Notepad++ has addressed a sophisticated supply chain attack by a Chinese threat group that exploited the software's update process to deliver targeted malware. The latest release introduces a double-verification system that validates both the update server response and the installer file to ensure total integrity.
Notepad++ version 8.9.2 introduces a double lock design intended to make the update mechanism virtually unexploitable by attackers. This security overhaul requires the application to verify the digital signature of the XML data returned from the update server and the signature of the installer downloaded from GitHub. These layers of verification ensure that even if an update request is intercepted or redirected, the software will refuse to execute any unsigned or tampered files.
The developer also implemented several critical changes to WinGUp, the integrated auto-updater component, to reduce its attack surface. This includes the removal of the libcurl library to prevent DLL side-loading and the elimination of insecure SSL options that previously ignored certificate revocations. Additionally, the application now restricts plugin management tasks to only those programs signed with the same certificate as the updater itself, preventing unauthorized third-party modifications.
Beyond the supply chain fixes, the update patches a high-severity vulnerability tracked as CVE-2026-25926. This flaw involved an unsafe search path when launching Windows Explorer, which could have allowed an attacker to execute malicious code if they controlled the working directory. By ensuring the software uses absolute executable paths, the maintainers have blocked this avenue for arbitrary code execution within the application context.
These defensive measures follow a significant breach where threat actors hijacked update traffic beginning in June 2025. By compromising the hosting provider level, the group known as Lotus Panda was able to redirect specific users to malicious servers and deliver a sophisticated backdoor called Chrysalis. The activity went undetected for months before being discovered in late 2025, prompting this comprehensive architectural shift in how the software handles remote updates.
Security researchers from Rapid7 and Kaspersky have confirmed that the incident was a highly targeted operation aimed at specific users of interest. Because the attackers could selectively poison updates, the risk was significant for organizations involved in sensitive sectors. Users are strongly urged to transition to version 8.9.2 immediately and verify that all future downloads originate exclusively from the official project domain to avoid remnants of the redirection campaign.
Source: Notepad++ Fixes Hijacked Update Mechanism Used To Deliver Targeted Malware