Securing Systems Following the Notepad++ Update Server Hijacking
If you’ve clicked "Update" on Notepad++ in the last 48 hours, your system might already be compromised. What started as a standard software maintenance task has spiraled into a high-stakes supply chain attack. Threat actors successfully hijacked the application's automatic update server, weaponizing the trust of millions of developers to deliver malicious payloads instead of code fixes.
This breach, tracked under CVE-2025-49144 and CVE-2025-56383, provides a backdoor for remote code execution and privilege escalation. The community first flagged the anomaly on GitHub after users noticed the updater fetching files from suspicious domains. While the developer, Don Ho, moved quickly to pivot infrastructure to GitHub, the damage to the legacy update chain is done. If you have Notepad++ installed, you need to manually intervene. Now.
The vulnerability targets WinGUP (GUP), the updater component. In versions prior to 8.8.9, the updater relies on a vulnerable XML file to determine where to fetch software updates. Attackers intercepted this traffic, swapping the legitimate "Location" property with a URL pointing to their own malicious servers. To fix this, you must bypass the software’s internal logic and perform a manual transition to version 8.8.9.
Immediate Manual Remediation and Installation
Step 1: Secure Manual Download
notepad-plus-plus.org. Avoid third-party mirror sites and stay away from search engine ads; attackers are currently bidding on keywords to catch users looking for a fix. Download the installer for version 8.8.9 or later. This version hard-codes the update URL to GitHub’s infrastructure, effectively killing the redirection vector.WARNING: If you see an update prompt while browsing the official site that looks like a "browser update," close it immediately. This is a common social engineering tactic used alongside the server breach.
Step 2: Don't skip the signature check—here's why.
Step 3: Remove the Legacy Root Certificate
In 2025, some temporary "fixes" suggested users manually install a custom Notepad++ root certificate. This was a mistake. It’s now an unnecessary security risk.
-
Open Windows Certificate Manager (
certmgr.msc). -
Search for any Notepad++-specific root certificates you manually added.
-
Delete them.
Version 8.8.9 uses standard, secure certificate chains. Custom certificates only broaden your attack surface.
Post-Update System Auditing
An update is not a clean slate. If you were compromised before the patch, the malware is already there. You must audit your system for indicators of compromise (IoCs).
Auditing the Updater Component
gup.exe in the installation directory. Under normal operation, it should only talk to notepad-plus-plus.org or github.com.PRO-TIP: Use PowerShell or your firewall logs to check for recent connections. Ifgup.exehas connected to any unfamiliar IP addresses in the last 72 hours, assume the system is tainted.
Cleaning Temporary Directories
%TEMP% before running them. Look for update.exe or AutoUpdater.exe. If these files exist and were modified by gup.exe, they are highly suspicious. Specifically, keep an eye out for curl.exe calling out to temp.sh. This is a signature of the reconnaissance script currently being used in this campaign to exfiltrate system metadata.Inspecting for Proxy DLLs
plugins directory. Attackers are using "DLL side-loading" to stay hidden. They drop a malicious DLL that shares a name with a legitimate plugin. The application loads it, and the malware runs in the background while the text editor appears to work perfectly. If you see a DLL you didn’t install, or if a file date looks out of place, flag it.Hardening the Environment for Enterprise Use
Manual fixes don't scale. If you're managing a fleet of machines, you need structural changes to prevent the next supply chain incident from gaining a foothold.
Restricting Plugin Folder Permissions
C:\Program Files\Notepad++\plugins\ so that only Administrators and SYSTEM have write permissions. This stops a standard user-context process from being used to drop malicious DLLs.Implementing Application Control
notepad++.exe to load DLLs signed by the verified vendor. This effectively kills the proxy DLL attack vector—if the library isn't signed by GlobalSign, the system won't load it.Centralizing Updates and Blocking GUP
NOUPDATER=1 flag. Use Group Policy to block gup.exe from accessing the internet entirely. Push verified, hash-checked updates through SCCM or Intune. This moves the "trust" from a public server to your internal vetting process.The Bottom Line
Trust is a vulnerability. The Notepad++ breach proves that even the most ubiquitous tools can be turned against us. Moving forward, the "passive trust" model of automatic updates is no longer viable for high-security environments. By manually jumping to version 8.8.9, aggressively verifying signatures, and locking down the plugins folder, you aren't just fixing a bug—you're hardening your workflow against the next inevitable hijacking attempt. Verify everything. Trust nothing.