Notepad++ has released a security fix to plug gaps that were exploited by an advanced threat actor from China to hijack the software update mechanism to selectively deliver malware to targets of interest.
The version 8.9.2 update incorporates what maintainer Don Ho calls a “double lock” design that aims to make the update process “robust and effectively unexploitable.” This includes verification of the signed installer downloaded from GitHub (implemented in version 8.8.9 and later), as well as the newly added verification of the signed XML returned by the update server at notepad-plus-plus[.]org.
In addition to these enhancements, security-focused changes have been introduced to WinGUp, the auto-updater component –
- Removal of libcurl.dll to eliminate DLL side-loading risk
- Removal of two unsecured cURL SSL options: CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE
- Restriction of plugin management execution to programs signed with the same certificate as WinGUp
The update also addresses a high-severity vulnerability (CVE-2026-25926, CVSS score: 7.3) that could result in arbitrary code execution in the context of the running application.
“An Unsafe Search Path vulnerability (CWE-426) exists when launching Windows Explorer without an absolute executable path,” Ho said. “This may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Under certain conditions, this could lead to arbitrary code execution in the context of the running application.”
The development comes weeks after Notepad++ disclosed that a breach at the hosting provider level enabled threat actors to hijack update traffic starting June 2025 and redirect requests from certain users to malicious servers to serve a poisoned update. The issue was detected in early December 2025.
According to Rapid7 and Kaspersky, the tampered updates enabled the attackers to deliver a previously undocumented backdoor dubbed Chrysalis. The supply chain incident, tracked under the CVE identifier CVE-2025-15556 (CVSS score: 7.7), has been attributed to a China-nexus hacking group called Lotus Panda.
The attack is assessed to have targeted individuals and organizations located in Vietnam, El Salvador, Australia, the Philippines, the U.S., South America, and Europe, spanning cloud hosting, energy, financial, government, manufacturing, and software development sectors, per data from Kaspersky and Palo Alto Networks Unit 42.
Notepad++ users are recommended to update to version 8.9.2, and make sure that the installers are downloaded from the official domain.
