Independent researcher Kevin Beaumont says three organizations with East Asia ties reported incidents in which attackers gained hands‑on‑keyboard access by exploiting the Notepad++ updater. The updater (GUP/WinGUP) contacts notepad-plus-plus.org, downloads the file that gup.xml points it to, and executes it from %TEMP%; an attacker able to intercept that traffic, for example through ISP‑level TLS interception, could redirect the download to a malicious payload. Beaumont's December theory was later supported by Notepad++'s own advisory. #NotepadPlusPlus #GUP
Keypoints
- Three organizations with East Asia interests reported hands‑on‑keyboard intrusions linked to devices running Notepad++.
- The Notepad++ updater (GUP/WinGUP) reports its version to notepad-plus-plus.org, downloads the file that gup.xml points it to, and executes it from %TEMP%.
- An attacker who can intercept or tamper with updater traffic (e.g., via ISP‑level TLS interception) can redirect that download to a malicious payload, which the updater then runs.
- Earlier releases fetched over HTTP or signed with a certificate chaining to a self‑signed root, so a tampered download was validated far more weakly than it is under a GlobalSign‑issued certificate.
- Kevin Beaumont published a working theory in December that was later corroborated by Notepad++'s advisory, issued after the 8.8.8 update.
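Because the update path described above always ends with gup.exe launching something out of %TEMP%, a defender can baseline that behaviour and alert when the launched binary is unsigned or signed by someone other than the expected publisher. The following is an added example of that triage logic, not code from Notepad++, WinGUP or Kevin Beaumont. It assumes a Sysmon‑like process‑creation record that has been enriched with Authenticode fields (`signature_status`, `signer`), and it assumes the genuine installer's signer subject contains the string "Notepad++"; both the schema and the sample events are constructed for this example.

```python
"""Flag executables launched by the Notepad++ updater (gup.exe) from %TEMP%.

Added example; not code from Notepad++/WinGUP. The event schema is a
constructed, Sysmon-like process-creation record enriched with Authenticode
data (assumption: your pipeline adds `signature_status` and `signer`).
"""
import ntpath
from typing import Iterable, List, Optional

UPDATER_IMAGE = "gup.exe"                 # WinGUP updater binary (from the page)
EXPECTED_SIGNER_SUBSTRING = "notepad++"   # assumption: signer subject of a genuine installer


def is_temp_path(path: str) -> bool:
    """Heuristic: any path with a `\\Temp\\` component (user or system temp)."""
    norm = path.replace("/", "\\").lower()
    return "\\temp\\" in norm


def parent_is_updater(event: dict) -> bool:
    """True when the process was spawned by gup.exe, wherever it lives on disk."""
    return ntpath.basename(event.get("parent_image", "")).lower() == UPDATER_IMAGE


def triage(event: dict) -> Optional[dict]:
    """Return an alert dict for updater-spawned binaries in %TEMP%, else None.

    A valid signature from the expected signer is recorded at 'info' severity
    (it is the normal update path); anything else is 'high'.
    """
    if not parent_is_updater(event) or not is_temp_path(event["image"]):
        return None
    status = event.get("signature_status", "Unsigned")
    signer = event.get("signer", "")
    reasons: List[str] = []
    if status != "Valid":
        reasons.append(f"signature status {status}")
    if EXPECTED_SIGNER_SUBSTRING not in signer.lower():
        reasons.append(f"unexpected signer {signer!r}")
    return {
        "image": event["image"],
        "severity": "high" if reasons else "info",
        "reasons": reasons or ["expected signer, valid signature"],
    }


def scan(events: Iterable[dict]) -> List[dict]:
    """Run triage over a stream of process-creation events, keeping only hits."""
    return [alert for alert in (triage(e) for e in events) if alert is not None]


# Constructed sample events (assumption: this is what an enriched feed looks like).
SAMPLE_EVENTS = [
    {   # normal update: updater runs a validly signed installer from %TEMP%
        "parent_image": r"C:\Program Files\Notepad++\updater\gup.exe",
        "image": r"C:\Users\alice\AppData\Local\Temp\npp-update.exe",
        "signature_status": "Valid", "signer": "Notepad++",
    },
    {   # redirected download: unsigned payload dropped and executed
        "parent_image": r"C:\Program Files\Notepad++\updater\gup.exe",
        "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
        "signature_status": "Unsigned", "signer": "",
    },
    {   # redirected download: signed, but by the wrong publisher
        "parent_image": r"C:\Program Files\Notepad++\updater\gup.exe",
        "image": r"C:\Windows\Temp\setup.exe",
        "signature_status": "Valid", "signer": "Contoso Ltd",
    },
    {   # unrelated: explorer launching something from %TEMP%
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
        "signature_status": "Unsigned", "signer": "",
    },
    {   # updater launching the editor itself, not from %TEMP%
        "parent_image": r"C:\Program Files\Notepad++\updater\gup.exe",
        "image": r"C:\Program Files\Notepad++\notepad++.exe",
        "signature_status": "Valid", "signer": "Notepad++",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["image"], "-", "; ".join(alert["reasons"]))
```

Run it as a script to see the three hits (one informational baseline entry and two high‑severity alerts). In production, feed it process‑creation events enriched with signature data rather than the embedded samples, and treat a "Valid" status with caution on hosts where a non‑standard root may have been installed, since a self‑signed root trusted by the machine will also validate.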