Recent Notepad++ releases address a vulnerability that has allowed threat actors to hijack the free source code editor’s updater. 

Security researcher Kevin Beaumont reported in early December that a handful of organizations using Notepad++ had reported experiencing security incidents involving the code editor.

Beaumont said in an update this week that the attacks appeared to have been carried out by threat actors in China, with the attackers leveraging a Notepad++ vulnerability for initial access to the systems of telecoms and financial services firms in East Asia.

Notepad++ developers seem to have known about issues with the updater since at least mid-November, when version 8.8.8 release notes mentioned a security enhancement designed to prevent the application’s updater from being hijacked.

In a post published this week to announce the release of version 8.8.9, Notepad++ confirmed that traffic from the updater (WinGUp) was in some cases redirected to malicious servers, which resulted in compromised executable files being downloaded to the victim’s system.

Notepad++ developers’ investigation led to the discovery of a flaw in the way the updater validates the authenticity and integrity of update files.