Thursday, February 19, 2026

Notepad++ Patches Hijacked Updater After China-Linked Malware Campaign


Notepad++ has rolled out a critical security update to fix vulnerabilities that were exploited by a China-linked threat actor to hijack its update mechanism and selectively push malware to targeted users.

The newly released version 8.9.2 introduces what project maintainer Don Ho describes as a “double lock” security model designed to make the software’s update process significantly more resilient against tampering.

The strengthened mechanism builds on earlier protections added in version 8.8.9, which verified the signed installer downloaded from GitHub. The latest update goes a step further by validating the cryptographic signature of the XML file returned by the official update server at notepad-plus-plus[.]org — effectively adding an extra layer of integrity checking to prevent malicious redirection.
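To make the "double lock" concrete, the following is an added example in Go; it is not Notepad++ or WinGUp code, which the article does not reproduce. It models the two checks the article describes: the update manifest must carry a valid publisher signature before any field in it is trusted (lock 1), and the installer fetched from the manifest's location must itself verify and match the digest pinned in the manifest (lock 2). The Ed25519 signing, the XML element names, the publisher key, the URLs and the installer bytes are all constructed for this example and are not the real WinGUp schema or signing scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for the update XML; the element names
// are assumptions for this example, not the real WinGUp schema.
type Manifest struct {
	XMLName  xml.Name `xml:"Update"`
	Version  string   `xml:"Version"`
	Location string   `xml:"Location"`
	SHA256   string   `xml:"SHA256"`
}

// Artifact is a downloaded body together with its detached signature.
type Artifact struct{ Data, Sig []byte }

// Lock 1: no field of the manifest is trusted until its signature verifies.
func verifyManifest(pub ed25519.PublicKey, m Artifact) (*Manifest, error) {
	if !ed25519.Verify(pub, m.Data, m.Sig) {
		return nil, errors.New("lock 1: manifest signature invalid")
	}
	var man Manifest
	if err := xml.Unmarshal(m.Data, &man); err != nil {
		return nil, fmt.Errorf("lock 1: manifest parse: %w", err)
	}
	return &man, nil
}

// Lock 2: the installer must verify under the same publisher key and match the digest pinned in the verified manifest.
func verifyInstaller(pub ed25519.PublicKey, inst Artifact, man *Manifest) error {
	if !ed25519.Verify(pub, inst.Data, inst.Sig) {
		return errors.New("lock 2: installer signature invalid")
	}
	sum := sha256.Sum256(inst.Data)
	if hex.EncodeToString(sum[:]) != man.SHA256 {
		return errors.New("lock 2: installer digest does not match manifest")
	}
	return nil
}

// update applies both locks in order and returns the version it would install.
// fetch stands in for the HTTP download so the example runs offline.
func update(pub ed25519.PublicKey, manifest Artifact, fetch func(string) (Artifact, error)) (string, error) {
	man, err := verifyManifest(pub, manifest)
	if err != nil {
		return "", err
	}
	inst, err := fetch(man.Location)
	if err != nil {
		return "", err
	}
	if err := verifyInstaller(pub, inst, man); err != nil {
		return "", err
	}
	return man.Version, nil
}

// scenario builds a genuine release with a fresh publisher key, then applies the caller's tampering to what the "network" returns.
func scenario(tamperManifest, tamperInstaller func(Artifact) Artifact) (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	sign := func(d []byte) Artifact { return Artifact{d, ed25519.Sign(priv, d)} }
	installer := []byte("constructed installer bytes for 8.9.2")
	sum := sha256.Sum256(installer)
	const loc = "https://updates.example.invalid/npp.8.9.2.Installer.exe"
	xmlBytes, _ := xml.Marshal(Manifest{Version: "8.9.2", Location: loc, SHA256: hex.EncodeToString(sum[:])})
	served := map[string]Artifact{loc: tamperInstaller(sign(installer))}
	fetch := func(url string) (Artifact, error) {
		if a, ok := served[url]; ok {
			return a, nil
		}
		return Artifact{}, fmt.Errorf("fetch: refusing unknown location %q", url)
	}
	return update(pub, tamperManifest(sign(xmlBytes)), fetch)
}

func identity(a Artifact) Artifact { return a }

// A rewritten Location invalidates the manifest signature, so lock 1 stops the redirect before any download happens.
func redirectManifest(a Artifact) Artifact {
	a.Data = bytes.Replace(a.Data, []byte("updates."), []byte("mirror."), 1)
	return a
}

// A replaced installer body at the genuine location fails lock 2 twice over: the signature does not verify and the digest no longer matches.
func swapInstaller(a Artifact) Artifact {
	a.Data = []byte("constructed replaced installer bytes")
	return a
}
```

Run `scenario(identity, identity)` to see the genuine release accepted, `scenario(redirectManifest, identity)` to see the redirect refused at lock 1 before anything is fetched, and `scenario(identity, swapInstaller)` to see a tampered download refused at lock 2. The point of checking the manifest first is that a redirect in the update path never reaches the download step at all, which is the gap the 8.8.9 installer-only check left open.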


Security Hardening Measures

In addition to the double verification model, the update introduces multiple security-focused improvements to WinGUp, the software’s auto-updater component:

  • Removal of libcurl.dll to eliminate DLL side-loading risks

  • Elimination of insecure cURL SSL options (CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE)

  • Restriction of plugin management execution to programs signed with the same certificate as WinGUp

The release also patches a high-severity vulnerability tracked as CVE-2026-25926 (CVSS score: 7.3). The flaw stems from an Unsafe Search Path issue (CWE-426) when launching Windows Explorer without specifying an absolute executable path.

According to Ho, the weakness could allow a malicious explorer.exe to execute if an attacker controls the working directory of the process. Under certain conditions, this could lead to arbitrary code execution within the context of the running application.
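The search-path weakness is easiest to see by modelling how a bare executable name is resolved. The following is an added example in Go, not the Notepad++ code (the article does not reproduce it); it follows the documented CreateProcess search order used when no application path is given, with the 16-bit system directory omitted. The directory names, the file set and the `Exists` callback are constructed for the example.

```go
package main

import "strings"

// SearchContext models the directories a Windows process resolves a bare
// executable name against, in the documented CreateProcess order.
// Exists is a constructed stand-in for the file system.
type SearchContext struct {
	AppDir, CurrentDir, SystemDir, WindowsDir string
	PathDirs                                  []string
	Exists                                    func(path string) bool
}

// IsAbsoluteWindowsPath reports whether name is a drive-rooted or UNC path.
func IsAbsoluteWindowsPath(name string) bool {
	if strings.HasPrefix(name, `\\`) {
		return true
	}
	return len(name) >= 3 && name[1] == ':' && (name[2] == '\\' || name[2] == '/')
}

// Resolve returns the file a launch of name would actually execute. An absolute
// name is used as-is; a bare name is searched in order, so the current
// directory is consulted before System32 and the Windows directory.
func (c SearchContext) Resolve(name string) (string, bool) {
	if IsAbsoluteWindowsPath(name) {
		return name, c.Exists(name)
	}
	order := append([]string{c.AppDir, c.CurrentDir, c.SystemDir, c.WindowsDir}, c.PathDirs...)
	for _, dir := range order {
		candidate := strings.TrimRight(dir, `\`) + `\` + name
		if c.Exists(candidate) {
			return candidate, true
		}
	}
	return "", false
}

// ExplorerPath is the hardened form: build the absolute path from the Windows
// directory (normally taken from %SystemRoot%) so no search happens at all.
func ExplorerPath(windowsDir string) string {
	return strings.TrimRight(windowsDir, `\`) + `\explorer.exe`
}

// fixture is a constructed file set: the genuine explorer.exe under the Windows
// directory plus a same-named file in a working directory the process did not
// choose. Lookups are lower-cased because Windows paths are case-insensitive.
func fixture() SearchContext {
	files := map[string]bool{
		`c:\windows\explorer.exe`:                 true,
		`c:\windows\system32\cmd.exe`:             true,
		`c:\users\someone\downloads\explorer.exe`: true,
	}
	return SearchContext{
		AppDir:     `C:\Program Files\Notepad++`,
		CurrentDir: `C:\Users\someone\Downloads`,
		SystemDir:  `C:\Windows\System32`,
		WindowsDir: `C:\Windows`,
		PathDirs:   []string{`C:\Windows\System32`, `C:\Windows`},
		Exists:     func(p string) bool { return files[strings.ToLower(p)] },
	}
}
```

With this fixture, `fixture().Resolve("explorer.exe")` lands on the copy in the working directory, while `fixture().Resolve(ExplorerPath(`C:\Windows`))` returns the genuine file regardless of what the working directory contains. The defensive rule the CVE-2026-25926 fix applies is the second form: never hand a bare name to a process-creation API when the working directory is not under the application's control.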


Fallout From a Supply Chain Breach

The fix follows a previously disclosed incident in which attackers exploited a breach at the hosting provider level to manipulate Notepad++ update traffic beginning in June 2025. The compromise allowed certain users’ update requests to be redirected to malicious servers that distributed poisoned installers. The tampering was discovered in early December 2025.

Security researchers at Rapid7 and Kaspersky determined that the altered updates delivered a previously undocumented backdoor named Chrysalis. The broader supply chain attack is tracked as CVE-2025-15556 (CVSS score: 7.7) and has been attributed to the China-linked threat group Lotus Panda.


According to findings from Kaspersky and Palo Alto Networks Unit 42, the campaign targeted individuals and organizations across Vietnam, El Salvador, Australia, the Philippines, the United States, South America, and Europe. Affected sectors included cloud hosting, energy, finance, government, manufacturing, and software development.

What Users Should Do

Users are strongly advised to update immediately to version 8.9.2 and ensure installers are downloaded exclusively from the official Notepad++ domain to avoid potential tampering.

The incident underscores the growing risk posed by supply chain attacks, particularly when threat actors exploit trusted update channels to distribute targeted malware.
