Notepad++ — one of the best open-source text editors for Windows — is a widely used tool among programmers, IT professionals, and developers. The application supports many coding languages and can automate many IT and development-related tasks. Learning to use Notepad++ on Windows is a valuable skill, but it does come with some potential drawbacks.
The tool has support for macros and a robust plugin architecture. With these plugins, you can add various new features to Notepad++ to help users complete projects. However, discussions about these plugins are circulating, with some Windows users reporting that using them makes it easier for cybercriminals to infiltrate systems.
Is this true? How can users protect themselves while still getting the most out of Notepad++ and its plugins?
In simple terms, Notepad++ plugins are software components integrated into Notepad++, which are responsible for adding specific features and functionality to the program. Notepad++ has 10 native plugins but more than 140 compatible plugins developed specifically for it. The original Notepad++ plugin was called “TextFX” and included W3C validation for CSS and HTML, quote handling, character case alteration, and text sorting.
Some of these include:
Users can take advantage of these Notepad++ plugins and others to benefit from more customization options.
As technology evolves and more people spend time online, cybersecurity becomes more of a concern. People now work, attend school and speak with healthcare providers online. For example, U.S. Census Bureau data states had one child participating in online learning in August 2020.
The number of hacks surged after the COVID-19 shutdowns. Because students and employees began working from home — without access to an IT department — many exposed their organizations to breaches. One way was through unverified plugins.
Various recently published articles claim that using Notepad++ plugins can expose users to cybersecurity risks. Since Notepad++ is a widely installed code editor, it's no surprise that cybercriminals will find targets through this potential attack surface.
According to software company Cybereason, attackers can abuse the Notepad++ plugin mechanism to run their own code inside the program. A security researcher who goes by the name RastaMouse demonstrated the vulnerability using an open-source project called Notepad++ Plugin Pack. They found that cybercriminals can build a malicious plugin and use it to mount an advanced persistent threat (APT) attack on a victim’s machine.
APT attacks are prolonged in nature and can persist for long periods without being detected. Some APT groups, such as StrongPity — also known as APT-C-41 or Promethium — have already abused Notepad++ plugins to target victims with malware.
Some locally installed Notepad++ plugins lack verification requirements. According to Cybereason, this makes it easier for threat actors who already hold local administrator privileges to abuse the plugin loading process.
If you use Notepad++ and its plugins, be sure to follow the tips below to protect yourself from a potential APT attack.
Use anti-malware software and consider investing in detection and prevention solutions to maintain strong cybersecurity.
Identify legitimate Notepad++ plugins and exclude them from detection or prevention.
Monitor the network for new files created in the %PROGRAMFILES%\Notepad++\plugins\ directory.
Monitor unusual child processes of Notepad++.
Pay attention to shell product types.
If you think you’ve downloaded a malicious plugin, check for these three files in a folder called “Windows Data”:
npp.8.1.7.Installer.x64.exe: The original Notepad++ installation file, in the C:\Users\Username\AppData\Local\Temp\ folder.
winpickr.exe: A malicious file in the C:\Windows\System32 folder.
ntuis32.exe: A keylogger in the C:\ProgramData\Microsoft\WindowsData folder.
Another way to protect yourself is to understand what indicators of compromise exist for malicious plugins on Notepad++. Here is one:
Npp_Persistence_Plugin.dll - SHA256: 90BC7FA90705148D8FFEEF9C3D55F349611905D3F7A4AD17B956CD7EE7A208AF
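The monitoring tips above (new files in the plugins directory, unusual child processes, the published IoC hash) can be turned into a simple check an administrator runs on a workstation. The script below is an added example, not code from the article or from Cybereason; it assumes Notepad++ is installed under %PROGRAMFILES%, keeps its baseline in a JSON file under %PROGRAMDATA% (a chosen location, not a Notepad++ convention), and uses only the single SHA256 indicator quoted above as its known-bad list.

```powershell
# Added example: inventory Notepad++ plugin DLLs, flag new/changed/unsigned ones,
# match against the known IoC hash, and list child processes of notepad++.
$PluginDir    = Join-Path $env:ProgramFiles 'Notepad++\plugins'
$BaselinePath = Join-Path $env:ProgramData 'npp-plugin-baseline.json'   # assumed path

# Known-bad SHA256 values. Only the indicator published in the article is included.
$KnownBad = @{
    '90BC7FA90705148D8FFEEF9C3D55F349611905D3F7A4AD17B956CD7EE7A208AF' = 'Npp_Persistence_Plugin.dll'
}

# Load the previous inventory (path -> hash) so newly created DLLs stand out.
$Baseline = @{}
if (Test-Path $BaselinePath) {
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $Baseline[$_.Name] = $_.Value }
}

$Findings = @()
$Current  = @{}
Get-ChildItem -Path $PluginDir -Filter '*.dll' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToUpper()
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $Current[$_.FullName] = $hash

    if ($KnownBad.ContainsKey($hash)) {
        $Findings += "KNOWN-BAD $($_.FullName) matches IoC $($KnownBad[$hash])"
    }
    if (-not $Baseline.ContainsKey($_.FullName)) {
        $Findings += "NEW       $($_.FullName) (not in baseline; created $($_.CreationTime))"
    } elseif ($Baseline[$_.FullName] -ne $hash) {
        $Findings += "CHANGED   $($_.FullName) hash differs from baseline"
    }
    # Many community plugins ship unsigned, so treat this as a triage signal and
    # maintain an allowlist of legitimate plugins rather than alerting on it alone.
    if ($sig.Status -ne 'Valid') {
        $Findings += "UNSIGNED  $($_.FullName) signature status: $($sig.Status)"
    }
}

# Notepad++ normally spawns no child processes; list any that exist for review.
$nppPids = @(Get-Process -Name 'notepad++' -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
if ($nppPids.Count -gt 0) {
    Get-CimInstance Win32_Process | Where-Object { $nppPids -contains $_.ParentProcessId } |
        ForEach-Object { $Findings += "CHILD     $($_.Name) (PID $($_.ProcessId)) spawned by notepad++" }
}

# Save the current inventory as the next baseline, then report.
$Current | ConvertTo-Json | Set-Content -Path $BaselinePath
if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings }
```

Run it once to establish the baseline, then on a schedule; the NEW and CHANGED findings are the file-creation monitoring the tips describe, and KNOWN-BAD is the only finding that is a confirmed match on its own.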
Cybercriminals are becoming more sophisticated in their attack methods, and these APT groups have exploited Notepad++ plugins in the past. Users must be careful when downloading any plugins for Notepad++ to avoid becoming the next victim of a malware attack. Consider the tips above to protect yourself if you use Notepad++ and its plugins.