Notepad++ has released a security fix to plug gaps that were exploited by an advanced threat actor from China to hijack the software update mechanism to selectively deliver malware to targets of interest This article explores updates allowed attackers. . The version 8.9.2 update incorporates what maintainer Don Ho calls a "double lock" design that aims to make the update process "robust and effectively unexploitable."

This includes verification of the signed installer downloaded from GitHub (implemented in version 8.8.9 and later), as well as the newly added verification of the signed XML returned by the update server at notepad-plus-plus[. ]org.

In addition to these enhancements, security-focused changes have been introduced to WinGUp, the auto-updater component - Removal of libcurl.dll to eliminate DLL side-loading risk Removal of two unsecured cURL SSL options: CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE Restriction of plugin management execution to programs signed with the same certificate as WinGUp The update also addresses a high-severity vulnerability (CVE-2026-25926, CVSS score: 7.3) that could result in arbitrary code execution in the context of the running application. "An Unsafe Search Path vulnerability (CWE-426) exists when launching Windows Explorer without an absolute executable path," Ho said. "This may allow execution of a malicious explorer.exe if an attacker can control the process working directory.

Under certain conditions, this could lead to arbitrary code execution in the context of the running application.This comes weeks after Notepad++ revealed that a hosting provider-level breach allowed threat actors to take control of update traffic beginning in June 2025 and reroute requests from specific users to malicious servers in order to deliver a tainted update. Early in December 2025, the problem was discovered. Rapid7 and Kaspersky claim that the tampered updates allowed the attackers to install Chrysalis, a backdoor that had not been previously known to exist.

A China-based hacker collective known as Lotus Panda has been implicated in the supply chain incident, which is being tracked under the CVE identifier CVE-2025-15556 (CVSS score: 7.7).

It is advised that users of Notepad++ update to version 8.9.2 and ensure that the installers are downloaded from the official website.