Cyber Web Spider Blog – News

Notepad++ Secures Update Process Against Malware Threat

Posted on February 18, 2026 By CWS

Notepad++ has fortified its software update mechanism with a newly released security update, addressing vulnerabilities exploited by a Chinese cyber threat group. The latest version, 8.9.2, introduces a ‘double lock’ strategy to ensure a more rigorous and secure update process.

Enhanced Update Security

The update process for Notepad++ has been significantly improved by verifying both the installer downloaded from GitHub and the signed XML from the update server at notepad-plus-plus[.]org. This measure, detailed by maintainer Don Ho, aims to prevent exploitation by unauthorized entities.

Additionally, significant changes have been made to WinGUp, Notepad++’s auto-updater, to eliminate potential security risks. These changes include removing libcurl.dll to mitigate DLL side-loading threats and disabling two insecure cURL SSL options, CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE. In addition, plugin management execution is now restricted to programs signed with the same certificate as WinGUp.

Addressing Critical Vulnerabilities

The update also resolves a high-severity vulnerability, CVE-2026-25926, which scored 7.3 on the CVSS scale. It is an unsafe search path issue that could allow arbitrary code execution when Windows Explorer is launched without a fully specified executable path.

Ho explained that this flaw could be exploited if an attacker manages to control the process’s working directory, potentially leading to malicious execution within the running application.
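The unsafe search path described above can be modelled offline; this is an added example, not Notepad++ or WinGUp code. It assumes a search order of application directory, working directory, then system directories (modelled on the documented CreateProcess order; the page does not say which launch API was involved), and the function names and the temporary tree of empty placeholder files are constructed for the illustration.

```python
import os
import tempfile


def resolve_launch(command, app_dir, cwd, system_dirs, exts=(".exe",)):
    """Return the file the modelled launcher would start, or None."""
    if os.path.dirname(command):
        # A path with a directory part bypasses the search (relative ones use cwd).
        path = os.path.normpath(os.path.join(cwd, command))
        return path if os.path.isfile(path) else None
    names = [command] if os.path.splitext(command)[1] else [command + e for e in exts]
    # Assumed search order: application dir, working dir, then system dirs.
    for directory in (app_dir, cwd, *system_dirs):
        for name in names:
            candidate = os.path.normpath(os.path.join(directory, name))
            if os.path.isfile(candidate):
                return candidate
    return None


def audit_launch(command, app_dir, cwd, system_dirs):
    """Classify a launch command and report the file it resolves to."""
    resolved = resolve_launch(command, app_dir, cwd, system_dirs)
    if resolved is None:
        return "not-found", None
    trusted = {os.path.normpath(d) for d in (app_dir, *system_dirs)}
    if os.path.dirname(resolved) not in trusted:
        return "untrusted", resolved          # resolved outside trusted dirs
    if os.path.isabs(command):
        return "pinned", resolved             # hardened form: absolute path
    return "search-path-dependent", resolved  # correct today, decided by cwd


def demo():
    """Constructed tree of empty placeholder files; nothing is executed."""
    with tempfile.TemporaryDirectory() as root:
        app, work, system = (os.path.join(root, d) for d in ("app", "work", "system"))
        for d in (app, work, system):
            os.mkdir(d)
        open(os.path.join(system, "explorer.exe"), "w").close()
        before = audit_launch("explorer", app, work, [system])
        # Same bare name, but the working directory now holds a same-named file.
        open(os.path.join(work, "explorer.exe"), "w").close()
        after = audit_launch("explorer", app, work, [system])
        pinned = audit_launch(os.path.join(system, "explorer.exe"), app, work, [system])
        return before[0], after[0], pinned[0]


if __name__ == "__main__":
    print(demo())
```

The bare name changes target as soon as the working directory contains a matching file, while the absolute path resolves to the system copy regardless of the working directory.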

Response to Previous Attacks

This development follows a recent disclosure by Notepad++ regarding a breach at the hosting provider level, which allowed attackers to hijack update traffic starting June 2025. By December 2025, it was discovered that certain user requests were redirected to malicious servers, resulting in the deployment of a compromised update.

Security firms Rapid7 and Kaspersky identified the tampered updates as a vector for delivering the Chrysalis backdoor, a novel threat attributed to the China-based hacking group Lotus Panda. This supply chain attack was registered under CVE-2025-15556, with a CVSS score of 7.7.

Notepad++ users are urged to upgrade to version 8.9.2 immediately and ensure that installations are sourced from the official website to safeguard against these threats.

The Hacker News Tags: application security, China hacking group, Chrysalis backdoor, CVE-2026-25926, Cybersecurity, DLL Sideloading, Hacking, Lotus Panda, Malware, Notepad, security update, software update, software vulnerability, supply chain attack, WinGUp
