Notepad++ supply chain attack breakdown

169 points - yesterday at 10:35 PM

Comments

Soerensen yesterday at 11:45 PM
The WinGUp updater compromise is a textbook example of why update mechanisms are such high-value targets. Attackers get code execution on machines that specifically trust the update channel.

What's concerning is the 6-month window. Supply chain attacks are difficult to detect because the malicious code runs with full user permissions from a "trusted" source. Most endpoint protection isn't designed to flag software from a legitimate publisher's update infrastructure.

For organizations, this argues for staged rollouts and network monitoring for unexpected outbound connections from common applications. For individuals, package managers with cryptographic verification at least add another barrier - though obviously not bulletproof either.

ashishb yesterday at 11:29 PM
I am running a lot of tools inside a sandbox now for exactly this reason. The damage is confined to the directory I'm running that tool in.

There is no reason for a tool to implicitly access my mounted cloud drive directory and browser cookies data.

indigodaddy today at 1:02 AM
So if one were theoretically infected right now, would a Malwarebytes scan indicate as such?

nightshift1 today at 1:21 AM

Someone1234 yesterday at 11:40 PM
I'm out of the loop: How did they bypass Notepad++'s digital signatures? I just downloaded it to double-check, and the installer is signed with a valid code-signing certificate.

yodon today at 12:52 AM
Is there a "detect infection and clean it up" app from a reputable source yet (beyond the "version 8.8.8 is bad" designator)?

troad yesterday at 11:25 PM
It now seems to be best practice to simultaneously keep things updated (to avoid newly discovered vulnerabilities), but also not update them too much (to avoid supply chain attacks). Honestly not sure how I'm meant to action those at the same time.

Willish42 yesterday at 11:31 PM
> cmd /c "whoami&&tasklist&&systeminfo&&netstat -ano" > a.txt

Naive question, but isn't this relatively safe information to expose for this level of attack? I guess the idea is to find systems vulnerable to 0-day exploits and similar based on this info? Still, that seems like a lot of effort just to get this data.
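
As an added example (not from the linked article or from any commenter), the following Python shows how a defender would detect a discovery chain like the one quoted above in process-creation telemetry: it counts distinct discovery commands chained in one cmd.exe invocation and separately flags a shell spawned by a process that should never spawn one. The sample events and the parent-process list are constructed for illustration.

```python
import re

# Discovery commands attackers chain in one shell call; the thread quotes "whoami&&tasklist&&systeminfo&&netstat -ano".
DISCOVERY_CMDS = {"whoami", "tasklist", "systeminfo", "netstat", "ipconfig", "net", "nltest"}
# Constructed assumption: processes that have no business spawning a shell.
UNEXPECTED_SHELL_PARENTS = {"gup.exe", "notepad++.exe"}

# Constructed sample process-creation records: (parent image, child image, command line).
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Notepad++\\updater\\gup.exe", "C:\\Windows\\System32\\cmd.exe",
     'cmd /c "whoami&&tasklist&&systeminfo&&netstat -ano" > a.txt'),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe", 'cmd /c "dir && whoami"'),
    ("C:\\Windows\\explorer.exe", "C:\\Program Files\\Notepad++\\notepad++.exe", "notepad++.exe notes.txt"),
]

def first_command(segment):
    """Program name a cmd.exe segment invokes (lowercase, without .exe), or None."""
    for token in (t.strip('"') for t in segment.split()):
        low = token.lower()
        if not low or low in ("cmd", "cmd.exe") or low.startswith("/"):
            continue  # skip the cmd wrapper and its switches such as /c
        return low.removesuffix(".exe")
    return None

def discovery_commands(cmdline):
    """Set of discovery commands chained in one command line via &&, &, ||, or |."""
    segments = re.split(r"&&|\|\||[&|]", cmdline)
    return {c for c in map(first_command, segments) if c in DISCOVERY_CMDS}

def flag_events(events, threshold=3):
    """Return (cmdline, reasons) for every event that trips at least one rule."""
    alerts = []
    for parent, child, cmdline in events:
        reasons = []
        found = discovery_commands(cmdline)
        if len(found) >= threshold:
            reasons.append(f"{len(found)} discovery commands chained: {sorted(found)}")
        parent_name = parent.lower().rsplit("\\", 1)[-1]
        if child.lower().endswith("cmd.exe") and parent_name in UNEXPECTED_SHELL_PARENTS:
            reasons.append(f"shell spawned by {parent}")
        if reasons:
            alerts.append((cmdline, reasons))
    return alerts

if __name__ == "__main__":
    for cmdline, reasons in flag_events(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```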

Erlangen today at 12:06 AM
> Notably, the first scan of this URL on the VirusTotal platform occurred in late September, by a user from Taiwan.

Could this be the attacker? The scan happened before the hack was first exposed on the forum.

porise yesterday at 11:38 PM
I guess package managers win in the end. I got two emails from my IT department in the last year telling me to immediately update it.

tonymet yesterday at 11:42 PM
I noticed I had version 8.9 on Dec 28, 2025 and it seems clean according to

https://arstechnica.com/security/2026/02/notepad-updater-was...

I recommend removing Notepad++ and installing via winget, which installs the EXE directly without the WinGUp updater service.

Here's an AI summary explaining who is affected.

Affected Versions: All versions of Notepad++ released prior to version 8.8.9 are considered potentially affected if an update was initiated during the compromise window.

Compromise Window: Between June 2025 and December 2, 2025.

Specific Risk: Users running older versions that utilized the WinGUp update tool were vulnerable to being redirected to malicious servers. These servers delivered trojanized installers containing a custom backdoor dubbed Chrysalis.

bluenose69 yesterday at 11:29 PM
The article starts out by saying that Notepad++ "is a text editor popular among developers". Really?