The popular text editor Notepad++ has released a critical security update after its software update mechanism was abused in a targeted supply chain attack. The flaw allowed a China linked threat actor to selectively distribute malware to specific users by manipulating the update delivery process.
The newly released version 8.9.2 introduces major security reinforcements designed to prevent similar incidents in the future.
What Happened
According to the project maintainer Don Ho, attackers exploited weaknesses in the update infrastructure to redirect selected users toward malicious servers. This resulted in the delivery of poisoned updates instead of legitimate software packages.
The breach reportedly originated at the hosting provider level, enabling attackers to intercept update traffic beginning in June 2025. The compromise remained undetected until early December 2025.
Security firms Rapid7 and Kaspersky later confirmed that tampered updates were used to deploy a previously unknown backdoor named Chrysalis.
Version 8.9.2 Introduces “Double Lock” Protection
The 8.9.2 release implements what Ho describes as a “double lock” security design. This layered protection strengthens the integrity of the update process through two independent verification mechanisms:
- Verification of the signed installer downloaded from GitHub, first introduced in version 8.8.9.
- Verification of the signed XML file returned by the official update server at notepad-plus-plus[.]org.
This dual validation model significantly reduces the risk of update hijacking and strengthens software supply chain security.
Security Improvements in WinGUp Auto Updater
The update also introduces hardening measures to WinGUp, the built in auto update component. Key security enhancements include:
- Removal of libcurl.dll to prevent DLL side loading attacks
- Elimination of insecure cURL SSL options, specifically CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE
- Restricting plugin management execution to programs signed with the same certificate as WinGUp
These changes are designed to reduce attack surface and prevent misuse of external libraries or improperly validated components.
High Severity Vulnerability Patched
The update addresses CVE-2026-25926, a high severity vulnerability with a CVSS score of 7.3.
This flaw is classified as an Unsafe Search Path vulnerability under CWE-426. It occurs when launching Windows Explorer without specifying an absolute executable path. If an attacker controls the working directory, a malicious explorer.exe file could be executed instead of the legitimate system binary.
Under specific conditions, this could allow arbitrary code execution within the context of the running application.
Previous Supply Chain Incident
The earlier supply chain attack was tracked as CVE-2025-15556 with a CVSS score of 7.7. The incident has been attributed to the China linked threat group Lotus Panda.
Attackers reportedly redirected update requests for selected users, delivering a compromised version that installed the Chrysalis backdoor. This campaign highlights the increasing sophistication of targeted software supply chain attacks affecting widely used developer tools.
Impact on Users
Users who did not verify installer integrity or downloaded updates during the affected period may have been exposed to malware. The incident reinforces the importance of:
- Validating digital signatures
- Downloading software only from official domains
- Monitoring update infrastructure logs for anomalies
- Implementing endpoint detection and response systems
For organizations relying on Notepad++ in enterprise environments, this event serves as a reminder that even trusted tools can become attack vectors in supply chain operations.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
