Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware

Published: February 18, 2026 at 02:40 AM EST

Source: The Hacker News


Overview

Notepad++ has released a security fix that closes the gaps an advanced threat actor from China exploited to hijack the software’s update mechanism and deliver targeted malware to specific users.

The fix is included in version 8.9.2 and introduces a “double lock” design that makes the update process robust and effectively unexploitable. This design verifies both the signed installer downloaded from GitHub (implemented in version 8.8.9 and later) and the signed XML returned by the update server at notepad-plus-plus.org.

Update Details

  • Verification improvements
    • Signed installer verification (since v8.8.9)
    • New verification of the signed XML from the update server
  • WinGUp (auto‑updater) hardening
    • Removal of libcurl.dll to eliminate DLL side‑loading risk
    • Removal of two insecure cURL SSL options: CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE
    • Restriction of plugin‑management execution to programs signed with the same certificate as WinGUp


Vulnerability Details

The update also patches a high‑severity vulnerability:

  • CVE‑2026‑25926 – CVSS 7.3
    An unsafe search‑path vulnerability (CWE‑426) occurs when launching Windows Explorer without an absolute executable path. An attacker who can control the process working directory could cause execution of a malicious explorer.exe, potentially leading to arbitrary code execution in the context of the running application.
    Source: GitHub advisory

Supply‑Chain Incident Background

  • Timeline:
    • June 2025 – Threat actors began hijacking Notepad++ update traffic.
    • Early December 2025 – The breach was detected.
  • Impact:
    Attackers redirected update requests for certain users to malicious servers, delivering a poisoned update that installed an undocumented backdoor named Chrysalis.

  • Attribution:
    The supply‑chain attack is tracked under CVE‑2025‑15556 (CVSS 7.7) and has been linked to the China‑based hacking group Lotus Panda.

Recommendations

  • Update to Notepad++ 8.9.2 immediately.
  • Verify that installers are downloaded from the official Notepad++ domain (notepad-plus-plus.org).

Tags: Application Security, cybersecurity, Malware, software security, supply chain attack, Vulnerability
