TL;DR: State-sponsored attackers compromised Notepad++ hosting for six months and used the WinGUp updater to selectively deliver malicious executables, according to Orca Security. The incident shows that update trust collapses when infrastructure control and binary verification are both weak, making supply chain identity and integrity checks operationally mandatory.
NHIMG editorial — based on content published by Orca Security: the Notepad++ update compromise and WinGUp attack analysis
Questions worth separating out
Q: What breaks when software update channels are hijacked?
A: The trust model breaks before the endpoint does.
Q: Why do trusted update mechanisms create such a large security risk?
A: Because they combine privilege, repeatability, and user trust.
Q: How can security teams detect malicious update redirection in practice?
A: Look for updater processes connecting to unexpected domains, spawning unusual child processes, or retrieving installers that do not match the normal distribution pattern.
Practitioner guidance
- Audit affected-version exposure across endpoints: Identify every Notepad++ installation older than v8.8.9, then isolate systems that checked for updates during the June to December 2025 compromise window.
- Block untrusted updater network paths: Restrict gup.exe from reaching any destination other than the expected update and release endpoints, and flag unexpected child processes spawned during update checks.
- Enforce installer authenticity verification: Require certificate and signature validation before any downloaded installer is executed, and do not rely on transport security alone.
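The detection question above (updater processes reaching unexpected domains or spawning unusual children) and the first two guidance items (version exposure within the compromise window, restricting gup.exe to expected endpoints) can be exercised together on endpoint telemetry. The script below is an added example, not Orca Security's or the Notepad++ project's code. Its JSON-lines event format, the allowlist of update hosts, and the assumed installer naming pattern are all assumptions made for the example; the sample events are constructed.

```python
"""Triage of Notepad++ updater telemetry.

Constructed example, not Orca Security's or Notepad++'s code. Assumptions
(none come from the post): events are JSON lines with fields ts, host, event,
process and, per event type, version / dest / child; gup.exe is expected to
reach only the hosts in EXPECTED_UPDATE_HOSTS; and a genuine update run spawns
only an installer named like npp.<version>.Installer[.x64].exe.
"""
import json
from datetime import datetime, timezone

FIXED_VERSION = (8, 8, 9)                     # installs older than v8.8.9 are exposed
# Assumed allowlist of destinations the updater is expected to contact.
EXPECTED_UPDATE_HOSTS = {
    "notepad-plus-plus.org",
    "github.com",
    "objects.githubusercontent.com",
}
# Compromise window stated in the post (June to December 2025).
WINDOW_START = datetime(2025, 6, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample telemetry: one host that updated during the window from an
# exposed version and behaved abnormally, one that updated later and normally.
SAMPLE_EVENTS = """
{"ts":"2025-07-14T09:12:03Z","host":"ws-017","event":"update_check","process":"gup.exe","version":"v8.8.7"}
{"ts":"2025-07-14T09:12:04Z","host":"ws-017","event":"network","process":"gup.exe","dest":"notepad-plus-plus.org"}
{"ts":"2025-07-14T09:12:09Z","host":"ws-017","event":"network","process":"gup.exe","dest":"updates.example-cdn.invalid"}
{"ts":"2025-07-14T09:12:15Z","host":"ws-017","event":"process_create","process":"gup.exe","child":"cmd.exe"}
{"ts":"2026-01-20T11:00:00Z","host":"ws-042","event":"update_check","process":"gup.exe","version":"v8.9.1"}
{"ts":"2026-01-20T11:00:01Z","host":"ws-042","event":"network","process":"gup.exe","dest":"github.com"}
{"ts":"2026-01-20T11:00:05Z","host":"ws-042","event":"process_create","process":"gup.exe","child":"npp.8.9.1.Installer.x64.exe"}
"""


def parse_version(text):
    """'v8.8.7' or '8.8.7' -> (8, 8, 7); tuples compare numerically."""
    return tuple(int(part) for part in text.lstrip("vV").split("."))


def parse_ts(text):
    """ISO-8601 timestamp with trailing Z -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def expected_installer(name):
    """Assumed naming of a genuine installer: npp.<ver>.Installer[.x64].exe."""
    lowered = name.lower()
    return lowered.startswith("npp.") and ".installer" in lowered and lowered.endswith(".exe")


def triage(lines):
    """Return one finding per updater event that breaks the expected pattern."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("process", "").lower() != "gup.exe":
            continue                          # only the updater is in scope here
        kind = ev["event"]
        if kind == "update_check":
            # Exposed version that checked for updates inside the compromise window.
            in_window = WINDOW_START <= parse_ts(ev["ts"]) <= WINDOW_END
            if parse_version(ev["version"]) < FIXED_VERSION and in_window:
                findings.append({"host": ev["host"], "rule": "exposed-version-in-window",
                                 "detail": ev["version"]})
        elif kind == "network" and ev["dest"].lower() not in EXPECTED_UPDATE_HOSTS:
            findings.append({"host": ev["host"], "rule": "unexpected-destination",
                             "detail": ev["dest"]})
        elif kind == "process_create" and not expected_installer(ev["child"]):
            findings.append({"host": ev["host"], "rule": "unexpected-child-process",
                             "detail": ev["child"]})
    return findings


def hosts_to_isolate(findings):
    """Distinct hosts with at least one finding, i.e. candidates for isolation."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS.splitlines())
    for f in results:
        print(f"{f['host']}: {f['rule']} ({f['detail']})")
    print("isolate:", hosts_to_isolate(results))
```

Run against real EDR or Sysmon exports, only the field mapping and the allowlist need changing; the three rules stay the same. Note that the destination rule uses hostnames, so it assumes the telemetry already resolves or logs the host the updater contacted.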
What's in the full article
Orca Security's full analysis covers the operational detail this post intentionally leaves for the source:
- Exact affected version breakdown from v8.8.7 through v8.9.1 and the corresponding trust changes
- Host and network detection guidance for gup.exe, AutoUpdater.exe, and update.exe artefacts
- Post-compromise log review steps for reconnaissance commands and suspicious outbound destinations
- Interim mitigation options for organisations that cannot patch immediately
Read Orca Security's analysis of the Notepad++ update compromise.