Notepad++ releases security update after targeted supply chain attack

The team behind Notepad++ has rolled out version 8.9.2 to address security issues exploited by a China-linked threat actor who hijacked the software’s update mechanism to selectively distribute malware to specific targets.

Maintainer Don Ho said the latest release introduces a “double lock” design intended to make the update process “robust and effectively unexploitable.” The strengthened mechanism builds on earlier protections introduced in version 8.8.9, which added verification of the signed installer downloaded from GitHub. Version 8.9.2 goes a step further by verifying the signed XML file returned by the update server at notepad-plus-plus[.]org.

Security-focused improvements have also been made to WinGUp, the application’s auto-updater component. These include the removal of libcurl.dll to eliminate DLL side-loading risks, the removal of two unsecured cURL SSL options (CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE), and restricting plugin management execution to programs signed with the same certificate as WinGUp.

The release additionally patches a security vulnerability, tracked as CVE-2026-25926, which could allow arbitrary code execution. The flaw stems from an Unsafe Search Path vulnerability when launching Windows Explorer without specifying an absolute executable path. Under certain conditions, an attacker able to control the working directory could execute a malicious explorer.exe within the context of the running application.
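As an added illustration of the search-path issue described above (editor's example, not Notepad++ or WinGUp code): a simplified model of how a bare executable name such as `explorer.exe` is resolved when the working directory is searched before the system directories, beside the hardened form that builds an absolute path under the system root. All file names, directories and the planted look-alike binary are constructed for the demonstration.

```python
"""Unsafe search path vs. absolute path when launching a system program.
Added example; the file set and directories below are constructed."""
from pathlib import PureWindowsPath

# Constructed "file system": the genuine Explorer under the Windows directory
# and a look-alike planted in an attacker-controlled working directory.
CONSTRUCTED_FILES = {
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\notepad.exe",
    r"D:\untrusted\explorer.exe",
}


def would_search_path(command: str) -> bool:
    """True when the command is a bare file name, i.e. the loader must
    search directories for it instead of opening one known path."""
    return PureWindowsPath(command).name == command


def resolve_bare_name(name: str, cwd: str, system_root: str):
    """Simplified model of process-creation lookup for a bare name: the
    working directory is consulted before the system directories, so a
    file planted there shadows the real one. Returns the path found."""
    search_order = (cwd, rf"{system_root}\System32", system_root)
    for directory in search_order:
        candidate = str(PureWindowsPath(directory, name))
        if candidate in CONSTRUCTED_FILES:
            return candidate
    return None


def system_executable(name: str, system_root: str) -> str:
    """Hardened form (editor's suggestion): take only a bare file name,
    anchor it under the system root, and hand the loader an absolute
    path so no directory search takes place."""
    if not would_search_path(name):
        raise ValueError(f"expected a bare file name, got a path: {name!r}")
    return str(PureWindowsPath(system_root, name))


if __name__ == "__main__":
    root = r"C:\Windows"
    # Unsafe: launched from the untrusted directory, the planted copy wins.
    print(resolve_bare_name("explorer.exe", r"D:\untrusted", root))
    # Hardened: the working directory never enters the picture.
    print(system_executable("explorer.exe", root))
```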

The update comes after a supply chain incident attributed with moderate confidence to the Chinese advanced persistent threat (APT) group Lotus Blossom. On February 2, the Notepad++ maintainer revealed that state-sponsored attackers compromised the project’s update infrastructure, redirecting some users to malicious servers. Rapid7 said that the attackers abused the compromised infrastructure to deliver a previously undocumented backdoor called 'Chrysalis,' along with custom loaders such as ConsoleApplication2.exe that use Microsoft’s Warbird protection framework to hide malicious activity.
