Notepad++ Enhances Security After Update Mechanism Hijack
Notepad++, a widely used open-source text editor, has addressed security weaknesses in its update mechanism that a China-linked threat actor exploited. The attackers hijacked update traffic and used it to deliver malware selectively to targeted users.
In response, Notepad++ released version 8.9.2, which introduces a "double lock" on the update process. Both checks must pass before an update is applied:
– Verification of signed installers: the installer downloaded from GitHub must carry a valid signature.
– Verification of signed XML: the update XML fetched from the update server at notepad-plus-plus.org must carry a valid signature.
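As an added illustration (this is not Notepad++'s or WinGUp's code, which relies on Windows code-signing of the installer and a signed XML), the following Go program shows the shape of a two-lock update check using a substitute technique: an Ed25519 signature over the update manifest and a SHA-256 digest of the installer pinned inside that manifest. The manifest layout, the key handling, the URL and the installer bytes are all assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is an assumed update-manifest layout used for this illustration;
// it is not the XML format notepad-plus-plus.org actually serves.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"url"`
	SHA256  string   `xml:"sha256"` // hex digest of the installer the manifest vouches for
}

var (
	ErrBadManifestSig = errors.New("manifest signature invalid: refusing update")
	ErrBadInstaller   = errors.New("installer digest mismatch: refusing update")
)

// SignManifest is the publisher side: pin the installer's SHA-256 in the
// manifest and sign the serialized XML with the publisher's private key.
func SignManifest(priv ed25519.PrivateKey, version, url string, installer []byte) (manifestXML, sig []byte, err error) {
	sum := sha256.Sum256(installer)
	manifestXML, err = xml.Marshal(Manifest{Version: version, URL: url, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return manifestXML, ed25519.Sign(priv, manifestXML), nil
}

// VerifyUpdate is the client side, with the two locks applied in order:
// lock 1 checks the manifest signature before the XML is even parsed, so a
// hijacked server cannot feed the parser attacker-chosen content; lock 2
// checks the downloaded installer against the digest pinned in the
// now-trusted manifest. Either failure aborts the update.
func VerifyUpdate(pub ed25519.PublicKey, manifestXML, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestXML, sig) {
		return nil, ErrBadManifestSig
	}
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("manifest carries a malformed sha256 field")
	}
	got := sha256.Sum256(installer)
	if !bytes.Equal(got[:], want) {
		return nil, ErrBadInstaller
	}
	return &m, nil
}

// Scenario plays out a genuine update and the two things a server-side
// hijack can do: swap the installer under an intact manifest, or rewrite
// the manifest to bless the swapped installer without holding the key.
// All inputs are constructed stand-ins.
func Scenario() (genuine, swappedInstaller, forgedManifest error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	installer := []byte("constructed stand-in for the genuine installer")
	trojan := []byte("constructed stand-in for a trojaned installer")
	manifestXML, sig, err := SignManifest(priv, "8.9.2", "https://example.invalid/installer.exe", installer)
	if err != nil {
		return err, err, err
	}
	_, genuine = VerifyUpdate(pub, manifestXML, sig, installer)
	_, swappedInstaller = VerifyUpdate(pub, manifestXML, sig, trojan)
	// The attacker can sign with their own key, but not with the publisher's.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forgedXML, forgedSig, _ := SignManifest(attackerPriv, "8.9.2", "https://example.invalid/installer.exe", trojan)
	_, forgedManifest = VerifyUpdate(pub, forgedXML, forgedSig, trojan)
	return genuine, swappedInstaller, forgedManifest
}

func main() {
	genuine, swapped, forged := Scenario()
	fmt.Println("genuine update:   ", genuine)
	fmt.Println("swapped installer:", swapped)
	fmt.Println("forged manifest:  ", forged)
}
```

The order of the checks matters: the signature is verified over the raw bytes before any parsing, so the XML parser only ever sees publisher-signed input, and the installer digest is trusted only because it came from that signed manifest.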
Additionally, the auto-updater component, WinGUp, underwent security-focused modifications:
– Removal of libcurl.dll: the updater no longer loads a separate libcurl.dll, closing the DLL side-loading path in which an attacker-placed DLL of that name would be loaded in place of the genuine library.
– Disabling insecure cURL SSL options: CURLSSLOPT_ALLOW_BEAST (which gives up the BEAST mitigation for compatibility with old servers) and CURLSSLOPT_NO_REVOKE (which skips certificate revocation checks) were removed, so a certificate its issuer has revoked is no longer silently accepted.
– Restricting plugin-management execution: WinGUp now only executes programs signed with the same certificate as WinGUp itself.
The release also fixes a high-severity vulnerability, CVE-2026-25926, classed as an Unsafe Search Path issue (CWE-426). The application launched explorer.exe by bare name rather than by full path, so if an attacker controlled the process's working directory, a malicious explorer.exe placed there could be executed instead of the real one, yielding arbitrary code execution with the privileges of the Notepad++ user.
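The following Go program is an added illustration, not the Notepad++ fix, of why launching a program by bare name is dangerous and what the hardened lookup looks like. The two-entry search order it models and the directory layout are assumptions constructed for the example; on Windows the trusted directory would be obtained from the OS rather than passed in as a parameter.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ResolveCwdFirst models the unsafe lookup: a bare program name is searched
// starting in the process's working directory, so whoever controls that
// directory controls which explorer.exe runs. The two-entry search order is
// an assumption made for illustration, not the exact Windows loader order.
func ResolveCwdFirst(name, cwd, windowsDir string) (string, error) {
	for _, dir := range []string{cwd, windowsDir} {
		p := filepath.Join(dir, name)
		if fi, err := os.Stat(p); err == nil && fi.Mode().IsRegular() {
			return p, nil
		}
	}
	return "", os.ErrNotExist
}

// ResolveInWindowsDir is the hardened form: accept only a bare file name,
// then build an absolute path rooted in the trusted Windows directory, so
// the working directory is never consulted. On Windows the real directory
// would come from the OS (explorer.exe lives in %SystemRoot%); here it is a
// parameter so the example runs anywhere.
func ResolveInWindowsDir(name, windowsDir string) (string, error) {
	if name == "" || name != filepath.Base(name) {
		return "", errors.New("program name must be a bare file name")
	}
	if !filepath.IsAbs(windowsDir) {
		return "", errors.New("windows directory must be an absolute path")
	}
	p := filepath.Join(windowsDir, name)
	fi, err := os.Stat(p)
	if err != nil {
		return "", err
	}
	if !fi.Mode().IsRegular() {
		return "", fmt.Errorf("%s is not a regular file", p)
	}
	return p, nil
}

// PlantedScenario constructs a stand-in Windows directory holding the
// genuine explorer.exe and an attacker-controlled working directory holding
// a planted one, then returns what each resolver would execute.
func PlantedScenario() (unsafePick, safePick string, err error) {
	root, err := os.MkdirTemp("", "cwe426")
	if err != nil {
		return "", "", err
	}
	defer os.RemoveAll(root)
	windowsDir := filepath.Join(root, "Windows")
	attackerCwd := filepath.Join(root, "attacker-controlled-cwd")
	for _, dir := range []string{windowsDir, attackerCwd} {
		if err := os.MkdirAll(dir, 0o755); err != nil {
			return "", "", err
		}
		// Constructed placeholder bytes; only the file's location matters here.
		if err := os.WriteFile(filepath.Join(dir, "explorer.exe"), []byte("stand-in"), 0o755); err != nil {
			return "", "", err
		}
	}
	if unsafePick, err = ResolveCwdFirst("explorer.exe", attackerCwd, windowsDir); err != nil {
		return "", "", err
	}
	if safePick, err = ResolveInWindowsDir("explorer.exe", windowsDir); err != nil {
		return "", "", err
	}
	return unsafePick, safePick, nil
}

func main() {
	unsafePick, safePick, err := PlantedScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("cwd-first lookup runs:  ", unsafePick)
	fmt.Println("windows-dir lookup runs:", safePick)
}
```

The hardened resolver also rejects names containing path separators, so a caller cannot be tricked into building a path that escapes the trusted directory.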
The breach, detected in early December 2025, revealed that the attackers had been hijacking update traffic since June 2025: requests from selected users were redirected to malicious servers that served tampered updates. Investigations by Rapid7 and Kaspersky found that these updates deployed a previously undocumented backdoor named Chrysalis. The updater weakness that made the supply chain attack possible is tracked as CVE-2025-15556, and the campaign has been attributed to the China-linked group known as Lotus Panda.
The attack targeted individuals and organizations across various sectors, including cloud hosting, energy, financial, government, manufacturing, and software development. Affected regions spanned Vietnam, El Salvador, Australia, the Philippines, the U.S., South America, and Europe.
Notepad++ users are strongly advised to update to version 8.9.2, to download installers exclusively from the official domain, and to check the installer's digital signature before running it.