Notepad++ has rolled out a critical security update, version 8.9.2, to address vulnerabilities that allowed a sophisticated Chinese threat actor to compromise its software update mechanism. This attack enabled the malicious actors to selectively distribute malware to targeted users, highlighting a significant risk to application security.
The update introduces a new “double lock” system designed to bolster the integrity of the software update process and prevent future exploitation. This enhanced security posture includes verifying the digital signature of installers downloaded from GitHub, a feature first implemented in version 8.8.9, and now adds verification for the signed XML files received from the official update server at notepad-plus-plus[.]org.
Notepad++ Security Enhancements Address Past Exploits
The recent security fix for Notepad++ follows a disclosure in late 2025 that a breach at a hosting provider level allowed attackers to intercept and manipulate update traffic. This tactic enabled threat actors, identified by security researchers at Rapid7 and Kaspersky as likely belonging to the China-nexus hacking group Lotus Panda, to redirect unsuspecting users to malicious servers. These servers then delivered compromised “poisoned” updates.
As a result of these findings, the security of the WinGUp auto-updater component has been significantly reinforced. The latest update involves the removal of `libcurl.dll` to mitigate the risk of DLL side-loading attacks. Furthermore, two previously unsecured cURL SSL options, `CURLSSLOPT_ALLOW_BEAST` and `CURLSSLOPT_NO_REVOKE`, have been removed, and the execution of plugin management is now restricted to programs signed with the same certificate as WinGUp.
This proactive approach to patching vulnerabilities underscores the ongoing battle against advanced persistent threats (APTs) and the importance of robust supply chain security for widely used software. The successful exploitation of Notepad++’s update mechanism by Lotus Panda serves as a stark reminder of how sophisticated threat actors can target popular applications to achieve their objectives.
Addressing Critical Vulnerabilities
In addition to fortifying the update process, version 8.9.2 of Notepad++ also resolves a high-severity vulnerability, cataloged as CVE-2026-25926 with a CVSS score of 7.3. This flaw could have led to arbitrary code execution within the context of the running Notepad++ application.
Maintainer Don Ho explained that “An Unsafe Search Path vulnerability (CWE-426) exists when launching Windows Explorer without an absolute executable path.” This condition, under specific circumstances and if an attacker could control the application’s working directory, could allow for the execution of a malicious `explorer.exe`, ultimately leading to unauthorized code execution.
The tampered updates delivered via the compromised Notepad++ update mechanism were used to deploy a previously undocumented backdoor known as Chrysalis. This supply chain incident, tracked as CVE-2025-15556 with a CVSS score of 7.7, demonstrated the attackers’ ability to leverage trusted software delivery channels for malicious purposes.
Users of Notepad++ are strongly advised to update to version 8.9.2 immediately. It is also crucial to ensure that all downloaded installers originate from the official Notepad++ domain to prevent falling victim to similar attacks in the future. The ongoing efforts by the Notepad++ team to secure their software reflect a commitment to user safety in an increasingly complex threat landscape.