Overview
- Developers confirmed that WinGUp (the Notepad++ updater, gup.exe) update traffic was occasionally redirected to attacker-controlled servers, so some Windows PCs downloaded and ran malicious executables in place of the genuine update.
- Version 8.8.9 enforces code-signature and certificate checks for installers, building on 8.8.8’s shift to serve updates exclusively from GitHub.
- Users are instructed to download and install 8.8.9 directly, as the in-app updater and winget may not yet provide the hardened release.
- Researcher Kevin Beaumont published IOCs, including gup.exe contacting domains other than notepad-plus-plus.org, github.com or release-assets.githubusercontent.com, and unexpected TEMP files named update.exe or AutoUpdater.exe.
- Investigations are ongoing, with reports of at least three organizations with South Asia links being targeted and guidance to run updated antivirus scans.
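The IOCs above translate directly into two hunt rules: gup.exe reaching any host outside the expected update domains, and update.exe or AutoUpdater.exe appearing in a TEMP directory. The following Python is an added example written for this page, not code from Notepad++ or from Kevin Beaumont's write-up. It assumes host telemetry (for instance Sysmon network-connection and file-create events, or an EDR export) has already been parsed into the simple dict records shown; the field names (`type`, `image`, `dest_host`, `target`) and all sample records are constructed for the example. Matching subdomains of the allow-listed hosts is a design choice here, not something the page states; switch to exact matching if you want the strictest reading of the IOC.

```python
"""Hunt for the published WinGUp indicators in parsed host telemetry.

Added example. Record format, field names and sample data are assumptions
made for illustration, not an interface of any real product.
"""
from urllib.parse import urlsplit

# Hosts the updater is expected to contact (from the published IOC list).
ALLOWED_HOSTS = {
    "notepad-plus-plus.org",
    "github.com",
    "release-assets.githubusercontent.com",
}

# Dropped-file names named as IOCs; compared case-insensitively.
SUSPECT_TEMP_NAMES = {"update.exe", "autoupdater.exe"}


def host_allowed(host: str) -> bool:
    """True if host is an allow-listed domain or a subdomain of one.

    A bare IP address or an empty hostname is never allowed, so gup.exe
    talking straight to an IP literal is reported as a hit.
    Lookalikes such as github.com.evil.example do not match because the
    suffix test requires a leading dot before the allow-listed name.
    """
    h = host.lower().rstrip(".")
    return any(h == a or h.endswith("." + a) for a in ALLOWED_HOSTS)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_temp_path(path: str) -> bool:
    p = path.replace("/", "\\").lower()
    return "\\temp\\" in p or "\\tmp\\" in p


def hunt(records):
    """Return (rule, detail) tuples for every record matching an IOC."""
    findings = []
    for r in records:
        kind = r.get("type")
        image = _basename(r.get("image", ""))
        if kind == "network" and image == "gup.exe":
            host = r.get("dest_host") or urlsplit(r.get("url", "")).hostname or ""
            if not host_allowed(host):
                findings.append(("gup_unexpected_host", host))
        elif kind == "file_create":
            target = r.get("target", "")
            if _basename(target) in SUSPECT_TEMP_NAMES and is_temp_path(target):
                findings.append(("suspect_temp_file", target))
    return findings


# Constructed sample telemetry; hostnames and addresses are placeholders.
SAMPLE_RECORDS = [
    {"type": "network", "image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "dest_host": "notepad-plus-plus.org"},
    {"type": "network", "image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "dest_host": "release-assets.githubusercontent.com"},
    {"type": "network", "image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "dest_host": "updates.example.net"},          # not allow-listed: hit
    {"type": "network", "image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "dest_host": "203.0.113.7"},                   # raw IP (TEST-NET): hit
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "updates.example.net"},          # not gup.exe: out of scope
    {"type": "file_create", "image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\update.exe"},        # hit
    {"type": "file_create", "image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe"},   # hit
    {"type": "file_create", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Program Files\Foo\update.exe"},  # not in TEMP: no hit
]


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_RECORDS):
        print(f"{rule}: {detail}")
```

In practice, feed `hunt()` the parsed Sysmon Event ID 3 (network connection) and Event ID 11 (file create) records for the period in question; the updater's install path varies between per-machine and per-user installs, so the code matches on the image basename rather than the full path. A hit on `gup_unexpected_host` is the stronger signal, since the hardened 8.8.9 updater should have no reason to contact anything outside the listed domains.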