
Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware

Notepad++ has released a security update to close gaps that had been exploited by a sophisticated China-based threat actor to hijack the software's update mechanism and selectively deliver malware to targets of interest.

The version 8.9.2 update incorporates what maintainer Don Ho calls a “double lock” design that aims to make the update process “robust and effectively unexploitable.” This consists of verification of the signed installer downloaded from GitHub (implemented in version 8.8.9 and later), together with the newly added verification of the signed XML returned by the update server at notepad-plus-plus[.]org.

In addition to these enhancements, security-focused changes have been introduced to WinGUp, the auto-updater component –

  • Removal of libcurl.dll to eliminate the DLL side-loading risk
  • Removal of two insecure cURL SSL options: CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE
  • Restriction of plugin-management execution to packages signed with the same certificate as WinGUp
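The “double lock” described above, modelled as an added Go example that is not WinGUp's code: an Ed25519 signature over the manifest bytes and a SHA-256 digest carried inside the signed manifest stand in for the signing scheme and installer signature the page does not specify, and the manifest element names and key pair are constructed here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
)

// Manifest is a constructed stand-in for the signed update XML (the digest travels inside the signed body).
type Manifest struct {
	XMLName xml.Name `xml:"GUP"`
	Version string   `xml:"Version"`
	SHA256  string   `xml:"SHA256"`
}

// verifyUpdate applies both locks and fails closed: lock 1 verifies the server's
// signature over the raw manifest bytes before any field is trusted; lock 2 checks
// the downloaded installer against the digest the signed manifest carries.
func verifyUpdate(pub ed25519.PublicKey, manifestXML, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestXML, sig) {
		return nil, fmt.Errorf("lock 1: manifest signature invalid")
	}
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return nil, fmt.Errorf("lock 1: signed manifest unparseable: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	got := sha256.Sum256(installer)
	if err != nil || !bytes.Equal(got[:], want) {
		return nil, fmt.Errorf("lock 2: installer digest mismatch")
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair, not the project's
	installer := []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	raw, _ := xml.Marshal(Manifest{Version: "8.9.2", SHA256: hex.EncodeToString(sum[:])})
	sig := ed25519.Sign(priv, raw) // the update server's signing step
	_, err := verifyUpdate(pub, raw, sig, installer)
	fmt.Println("genuine update:", err)
	_, err = verifyUpdate(pub, bytes.Replace(raw, []byte("8.9.2"), []byte("9.0.0"), 1), sig, installer)
	fmt.Println("manifest edited in transit:", err) // stopped at lock 1
	_, err = verifyUpdate(pub, raw, sig, []byte("swapped installer"))
	fmt.Println("swapped installer:", err) // stopped at lock 2
}
```

A redirected update server can only replay a manifest the real server signed, and a swapped binary behind a genuine manifest is caught by the digest check before anything runs.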

The update also addresses a high-severity vulnerability (CVE-2026-25926, CVSS score: 7.3) that could result in arbitrary code execution in the context of the running application.


“An Unsafe Search Path vulnerability (CWE-426) exists when launching Windows Explorer without an absolute executable path,” Ho said. “This may allow execution of a malicious explorer.exe if an attacker can control the process working directory. Under certain circumstances, this could lead to arbitrary code execution in the context of the running application.”

The development comes weeks after Notepad++ disclosed that a breach at the hosting-provider level enabled threat actors to hijack update traffic starting June 2025 and redirect requests from certain users to malicious servers serving a poisoned update. The issue was detected in early December 2025.

According to Rapid7 and Kaspersky, the tampered updates enabled the attackers to deliver a previously undocumented backdoor dubbed Chrysalis. The supply chain incident, tracked under the CVE identifier CVE-2025-15556 (CVSS score: 7.7), has been attributed to a China-nexus hacking group known as Lotus Panda.

Notepad++ users are advised to update to version 8.9.2 and to make sure that installers are downloaded from the official domain.
