Ethical Hacking News
Notepad++ has released a security fix to address vulnerabilities that were exploited by threat actors from China to hijack the software update mechanism and deliver targeted malware. The update includes a "double lock" design that aims to make the update process robust and effectively unexploitable, as well as enhancements to WinGUp, the auto-updater component.
Notepad++, a popular open-source text editor for Windows, has released version 8.9.2 to address the weaknesses that a China-nexus threat actor exploited to hijack its update mechanism and deliver a previously undocumented backdoor dubbed Chrysalis. The same release fixes a high-severity unsafe search path vulnerability (CVE-2026-25926) that could result in arbitrary code execution. The incident is a clear illustration of a supply chain attack on a software update channel: the attackers compromised the path by which users fetched updates rather than the editor itself.
A supply chain attack occurs when an attacker compromises a supplier, vendor, or distribution channel that sits between a product's developers and its users, so that malicious code reaches the final product or the end user without the developers' involvement. In this case, the attackers did not tamper with Notepad++ itself: a breach at the hosting provider level allowed them to redirect update requests from selected users to servers under their control, and because the pre-8.9.2 updater did not verify a signature on either the update server's response or the installer it downloaded, those servers could deliver the Chrysalis backdoor in place of a legitimate update.
The hijack was detected in early December 2025. Researchers at Rapid7 and Kaspersky subsequently reported that the redirected update traffic had been used to serve poisoned updates carrying the backdoor to systems running Notepad++, giving the attackers a persistent foothold on the affected machines.
The attack was attributed to a China-nexus hacking group tracked as Lotus Panda (Rapid7 refers to the same group as Lotus Blossom). According to data from Kaspersky and Palo Alto Networks Unit 42, the targeting was selective rather than indiscriminate: individuals and organizations located in Vietnam, El Salvador, Australia, the Philippines, the U.S., South America, and Europe, across the cloud hosting, energy, financial, government, manufacturing, and software development sectors.
Notepad++ users are recommended to update to version 8.9.2, which incorporates a "double lock" design intended to make the update process robust and effectively unexploitable. One lock verifies the signed installer downloaded from GitHub; the other verifies the signed XML returned by the update server at notepad-plus-plus[.]org. Because each check is against a signature the attacker cannot forge, control of the update server's hosting or DNS, which is what the intrusion gave the attackers, is no longer enough to push a malicious update: a tampered XML response fails one check, and a swapped installer fails the other.
In addition, security-focused changes have been made to WinGUp, the auto-updater component: libcurl.dll has been removed to eliminate the DLL side-loading risk of a planted library being loaded from the updater's directory; two insecure cURL SSL options, CURLSSLOPT_ALLOW_BEAST (which disables libcurl's mitigation for the BEAST attack on TLS 1.0 CBC ciphers) and CURLSSLOPT_NO_REVOKE (which disables certificate revocation checking), have been removed; and plugin management is now restricted to executables signed with the same certificate as WinGUp.
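To make the "double lock" concrete, the following is an added model of the two checks, written for this article and not taken from WinGUp or Notepad++ (whose updater is C++ and uses the Windows signature APIs). It assumes a simplified XML schema, uses ed25519 signatures as stand-ins for the real XML and Authenticode signatures, and adds a SHA-256 field that binds the manifest to the exact installer, which the page does not describe; the keys, the download URL and the installer bytes are all constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest stands in for the XML the update server returns; the element
// names are an assumption for this example, not WinGUp's real schema.
type Manifest struct {
	XMLName  xml.Name `xml:"GUP"`
	Version  string   `xml:"Version"`
	Location string   `xml:"Location"`
	SHA256   string   `xml:"SHA256"`
}

// Update is everything the client fetches: manifest plus its detached
// signature from the update server, installer plus its signature from GitHub.
type Update struct {
	ManifestXML, ManifestSig, Installer, InstallerSig []byte
}

var (
	ErrManifestSig  = errors.New("lock 1 failed: server response not signed by the publisher")
	ErrInstallerSig = errors.New("lock 2 failed: installer not signed by the publisher")
	ErrHashMismatch = errors.New("installer hash does not match the signed manifest")
)

// publish is the vendor side: sign the manifest with the update-server key and
// the installer with the code-signing key (ed25519 stands in for an XML
// signature and an Authenticode signature respectively).
func publish(manifestKey, codeKey ed25519.PrivateKey, version string, installer []byte) (Update, error) {
	sum := sha256.Sum256(installer)
	xmlBytes, err := xml.Marshal(Manifest{Version: version,
		Location: "https://example.invalid/npp." + version + ".Installer.exe", // assumed URL
		SHA256:   hex.EncodeToString(sum[:])})
	if err != nil {
		return Update{}, err
	}
	return Update{xmlBytes, ed25519.Sign(manifestKey, xmlBytes), installer, ed25519.Sign(codeKey, installer)}, nil
}

// verifyUpdate is the client side. Both public keys are pinned in the client,
// so control of the update server's hosting or DNS satisfies neither lock.
func verifyUpdate(manifestPub, codePub ed25519.PublicKey, u Update) (*Manifest, error) {
	if !ed25519.Verify(manifestPub, u.ManifestXML, u.ManifestSig) { // lock 1, checked before parsing
		return nil, ErrManifestSig
	}
	var m Manifest
	if err := xml.Unmarshal(u.ManifestXML, &m); err != nil {
		return nil, err
	}
	if !ed25519.Verify(codePub, u.Installer, u.InstallerSig) { // lock 2
		return nil, ErrInstallerSig
	}
	sum := sha256.Sum256(u.Installer) // binding: the signed manifest names the exact build
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrHashMismatch
	}
	return &m, nil
}

// scenarios runs one legitimate update and three tampering attempts (all
// constructed data) against the same pinned keys and returns each verdict.
func scenarios() map[string]error {
	manifestPub, manifestPriv, _ := ed25519.GenerateKey(rand.Reader)
	codePub, codePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // the client trusts no attacker key
	good, _ := publish(manifestPriv, codePriv, "8.9.2", []byte("constructed: legitimate installer"))
	evil, _ := publish(attackerPriv, attackerPriv, "8.9.2", []byte("constructed: backdoored installer"))
	old, _ := publish(manifestPriv, codePriv, "8.9.1", []byte("constructed: older, genuinely signed installer"))
	out := map[string]error{}
	_, out["legitimate"] = verifyUpdate(manifestPub, codePub, good)
	// Hijacked update server: attacker-authored manifest pointing at a backdoored build.
	_, out["hijacked server"] = verifyUpdate(manifestPub, codePub, evil)
	// Genuine manifest replayed, but the download is swapped for the backdoor.
	swapped := good
	swapped.Installer, swapped.InstallerSig = evil.Installer, evil.InstallerSig
	_, out["swapped installer"] = verifyUpdate(manifestPub, codePub, swapped)
	// Genuine manifest paired with a different genuinely signed build: both
	// signatures pass, so only the hash binding catches it.
	mixed := good
	mixed.Installer, mixed.InstallerSig = old.Installer, old.InstallerSig
	_, out["mismatched build"] = verifyUpdate(manifestPub, codePub, mixed)
	return out
}

func main() {
	for name, err := range scenarios() {
		fmt.Printf("%-18s -> %v\n", name, err)
	}
}
```

The order of the checks matters: the manifest signature is verified on the raw bytes before the XML is parsed, so an attacker-controlled server never gets to exercise the parser. Signatures alone do not prevent replay of an old, genuinely signed manifest and installer; a real updater also has to refuse versions older than the one already installed.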
Furthermore, a high-severity vulnerability (CVE-2026-25926, CVSS score: 7.3) has been addressed in the update. It is an Unsafe Search Path weakness (CWE-426): Notepad++ launched Windows Explorer by name, without an absolute executable path. When a process is started from a bare name such as explorer.exe, Windows searches the application's own directory and the current working directory before the system directories, so an attacker who can control the working directory of the Notepad++ process and place a file named explorer.exe there can have it run instead of the genuine binary. Under those conditions the result is arbitrary code execution in the context of the running application. The standard remediation for this class of bug is to launch the executable by its absolute path under the Windows directory rather than letting the loader search for it.
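The following added example models that search order and the fix pattern; it is written for this article and is not Notepad++'s code. It reproduces the CreateProcess lookup order on a throwaway directory tree instead of calling the Windows loader, so it runs on any platform; the directory names, the planted file and its contents are constructed, and nothing is executed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// searchOrder models the directories the Windows loader walks, in this order,
// when CreateProcess gets a bare name like "explorer.exe" (no application
// path, no directory in the command line): the directory the application
// loaded from, the parent process's current directory, the system
// directories, the Windows directory, then PATH. The current directory is
// consulted before the system directories, which is the root of CWE-426.
type searchOrder struct {
	AppDir, CurrentDir, SystemDir, WindowsDir string
	Path                                      []string
}

var errNotFound = errors.New("executable not found")

func isFile(p string) bool {
	st, err := os.Stat(p)
	return err == nil && !st.IsDir()
}

// resolveUnsafe reproduces the vulnerable pattern: a bare name is resolved by
// walking the search order, so a file planted in the working directory wins
// over the genuine system binary.
func resolveUnsafe(name string, o searchOrder) (string, error) {
	dirs := append([]string{o.AppDir, o.CurrentDir, o.SystemDir, o.WindowsDir}, o.Path...)
	for _, d := range dirs {
		if p := filepath.Join(d, name); d != "" && isFile(p) {
			return p, nil
		}
	}
	return "", errNotFound
}

// resolveSafe is the fix pattern: build an absolute path under the Windows
// directory (GetWindowsDirectory / %SystemRoot%) and never let the loader
// search the working directory or PATH.
func resolveSafe(name string, o searchOrder) (string, error) {
	if name == "" || filepath.Base(name) != name {
		return "", errors.New("refusing a name with path components")
	}
	if p := filepath.Join(o.WindowsDir, name); isFile(p) {
		return p, nil
	}
	return "", errNotFound
}

// Verdict records what each resolver would launch for the constructed layout.
type Verdict struct{ Planted, Genuine, Unsafe, Safe string }

// demo builds a throwaway directory tree (constructed data; nothing is
// executed), plants a fake explorer.exe in the attacker-writable working
// directory, and asks both resolvers which file they would run.
func demo() (Verdict, error) {
	root, err := os.MkdirTemp("", "cwe426")
	if err != nil {
		return Verdict{}, err
	}
	defer os.RemoveAll(root)
	o := searchOrder{
		AppDir:     filepath.Join(root, "Program Files", "Notepad++"),
		CurrentDir: filepath.Join(root, "Users", "victim", "Downloads"), // attacker-writable
		SystemDir:  filepath.Join(root, "Windows", "System32"),
		WindowsDir: filepath.Join(root, "Windows"), // where the real explorer.exe lives
	}
	for _, d := range []string{o.AppDir, o.CurrentDir, o.SystemDir, o.WindowsDir} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return Verdict{}, err
		}
	}
	v := Verdict{Genuine: filepath.Join(o.WindowsDir, "explorer.exe"), Planted: filepath.Join(o.CurrentDir, "explorer.exe")}
	for p, body := range map[string]string{v.Genuine: "genuine", v.Planted: "malicious"} {
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return Verdict{}, err
		}
	}
	if v.Unsafe, err = resolveUnsafe("explorer.exe", o); err != nil {
		return Verdict{}, err
	}
	if v.Safe, err = resolveSafe("explorer.exe", o); err != nil {
		return Verdict{}, err
	}
	return v, nil
}

func main() {
	v, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("bare name would launch:    ", v.Unsafe) // the planted file
	fmt.Println("absolute path would launch:", v.Safe)   // the genuine file
}
```

The same hazard exists in any language that hands a bare name to CreateProcess; Go's own os/exec, for instance, has since Go 1.19 refused to run a program that resolved only via the current directory (it returns exec.ErrDot) precisely because of this class of bug.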
The development comes weeks after Notepad++ disclosed that a breach at the hosting provider level had enabled threat actors to hijack update traffic starting in June 2025 and redirect requests from certain users to malicious servers. That issue was detected in early December 2025, meaning the hijack went unnoticed for roughly six months.
For users, the lesson is to keep software up to date and to treat the update channel itself as part of the attack surface: install Notepad++ 8.9.2 or later, obtain installers only from the official release location, and check that any installer you run carries a valid code signature. For vendors, the incident shows that transport security and trust in a hosting provider are no substitute for end-to-end verification: update manifests and installers should both be signed with keys that the distribution infrastructure never holds, the updater should load no unsigned libraries from directories an attacker can reach, and update traffic should be monitored for anomalies such as clients being steered to unexpected hosts. Supply chain attacks on update mechanisms will keep growing in sophistication, and the Notepad++ incident is a reminder that a single weak link between a vendor and its users is enough.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Dark-Side-of-Software-Updates-Notepads-Security-Fix-Reveals-the-Dangers-of-Supply-Chain-Attacks-ehn.shtml
https://thehackernews.com/2026/02/notepad-fixes-hijacked-update-mechanism.html
https://cybersafe.news/notepad-patches-update-hijack-used-for-targeted-malware/
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
https://cybersecuritynews.com/notepad-hack/
Published: Wed Feb 18 10:09:50 2026 by llama3.2 3B Q4_K_M