version < v8.8.9 | Update to v8.9.1 via manual download |
| Updated during June–December 2025 | Audit system for compromise indicators, then update |
| Previously installed self-signed cert | Remove old Notepad++ root certificate from certificate store |
| Enterprise deployment | Consider centralized package management; block gup.exe network access |
Interim Mitigations (if immediate patching not possible):
- Block WinGUp (gup.exe) network access at firewall level
- Disable automatic updates in Notepad++ settings
- Monitor for gup.exe connecting to domains other than notepad-plus-plus.org, github.com, or release-assets.githubusercontent.com
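An added triage script, not tooling from the advisory or the Notepad++ project, that covers the remediation table and the interim mitigations above on one Windows host: it enumerates Notepad++ installs from the uninstall registry keys and flags those below v8.8.9, adds an outbound firewall block for gup.exe on vulnerable installs, and locates the old self-signed root certificate for removal. Three details are assumptions to verify against a known-good install before relying on the script: the uninstall entry’s DisplayName starts with “Notepad++”, the updater lives at `<InstallLocation>\updater\GUP.exe`, and the old root certificate has “Notepad++” in its subject. Run it elevated.

```powershell
# Added example, not the project's own tooling. Assumptions (check against a known-good
# install): DisplayName starts with "Notepad++", the updater is <InstallLocation>\updater\GUP.exe,
# and the old self-signed root certificate has "Notepad++" in its subject. Run elevated.

$FixedVersion = [version]'8.8.9'
$RuleName     = 'Block Notepad++ WinGUp (gup.exe) outbound'

function Get-NotepadPlusPlusInstall {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Notepad++*' -and $_.DisplayVersion } |
        ForEach-Object {
            # Keep only the leading dotted number so "8.8.9 (x64)"-style strings still parse.
            $ver = [version]($_.DisplayVersion -replace '[^0-9.].*$', '')
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                Version         = $ver
                InstallLocation = $_.InstallLocation
                Vulnerable      = ($ver -lt $FixedVersion)
            }
        }
}

function Block-GupOutbound {
    param([string]$InstallLocation)
    if (-not $InstallLocation) { Write-Warning 'InstallLocation not recorded; locate GUP.exe manually'; return }
    $gup = Join-Path $InstallLocation 'updater\GUP.exe'
    if (-not (Test-Path -Path $gup)) { Write-Warning "Updater not found at $gup"; return }
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Program $gup `
            -Action Block -Profile Any | Out-Null
    }
    Write-Host "Outbound traffic from $gup is blocked by rule '$RuleName'"
}

function Get-OldNotepadPlusPlusRootCert {
    param([switch]$Remove)   # report only unless -Remove is given
    $certs = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Subject -like '*Notepad++*' }
    foreach ($c in $certs) {
        Write-Host "Root store entry: $($c.Subject) [$($c.Thumbprint)]"
        if ($Remove) { Remove-Item -Path $c.PSPath -Force }
    }
    return $certs
}

$installs = @(Get-NotepadPlusPlusInstall)
if (-not $installs) { Write-Host 'Notepad++ not found in the uninstall registry keys.' }
$installs | Format-Table -AutoSize
foreach ($i in $installs | Where-Object { $_.Vulnerable }) {
    # Interim mitigation until the host is on v8.8.9 or later (v8.9.1 recommended).
    Block-GupOutbound -InstallLocation $i.InstallLocation
}
Get-OldNotepadPlusPlusRootCert   # add -Remove once the subject match is confirmed
```

The firewall rule is keyed on the executable path, so a portable or per-user copy of Notepad++ elsewhere on disk is not covered; run the inventory from your endpoint management tool across the fleet rather than trusting one host’s registry. The certificate function reports by default and deletes only with `-Remove`, because the subject match is an assumption rather than a documented value.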
Post-Compromise Considerations
If your organization used Notepad++ with automatic updates enabled between June and December 2025:
- Review endpoint logs for gup.exe spawning unexpected child processes
- Check for AutoUpdater.exe or update.exe in %TEMP%
- Look for evidence of reconnaissance commands redirected to a.txt: `cmd /c netstat -ano >> a.txt`, `systeminfo >> a.txt`, `tasklist >> a.txt`, `whoami >> a.txt`
- Review outbound connections to temp.sh or similar file-sharing services
Detection Guidance
Host-level indicators:
- gup.exe spawning any process other than explorer.exe or an npp*-named installer
- Files named AutoUpdater.exe or update.exe in %TEMP% (Notepad++ does not use these names)
- Evidence of reconnaissance commands saving output to a.txt
- Execution of curl.exe from Notepad++ related processes
Network-level indicators:
- gup.exe connecting to domains other than notepad-plus-plus.org, github.com, or release-assets.githubusercontent.com
- Outbound connections to temp.sh (IP: 51.91.79.17) or similar anonymous file-sharing services
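An added hunting script, not from the advisory, that turns the post-compromise checks and the host- and network-level indicators above into code: it flags gup.exe children outside the expected set, reconnaissance commands redirected into a.txt, gup.exe connections to hosts outside the allowlist, and the AutoUpdater.exe / update.exe / a.txt artifacts in per-user temp folders. The filtering logic runs first over constructed sample records (invented for the demonstration, not real telemetry) and then, where the log exists, over live Sysmon events from the start of the compromise window. Assumptions: Sysmon is installed with process-creation (event ID 1) and network-connection (event ID 3) logging, and user profiles live under `C:\Users`.

```powershell
# Added example (not from the advisory). Assumptions: Sysmon with event ID 1 and 3 logging,
# user profiles under C:\Users. The $sample records are constructed, not real telemetry.

$AllowedGupHosts = @('notepad-plus-plus.org', 'github.com', 'release-assets.githubusercontent.com')
$WindowStart     = Get-Date '2025-06-01'
$SysmonLog       = 'Microsoft-Windows-Sysmon/Operational'

function ConvertFrom-SysmonEvent {
    # Flatten the EventData <Data Name="..."> elements into one object with named properties.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{ Id = $Event.Id; Time = $Event.TimeCreated }
    $x = [xml]$Event.ToXml()
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

function Test-SuspiciousGupChild {
    param($Rec)   # uses ParentImage, Image
    if (-not $Rec.Image -or $Rec.ParentImage -notmatch '\\gup\.exe$') { return $false }
    $child = Split-Path -Path $Rec.Image -Leaf
    # explorer.exe and the npp*-named installers are the only expected children of gup.exe
    return -not ($child -ieq 'explorer.exe' -or $child -like 'npp*')
}

function Test-ReconCommand {
    param($Rec)   # uses CommandLine
    return [bool]($Rec.CommandLine -match '(?i)\b(netstat|systeminfo|tasklist|whoami)\b.*>>\s*a\.txt')
}

function Test-SuspiciousGupConnection {
    param($Rec)   # uses Image, DestinationHostname
    if ($Rec.Image -notmatch '\\gup\.exe$') { return $false }
    $dest = "$($Rec.DestinationHostname)".ToLowerInvariant()
    foreach ($a in $AllowedGupHosts) {
        if ($dest -eq $a -or $dest.EndsWith(".$a")) { return $false }
    }
    return $true   # also catches connections with no resolvable hostname at all
}

function Test-SuspiciousRecord {
    param($Rec)
    switch ($Rec.Id) {
        1       { return (Test-SuspiciousGupChild $Rec) -or (Test-ReconCommand $Rec) }
        3       { return Test-SuspiciousGupConnection $Rec }
        default { return $false }
    }
}

function Get-SuspiciousTempArtifacts {
    # Notepad++ does not use these names; a.txt is where the observed recon output was collected.
    Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -Path $_.FullName -File -ErrorAction SilentlyContinue } |
        Where-Object { $_.Name -in 'AutoUpdater.exe', 'update.exe', 'a.txt' }
}

# Constructed records (not real telemetry) covering the documented indicators.
$sample = @(
    [pscustomobject]@{ Id = 1; ParentImage = 'C:\Program Files\Notepad++\updater\gup.exe'
                       Image = 'C:\Users\u\AppData\Local\Temp\npp.8.8.8.Installer.x64.exe'; CommandLine = '' }
    [pscustomobject]@{ Id = 1; ParentImage = 'C:\Program Files\Notepad++\updater\gup.exe'
                       Image = 'C:\Users\u\AppData\Local\Temp\AutoUpdater.exe'; CommandLine = 'AutoUpdater.exe' }
    [pscustomobject]@{ Id = 1; ParentImage = 'C:\Windows\System32\cmd.exe'
                       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd /c netstat -ano >> a.txt' }
    [pscustomobject]@{ Id = 3; Image = 'C:\Program Files\Notepad++\updater\gup.exe'
                       DestinationHostname = 'release-assets.githubusercontent.com'; DestinationIp = '' }
    [pscustomobject]@{ Id = 3; Image = 'C:\Program Files\Notepad++\updater\gup.exe'
                       DestinationHostname = 'temp.sh'; DestinationIp = '51.91.79.17' }
)

# Three of the five sample records should be flagged: the AutoUpdater.exe child, the
# netstat >> a.txt command, and the temp.sh connection.
$sample | Where-Object { Test-SuspiciousRecord $_ } |
    Format-Table Id, Image, CommandLine, DestinationHostname -AutoSize

# Same logic over live Sysmon telemetry from the start of the compromise window.
if (Get-WinEvent -ListLog $SysmonLog -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1, 3; StartTime = $WindowStart } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent -Event $_ } |
        Where-Object { Test-SuspiciousRecord $_ } |
        Format-Table Time, Id, Image, CommandLine, DestinationHostname -AutoSize
}
Get-SuspiciousTempArtifacts | Select-Object FullName, LastWriteTime, Length
```

The network test treats a gup.exe connection with no resolvable hostname as suspicious rather than silently allowing it, so expect some noise from hosts where Sysmon’s DNS lookup is disabled; correlate those hits by destination IP (the page lists 51.91.79.17 for temp.sh). Without Sysmon, the same process-creation logic can be fed from Security event 4688 if command-line auditing is enabled, but the network indicators then need proxy or firewall logs instead.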
How Can Orca Help?
The challenge for security teams isn’t awareness — it’s visibility and prioritization. Which cloud assets are actually running vulnerable Notepad++ versions? Which systems were active during the compromise window? And which of those assets are truly business-critical?
The Orca Cloud Security Platform helps customers identify assets running affected Notepad++ versions across their cloud environments and understand exposure context, including whether systems may have been active during the compromise window and the criticality of each asset. The News Item view highlights impacted assets directly, enabling security teams to prioritize investigation and remediation based on real risk rather than treating every vulnerable installation as equally urgent.