• Notepad++ released 8.9.2 patch to fix hijacked update mechanism exploited by Chinese threat actor.
• Introduces “double lock” design, verifying signed installer and XML from update server.
• Removes libcurl.dll and insecure cURL SSL options to mitigate DLL side‑loading and SSL risks.
• Restricts plugin execution to programs signed with same certificate as WinGUp.
• Addresses CVE-2026-25926 (CVSS 7.3) unsafe search path vulnerability enabling arbitrary code execution.
• Breach at hosting provider in June 2025 allowed attackers to serve poisoned updates; detected December 2025.

Article Summaries:

  • Notepad++ has released a security fix to plug gaps that were exploited by an advanced threat actor from China to hijack the software update mechanism to selectively deliver malware to targets of interest. The version 8.9.2 update incorporates what maintainer Don Ho calls a “double lock” design that aims to make the update process “robust and effectively unexploitable.” This includes verification of the signed installer downloaded from GitHub (implemented in version 8.8.9 and later), as well as the newly added verification of the signed XML returned by the update server at notepad-plus-plus[.]o
  • Notepad++ has issued version 8.9.2 to address a supply‑chain compromise that allowed a China‑based threat actor to hijack the editor’s update mechanism and deliver the Chrysalis backdoor. The new release introduces a “double‑lock” design that verifies both the signed installer from GitHub and the signed XML from the official update server, removes libcurl.dll to eliminate DLL side‑loading, disables insecure cURL SSL options, and restricts plugin execution to code signed with the same certificate. The patch also fixes CVE‑2026‑25926, a high‑severity unsafe search‑path vulnerability. The incident, tracked as CVE‑2025‑15556, targeted users in Vietnam, El Salvador, Australia, the Philippines, the U.S., South America, and Europe. Users are urged to update to 8.9.2 and download installers only from the official domain.

Sources: