Notepad++ has released a security fix to fill the gap that advanced Chinese threat actors have exploited to hijack software update mechanisms and selectively deliver malware to intended targets.
The version 8.9.2 update incorporates what maintainer Don Ho calls a “double lock” design, which aims to make the update process “robust and virtually unexploitable.” This includes validation of signed installers downloaded from GitHub (implemented since version 8.8.9) and newly added validation of signed XML returned from the notepad-plus-plus update server.[.]organization.
In addition to these enhancements, we have introduced security-focused changes to our automatic updater component, WinGUp.
Removed libcurl.dll to eliminate the risk of DLL sideloading Removed two insecure cURL SSL options: CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE Restricted plugin management to programs signed with the same certificate as WinGUp
This update also addresses a high-severity vulnerability (CVE-2026-25926, CVSS score: 7.3) that could allow arbitrary code execution in the context of a running application.
“An insecure search path vulnerability (CWE-426) exists when Windows Explorer is started without specifying an absolute executable path,” Ho said. “This could allow the execution of a malicious explorer.exe if an attacker can control the process’s working directory. Under certain conditions, this could lead to arbitrary code execution in the context of the running application.”
This development comes weeks after Notepad++ revealed that a breach at the hosting provider level allowed attackers to hijack update traffic starting in June 2025 and redirect requests from certain users to malicious servers to serve harmful updates. This issue was detected in early December 2025.
According to Rapid7 and Kaspersky, the modified update allowed attackers to deliver a previously undocumented backdoor called “Chrysalis.” This supply chain incident, tracked with CVE identifier CVE-2025-15556 (CVSS score: 7.7), is believed to be the work of a Chinese-aligned hacking group called Lotus Panda.
Notepad++ users are advised to update to version 8.9.2 and ensure that the installer is downloaded from the official domain.
Source link
