Notepad++ has released a security fix to plug gaps that were exploited by a sophisticated threat actor from China to hijack the software's update mechanism and selectively deliver malware to targets of interest.
The version 8.9.2 update incorporates what maintainer Don Ho calls a “double lock” design that aims to make the update process “robust and effectively unexploitable.” This includes verification of the signed installer downloaded from GitHub (implemented in version 8.8.9 and later), as well as the newly added verification of the signed XML returned by the update server at notepad-plus-plus[.]org.
In addition to these improvements, security-focused changes have been introduced to WinGUp, the auto-updater component –
- Removal of libcurl.dll to eliminate DLL side-loading risk
- Removal of two insecure cURL SSL options: CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE
- Restriction of plugin management execution to programs signed with the same certificate as WinGUp
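The following is an added illustration of the “double lock” idea described above, not WinGUp's or Notepad++'s own code: the client accepts an update only if the XML manifest from the update server carries a valid signature and the downloaded installer matches the digest that signed manifest pins. The Ed25519 signing scheme, the manifest element names and the sample bytes are assumptions made for the demo; the article does not describe the real signature format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for the update server's XML.
// The element names are assumptions, not WinGUp's real schema.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"url"`
	SHA256  string   `xml:"sha256"`
}

// VerifyUpdate applies both locks. A compromised host or hijacked route can
// serve a different manifest or installer, but cannot forge the maintainer's
// signature, so either substitution is rejected before anything runs.
func VerifyUpdate(pub ed25519.PublicKey, manifestXML, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestXML, sig) { // lock 1: signed XML
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return nil, err
	}
	sum := sha256.Sum256(installer) // lock 2: installer pinned by the manifest
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("installer digest mismatch: refusing update")
	}
	return &m, nil
}

// SignManifest is the maintainer-side step, included only to build the demo.
func SignManifest(priv ed25519.PrivateKey, version, url string, installer []byte) ([]byte, []byte) {
	sum := sha256.Sum256(installer)
	raw, _ := xml.Marshal(Manifest{Version: version, URL: url, SHA256: hex.EncodeToString(sum[:])})
	return raw, ed25519.Sign(priv, raw)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer bytes") // constructed sample
	manifest, sig := SignManifest(priv, "8.9.2", "https://github.example/npp.exe", installer)
	_, err := VerifyUpdate(pub, manifest, sig, installer)
	fmt.Println("genuine update:", err)
	tampered := bytes.Replace(manifest, []byte("github.example"), []byte("other.example"), 1)
	_, err = VerifyUpdate(pub, tampered, sig, installer) // rewritten URL breaks lock 1
	fmt.Println("tampered manifest:", err)
}
```

Rewriting the download URL in the manifest, or swapping the installer bytes, each fails exactly one lock; in the real updater the signature on the installer itself adds a further check beyond the digest shown here.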
The update also addresses a high-severity vulnerability (CVE-2026-25926, CVSS score: 7.3) that could result in arbitrary code execution in the context of the running application.
“An Unsafe Search Path vulnerability (CWE-426) exists when launching Windows Explorer without an absolute executable path,” Ho said. “This may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Under certain circumstances, this could lead to arbitrary code execution in the context of the running application.”
The development comes weeks after Notepad++ disclosed that a breach at the hosting provider level enabled threat actors to hijack update traffic starting June 2025 and redirect requests from certain users to malicious servers to serve a poisoned update. The issue was detected in early December 2025.
According to Rapid7 and Kaspersky, the tampered updates enabled the attackers to deliver a previously undocumented backdoor dubbed Chrysalis. The supply chain incident, tracked under the CVE identifier CVE-2025-15556 (CVSS score: 7.7), has been attributed to a China-nexus hacking group known as Lotus Panda.
The attack is assessed to have targeted individuals and organizations located in Vietnam, El Salvador, Australia, the Philippines, the U.S., South America, and Europe, spanning the cloud hosting, energy, financial, government, manufacturing, and software development sectors, per data from Kaspersky and Palo Alto Networks Unit 42.
Notepad++ users are recommended to update to version 8.9.2 and to ensure that installers are downloaded from the official domain.