Description
Is there an existing issue for this?
- I have searched the existing issues
Description of the Issue
Dear Notepad++ Developers,
I would like to report that the official Notepad++ release downloaded from the official site https://notepad-plus-plus.org appears to be flagged as malicious by multiple antivirus vendors.
File Information:
- SHA256: 49852273a3e98ad1266a5bb7cd056e1154cc6d14e7c2a6e308ae95f355ca10cf
- Source URL: https://notepad-plus-plus.org/downloads/v8.8.2
- Checked using: sha256sum on Kali Linux
- File name: npp.8.8.2.Installer.x64.exe
VirusTotal Report
https://www.virustotal.com/gui/file/49852273a3e98ad1266a5bb7cd056e1154cc6d14e7c2a6e308ae95f355ca10cf
- Detection Highlights:
  - Cynet: Malicious (score: 99)
  - GData: Win64.Trojan.Agent.WKXD0U
  - Trellix ENS: Artemis!26B9167CC026
  - Fortinet: W32/PossibleThreat
  - MaxSecure: Trojan.Malware.susgen
  - DeepInstinct: MALICIOUS
Please verify the integrity of the file, and if confirmed safe, consider reporting a false positive to antivirus vendors.
Best regards,
Aldrian Firmansyah Putranto
Cyber Threat Hunting
Steps To Reproduce
- Go to https://notepad-plus-plus.org/
- Download the official Notepad++ installer (npp.8.8.2.Installer.x64.exe)
- Run sha256sum on the file to verify its SHA-256 hash
- Result: 49852273a3e98ad1266a5bb7cd056e1154cc6d14e7c2a6e308ae95f355ca10cf
- Upload the hash to https://www.virustotal.com/
- Observe that multiple antivirus vendors detect the file as malicious
Current Behavior
The installer file downloaded from the official Notepad++ website is detected as malware/trojan by multiple antivirus engines on VirusTotal, including Fortinet, Cynet, GData, Trellix, and others.
Expected Behavior
The official Notepad++ installer should not be detected as malicious by any reputable antivirus engine, assuming it is clean and unmodified.
Debug Information
- Operating System used for verification: Kali Linux (latest)
- Tool used: sha256sum, VirusTotal
- SHA-256: 49852273a3e98ad1266a5bb7cd056e1154cc6d14e7c2a6e308ae95f355ca10cf
- VirusTotal link: https://www.virustotal.com/gui/file/49852273a3e98ad1266a5bb7cd056e1154cc6d14e7c2a6e308ae95f355ca10cf
Anything else?
This detection may be due to:
- A possible supply chain compromise
- A malicious file uploaded by a third party
- Or a rare widespread false positive across multiple AV engines
Please investigate this as a high-priority security concern. I am available to provide the sample or any other forensic data needed.
Thank you for your dedication to open-source software and security.
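One way to perform the integrity check the report asks for, before anyone spends time on the individual AV verdicts, is to compare the downloaded file's SHA-256 against the digest published by the vendor. The script below is an added example, not code from the issue or from the Notepad++ project. It assumes `sha256sum` is on the PATH (the same tool the reporter used); the sample file, its "published" digest and the mismatching digest are constructed here so the script runs offline and does not touch the installer or hash from the report.

```shell
# Added example: verify a downloaded file against an expected SHA-256 digest.
# Not part of the issue or the Notepad++ project; assumes sha256sum is installed.
set -u

# verify_sha256 FILE EXPECTED_HASH
# Returns 0 when FILE's SHA-256 equals EXPECTED_HASH (compared case-insensitively),
# 1 otherwise. Both digests are printed so a mismatch can be recorded in a ticket.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" 2>/dev/null | cut -d' ' -f1)
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        printf 'OK   %s  %s\n' "$actual" "$file"
        return 0
    fi
    printf 'FAIL %s  %s (expected %s)\n' "${actual:-<unreadable>}" "$file" "$expected" >&2
    return 1
}

# Constructed sample standing in for the downloaded installer: the bytes "abc",
# whose SHA-256 is the well-known test vector below (this plays the role of the
# digest a vendor would publish next to the download).
SAMPLE_FILE=$(mktemp)
printf 'abc' > "$SAMPLE_FILE"
SAMPLE_GOOD_HASH=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
# Constructed "tampered file" scenario: a placeholder digest that cannot match.
SAMPLE_BAD_HASH=0000000000000000000000000000000000000000000000000000000000000000

# Expected outcome: the first check passes, the second fails and is reported.
verify_sha256 "$SAMPLE_FILE" "$SAMPLE_GOOD_HASH"
verify_sha256 "$SAMPLE_FILE" "$SAMPLE_BAD_HASH" || echo "mismatch: do not run the file, escalate"

rm -f "$SAMPLE_FILE"
```

A matching digest only shows that the file is the one the vendor published; it does not by itself settle whether the verdicts are false positives. A non-matching digest, however, means the file in hand is not the published release and should be treated as the more urgent finding.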