The project's author went to extreme measures to save the reputation of the "people's notebook."

Notepad++ developers released security update 8.9.2 to patch vulnerabilities exploited by an advanced group with Chinese ties. The attackers hijacked the update mechanism and selectively delivered malicious files to targeted users.
Project maintainer Don Ho reported that the update introduces a "double-lock" scheme intended to make the update chain tamper-resistant. It consists of two checks: since version 8.8.9, Notepad++ already verifies the signature of the installer downloaded from GitHub, and in 8.9.2 a signature check was added for the XML returned by the update server on notepad-plus-plus.org.
Ho adds: "We've also strengthened the WinGUp auto-update component. We've removed libcurl.dll to reduce the risk of loading a substituted library, removed two insecure cURL SSL settings, and limited plugin management to programs signed with the same certificate as WinGUp."
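How a pinned two-signature check of this kind can be wired up, as an added example that is not Notepad++ or WinGUp code: the client verifies the update server's XML against a pinned key before parsing it, then verifies the downloaded installer against a second pinned key. The XML schema, the ed25519 keys (the real installer check is an Authenticode certificate check), the URLs and the extra digest binding of installer to manifest are assumptions made here for illustration; the digest binding goes beyond the two checks the page describes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor standing in for the XML the
// update server returns. The element names are assumptions, not the real schema.
type Manifest struct {
	XMLName  xml.Name `xml:"GUP"`
	Version  string   `xml:"Version"`
	Location string   `xml:"Location"` // where the client fetches the installer
	SHA256   string   `xml:"SHA256"`   // digest binding the installer to this manifest
}

var (
	ErrManifestSig  = errors.New("manifest signature invalid: update server response tampered")
	ErrInstallerSig = errors.New("installer signature invalid: download tampered")
	ErrDigest       = errors.New("installer digest does not match the signed manifest")
)

// NewKeyPair generates an ed25519 key pair. A real client embeds only the
// pinned public halves; it never generates keys at update time.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Digest returns the hex SHA-256 of data.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildSignedManifest serialises m and signs the exact bytes the server will
// send; the client must verify those same bytes before parsing them.
func BuildSignedManifest(priv ed25519.PrivateKey, m Manifest) (xmlBytes, sig []byte, err error) {
	xmlBytes, err = xml.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return xmlBytes, ed25519.Sign(priv, xmlBytes), nil
}

// VerifyUpdate is the "double lock": lock 1 checks the manifest the update
// server returned, lock 2 checks the installer that was downloaded. Both keys
// are pinned in the client, so neither a hijacked update server nor a hijacked
// download host can substitute content on its own.
func VerifyUpdate(manifestXML, manifestSig []byte, manifestPub ed25519.PublicKey,
	installer, installerSig []byte, installerPub ed25519.PublicKey) (*Manifest, error) {
	// Lock 1: verify the raw bytes first; never parse unauthenticated XML.
	if !ed25519.Verify(manifestPub, manifestXML, manifestSig) {
		return nil, ErrManifestSig
	}
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return nil, err
	}
	// Lock 2: the installer carries its own signature (Authenticode in the
	// real product; ed25519 here as a stand-in).
	if !ed25519.Verify(installerPub, installer, installerSig) {
		return nil, ErrInstallerSig
	}
	// Assumption beyond the page: the signed manifest names the digest, so a
	// validly signed but different installer (e.g. an older build) is rejected.
	if m.SHA256 != Digest(installer) {
		return nil, ErrDigest
	}
	return &m, nil
}

func main() {
	mPub, mPriv := NewKeyPair()
	iPub, iPriv := NewKeyPair()
	installer := []byte("MZ constructed installer bytes, not a real binary") // constructed sample
	iSig := ed25519.Sign(iPriv, installer)
	m := Manifest{Version: "8.9.2", Location: "https://example.invalid/npp.exe", SHA256: Digest(installer)}
	xmlBytes, mSig, _ := BuildSignedManifest(mPriv, m)

	_, err := VerifyUpdate(xmlBytes, mSig, mPub, installer, iSig, iPub)
	fmt.Println("genuine update:", err)

	// A hijacked update server rewrites Location to point at attacker infrastructure.
	redirected := bytes.Replace(xmlBytes, []byte("example.invalid"), []byte("attacker.invalid"), 1)
	_, err = VerifyUpdate(redirected, mSig, mPub, installer, iSig, iPub)
	fmt.Println("redirected manifest:", err)

	// A hijacked download host swaps the installer body.
	_, err = VerifyUpdate(xmlBytes, mSig, mPub, []byte("MZ poisoned"), iSig, iPub)
	fmt.Println("poisoned installer:", err)
}
```

The order matters: the manifest bytes are authenticated before the XML parser ever sees them, so a compromised server cannot exercise the parser with crafted input, and a redirect to a malicious Location fails at the first lock rather than being discovered only after a download.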
Version 8.9.2 also fixes a high-severity vulnerability, CVE-2026-25926, with a CVSS score of 7.3. It stems from an insecure search path: Notepad++ launched Windows Explorer by the bare name explorer.exe rather than by an absolute path. Because Windows consults the process's current directory before the Windows directory when resolving an unqualified executable name, an attacker who controls the working directory could, under certain conditions, cause a fake explorer.exe to be launched and arbitrary code to run in the context of the running application.
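The search-order problem and its fix, as an added example that is not Notepad++ code: the walk below mirrors the order the CreateProcess documentation gives for a bare image name (application directory, parent's current directory, system directory, Windows directory, PATH) on ordinary directories so it runs on any OS, and the directory layout, file names and placeholder file contents are constructed here for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// SearchEnv holds the directories CreateProcess consults, in documented order,
// when handed a bare image name such as "explorer.exe". Simulated with
// ordinary directories; on Windows these would come from the loader.
type SearchEnv struct {
	AppDir     string
	CurrentDir string
	SystemDir  string
	WindowsDir string
	Path       []string
}

var ErrNotFound = errors.New("executable not found in search order")

func isFile(p string) bool {
	fi, err := os.Stat(p)
	return err == nil && !fi.IsDir()
}

// ResolveUnqualified mirrors the vulnerable pattern: a bare name is resolved
// through the search order, and the current directory is consulted before
// the Windows directory, so a copy planted in an attacker-chosen cwd wins.
func ResolveUnqualified(name string, env SearchEnv) (string, error) {
	order := append([]string{env.AppDir, env.CurrentDir, env.SystemDir, env.WindowsDir}, env.Path...)
	for _, dir := range order {
		if dir == "" {
			continue
		}
		if c := filepath.Join(dir, name); isFile(c) {
			return c, nil
		}
	}
	return "", ErrNotFound
}

// HardenedExplorerPath is the fixed pattern: build the absolute path from the
// Windows directory (GetWindowsDirectoryW or SHGetKnownFolderPath on Windows)
// so the search order, and with it the cwd, never participates.
func HardenedExplorerPath(env SearchEnv) (string, error) {
	c := filepath.Join(env.WindowsDir, "explorer.exe")
	if !isFile(c) {
		return "", ErrNotFound
	}
	return c, nil
}

// BuildScenario lays out a constructed tree under root: a legitimate
// explorer.exe in the fake Windows directory and an attacker-planted one in
// the directory that becomes the process's cwd (think of a share the user
// opened a file from). File contents are placeholders, not real binaries.
func BuildScenario(root string) (SearchEnv, error) {
	env := SearchEnv{
		AppDir:     filepath.Join(root, "Program Files", "Notepad++"),
		CurrentDir: filepath.Join(root, "share", "untrusted"),
		SystemDir:  filepath.Join(root, "Windows", "System32"),
		WindowsDir: filepath.Join(root, "Windows"),
	}
	for _, d := range []string{env.AppDir, env.CurrentDir, env.SystemDir, env.WindowsDir} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return env, err
		}
	}
	if err := os.WriteFile(filepath.Join(env.WindowsDir, "explorer.exe"), []byte("MZ genuine placeholder"), 0o755); err != nil {
		return env, err
	}
	if err := os.WriteFile(filepath.Join(env.CurrentDir, "explorer.exe"), []byte("MZ planted placeholder"), 0o755); err != nil {
		return env, err
	}
	return env, nil
}

func main() {
	root, err := os.MkdirTemp("", "searchpath")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	env, err := BuildScenario(root)
	if err != nil {
		panic(err)
	}
	vuln, _ := ResolveUnqualified("explorer.exe", env)
	safe, _ := HardenedExplorerPath(env)
	fmt.Println("bare name resolves to:    ", vuln) // the planted copy in cwd
	fmt.Println("absolute path resolves to:", safe) // the genuine copy
}
```

The same rule applies to any system binary a desktop application spawns: pass CreateProcess a fully qualified lpApplicationName built from a known-good root, and treat the working directory as attacker-influenced whenever the application was started by opening a file.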
Notepad++ reported on the update spoofing issue several weeks ago. According to the project, a compromise on the hosting provider's side allowed attackers to intercept update traffic beginning in June 2025 and redirect individual user requests to malicious servers, which then delivered a "poisoned" update. The incident was discovered in early December 2025.
Rapid7 and Kaspersky Lab linked the spoofed updates to the delivery of the previously undescribed Chrysalis backdoor. This supply-chain incident is tracked as CVE-2025-15556 with a CVSS score of 7.7 and attributed to the Lotus Panda group.
Notepad++ users are advised to upgrade to version 8.9.2 and download installers only from the project's official domain.