Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware

Notepad++ has released a security update to address vulnerabilities that were exploited by a sophisticated threat actor from China to compromise the software’s update mechanism and deliver malware to specific targets.

Security Update and Fixes

The update, version 8.9.2, incorporates a “double lock” design aimed at making the update process more robust and resistant to exploitation.

The security fix includes enhancements to the WinGUp auto-updater component, such as the removal of libcurl.dll to prevent DLL side-loading attacks, and the elimination of two unsecured cURL SSL options. Additionally, the update restricts plugin management execution to programs signed with the same certificate as WinGUp.

Vulnerability and Exploitation

The update also addresses a high-severity vulnerability (CVE-2026-25926, CVSS score: 7.3) that could lead to arbitrary code execution in the context of the running application.

According to Notepad++ maintainer Don Ho, the vulnerability exists due to an unsafe search path when launching Windows Explorer without an absolute executable path. This could allow an attacker to execute a malicious explorer.exe if they can control the process working directory, potentially leading to arbitrary code execution.
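The launch pattern described above, as an added example that is not Notepad++ or WinGUp code: a bare `explorer.exe` image name handed to CreateProcess, which Windows resolves through its search order (the working directory is consulted before System32), beside a hardened launcher that first resolves the executable to an absolute path under the Windows directory. Function names are assumptions, and on a non-Windows build only the portable path-resolution logic is compiled.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Join the Windows directory and "explorer.exe" into one absolute path;
 * portable so the rule can be checked anywhere. 0 on success, -1 on error. */
int build_explorer_path(const char *windir, char *out, size_t outlen) {
    const char *name = "\\explorer.exe";
    size_t n = strlen(windir);
    while (n > 0 && windir[n - 1] == '\\') n--;   /* drop trailing backslash */
    if (n == 0 || n + strlen(name) + 1 > outlen) return -1;
    memcpy(out, windir, n);
    strcpy(out + n, name);
    return 0;
}

/* True for "X:\..." paths; false for a bare name like "explorer.exe", which
 * CreateProcess would look up in the working directory before System32. */
int is_absolute_win_path(const char *p) {
    return strlen(p) >= 3 && ((p[0] >= 'A' && p[0] <= 'Z') || (p[0] >= 'a' && p[0] <= 'z'))
        && p[1] == ':' && p[2] == '\\';
}

#ifdef _WIN32
static BOOL run(const char *app, char *cmd) {
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi;
    BOOL ok = CreateProcessA(app, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
    if (ok) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
    return ok;
}
/* BEFORE (unsafe): bare image name with lpApplicationName NULL, so the
 * search order applies and the working directory is tried before System32. */
BOOL launch_explorer_unsafe(const char *target) {
    char cmd[2 * MAX_PATH];
    snprintf(cmd, sizeof cmd, "explorer.exe /select,\"%s\"", target);
    return run(NULL, cmd);
}
/* AFTER (hardened): absolute path as lpApplicationName, so no search runs
 * and an explorer.exe planted in the working directory is never used. */
BOOL launch_explorer_safe(const char *target) {
    char windir[MAX_PATH], exe[MAX_PATH], cmd[2 * MAX_PATH];
    if (!GetWindowsDirectoryA(windir, sizeof windir)) return FALSE;
    if (build_explorer_path(windir, exe, sizeof exe) != 0) return FALSE;
    snprintf(cmd, sizeof cmd, "\"%s\" /select,\"%s\"", exe, target);
    return run(exe, cmd);
}
#endif
```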

Previous Breach and Attribution

The vulnerability was discovered weeks after Notepad++ disclosed a breach at the hosting provider level, which allowed threat actors to hijack update traffic starting in June 2025.

The attackers redirected requests from certain users to malicious servers, serving a poisoned update. The issue was detected in early December 2025.

According to Rapid7 and Kaspersky, the tampered updates enabled the attackers to deliver a previously undocumented backdoor called Chrysalis. The supply chain incident, tracked under the CVE identifier CVE-2025-15556 (CVSS score: 7.7), has been attributed to a China-nexus hacking group called Lotus Panda.

Recommendation

The Notepad++ update aims to prevent similar attacks by ensuring the integrity of the update process. Users are advised to apply the update to prevent potential exploitation.