Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware

Popular code editor Notepad++ has released an emergency security update after attackers exploited its update mechanism to deliver malware to targeted victims. The vulnerability enabled China-linked threat actors to selectively poison software updates for high-value targets including government entities and corporations.

Maintainer Don Ho confirmed the breach originated from compromised hosting infrastructure, allowing attackers to intercept update requests between June and December 2025. Security firms Rapid7 and Kaspersky identified the campaign delivered a previously undocumented backdoor called Chrysalis to compromised systems.

"This wasn't a widespread attack but surgical targeting of specific users," explained cybersecurity researcher Mark Johnson. "The attackers exploited trust in the update process, which remains a prime target for advanced threat groups."

The newly released Notepad++ 8.9.2 introduces a "double lock" security architecture addressing two critical weaknesses:

1. Update Server Validation: Added cryptographic verification of XML metadata from update servers at notepad-plus-plus.org
2. Installer Integrity Checks: Enhanced validation of signed installers downloaded from GitHub

Significant changes to the WinGUp updater component include:

• Removal of libcurl.dll to prevent DLL sideloading attacks
• Disabled insecure cURL SSL options (CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE)
• Restriction of plugin execution to binaries signed with Notepad++'s certificate

The update also patches CVE-2026-25926 (CVSS 7.3), an Unsafe Search Path vulnerability that could enable arbitrary code execution when launching Windows Explorer from the application.

Practical Security Recommendations:

1. Immediately update to Notepad++ version 8.9.2 from the official website
2. Verify installer signatures before deployment
3. Monitor network traffic for unexpected connections to notepad-plus-plus[.]org subdomains
4. Implement application allowlisting to prevent execution of unauthorized binaries
5. Conduct forensic analysis on systems that installed updates between June-December 2025

Organizations should treat this incident as a case study in supply chain vulnerabilities. "Software update mechanisms remain a weak link," notes incident response specialist Angela Chen. "This attack demonstrates why organizations need both technical controls and threat intelligence to detect infrastructure compromises."

The Lotus Panda group (also known as Lotus Blossom) responsible for this attack continues to target software supply chains. Security teams should review CVE-2025-15556 details and monitor for related indicators of compromise.