Notepad++ has released a security fix to plug gaps exploited by an advanced threat actor from China to hijack the software update mechanism and selectively deliver malware to targets of interest.
The version 8.9.2 update introduces a “double lock” design that should make the update process robust and effectively unexploitable, including verification of the signed installer downloaded from GitHub (implemented in version 8.8.9 and later) and a newly added verification of the signed XML returned by the update server at notepad-plus-plus[.]org.
In addition, security-focused changes have been introduced to WinGUp, the auto-updater component, such as removal of libcurl[.]dll to eliminate DLL side-loading risk and the removal of two unsecured CURL SSL options, with plugin management now restricted to programs signed with the same certificate as WinGUp.
The update also addresses a high-severity vulnerability (CVE-2026-25926, CVSS 7.3) that could result in arbitrary code execution, linked to an Unsafe Search Path vulnerability when launching Windows Explorer without an absolute executable path.
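To make the "Unsafe Search Path" class concrete: a program that launches `explorer.exe` by bare name lets Windows resolve that name through the application directory, the current directory and `PATH`, so a writable directory earlier in that order decides which binary runs; launching by a fixed absolute path under `%SystemRoot%` removes the lookup. The following is an added illustration written for this article, not Notepad++'s or WinGUp's code, and it makes no claim about how the project's actual patch is implemented. It uses `ntpath` so the path logic runs on any OS; the sample command lines are constructed here, and the `%SystemRoot%` fallback is an assumption.

```python
import ntpath
import os
import subprocess

EXPLORER_NAME = "explorer.exe"


def has_no_directory(command: str) -> bool:
    """True when the executable is a bare file name such as 'explorer.exe'.

    A bare name is resolved through the process search path, which is the
    unsafe pattern described in the advisory; a path with a directory
    component is opened at exactly that location.
    """
    return ntpath.dirname(command) == ""


def is_safe_system_root(system_root: str) -> bool:
    """Accept only an absolute path on a local drive letter, e.g. C:\\Windows.

    Rejects relative names ('Windows'), rooted paths without a drive
    ('\\Windows'), drive-relative paths ('C:Windows') and UNC paths, all of
    which would reintroduce a lookup or a remote location.
    """
    drive, _ = ntpath.splitdrive(system_root)
    return ntpath.isabs(system_root) and drive.endswith(":")


def resolve_explorer_path(system_root: str) -> str:
    """Build the absolute path to explorer.exe below the Windows directory."""
    if not is_safe_system_root(system_root):
        raise ValueError(f"SystemRoot must be an absolute local path: {system_root!r}")
    # normpath collapses duplicate separators and trailing backslashes
    return ntpath.normpath(ntpath.join(system_root, EXPLORER_NAME))


def build_launch_command(target: str, system_root: str) -> list:
    """argv for opening `target` in Explorer via a fixed executable path (hardened form)."""
    return [resolve_explorer_path(system_root), target]


def audit_commands(commands: list) -> list:
    """Return the command lines whose executable would be found by path search."""
    return [cmd for cmd in commands if has_no_directory(cmd.split(" ", 1)[0])]


# Constructed sample command lines, as a reviewer might see them in a code audit.
SAMPLE_COMMANDS = [
    r"explorer.exe C:\Users\alice\Documents",          # bare name: unsafe
    r"C:\Windows\explorer.exe C:\Users\alice\Documents",  # absolute: safe
    r"cmd.exe /c dir",                                   # bare name: unsafe
]

if __name__ == "__main__" and os.name == "nt":
    # Assumed fallback for demonstration only; real code should treat a
    # missing SystemRoot as an error rather than guess.
    root = os.environ.get("SystemRoot", r"C:\Windows")
    print("unsafe command lines:", audit_commands(SAMPLE_COMMANDS))
    subprocess.Popen(build_launch_command(os.environ["USERPROFILE"], root))
```

The `is_safe_system_root` check matters because the environment variable itself is attacker-influenced in some scenarios; hard-coding the directory component is not enough if that component can be made relative.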
Weeks earlier, Notepad++ disclosed that a breach at the hosting provider level enabled threat actors to hijack update traffic starting June 2025 and redirect certain users to malicious servers serving a poisoned update. Rapid7 and Kaspersky attributed the supply-chain incident to a China-nexus hacking group called Lotus Panda, which delivered a backdoor dubbed Chrysalis. Users are advised to update to version 8.9.2 and download installers only from the official domain.