Notepad++ Update Mechanism Exploited to Deliver Malicious Payloads
Summary
Notepad++ version 8.8.9 was released to address a security weakness in its WinGUp update tool that let attackers deliver malicious executables in place of legitimate updates. Users reported incidents in which the updater spawned a malicious AutoUpdater.exe that collected device information and exfiltrated it to a remote site. Version 8.8.8 had already restricted update downloads to GitHub to mitigate network hijacks; 8.8.9 added signature verification for all updates. Security researcher Kevin Beaumont reported targeted attacks against organizations with interests in East Asia in which Notepad++ processes were used to gain initial access. The root cause was not a flaw in the software's code but an infrastructure-level compromise of the shared hosting provider serving the update endpoint: attackers gained access at the provider level, intercepted traffic bound for notepad-plus-plus.org, and selectively redirected update requests from certain users to malicious servers. The compromise began in June 2025. Direct server access ended on September 2, 2025, following scheduled kernel and firmware updates, but the attackers regained access using previously obtained internal service credentials, which remained exposed until December 2, 2025, allowing the traffic redirection to continue. The hosting provider confirmed that no additional customers were affected. The attackers were assessed as likely Chinese state-sponsored; the activity was later attributed to the China-linked group Lotus Blossom, which deployed a custom backdoor called 'Chrysalis' as part of the attack chain. Notepad++ migrated its website and all clients to a new hosting provider with stronger security and announced mandatory certificate signature verification for version 8.9.2.
Version 8.9.2 introduced a 'double-lock' design for the update mechanism: the installer downloaded from GitHub must carry a valid signature, and the update XML served from the notepad-plus-plus.org domain must be signed as well. The auto-updater now removes libcurl.dll, eliminating a DLL side-loading risk; the unsecured cURL SSL options CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE were removed; and plugin management execution is restricted to programs signed with the same certificate as WinGUp. Users who do not want the updater can exclude it during UI installation or deploy the MSI package with the NOUPDATER=1 property. Version 8.9.2 also fixes a high-severity vulnerability (CVE-2026-25926, CVSS score: 7.3): an Unsafe Search Path weakness (CWE-426) when launching Windows Explorer without an absolute executable path, which could let an attacker who controls the process working directory get a malicious explorer.exe executed, resulting in arbitrary code execution in the context of the running application.
Timeline
17.02.2026 20:29 (2 articles)
Notepad++ version 8.9.2 introduces double-lock update mechanism
Notepad++ version 8.9.2 introduces a 'double-lock' design for its update mechanism: the installer downloaded from GitHub must carry a valid signature, and the update XML served from the notepad-plus-plus.org domain must be signed as well. The auto-updater now removes libcurl.dll to eliminate a DLL side-loading risk, drops the unsecured cURL SSL options, and restricts plugin management execution to programs signed with the same certificate as WinGUp. Users can exclude the auto-updater during UI installation or deploy the MSI package with the NOUPDATER=1 property. The update also addresses a high-severity vulnerability (CVE-2026-25926, CVSS score: 7.3) that could result in arbitrary code execution in the context of the running application.
Sources:
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
- Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware — thehackernews.com — 18.02.2026 09:40
11.12.2025 23:04 (5 articles)
Notepad++ Update Mechanism Exploited to Deliver Malicious Payloads
The compromise involved shared hosting infrastructure rather than a flaw in the software's code. Attackers gained access at the hosting provider level, enabling them to intercept and manipulate traffic bound for the Notepad++ update endpoint. The compromise began in June 2025; direct server access ended on September 2, 2025, but internal service credentials remained exposed until December 2, 2025. The hosting provider confirmed no additional customers were affected. The threat group Lotus Blossom, linked to China, was involved in the compromise, using a custom backdoor called 'Chrysalis' as part of the attack chain.
Sources:
- Notepad++ fixes flaw that let attackers push malicious update files — www.bleepingcomputer.com — 11.12.2025 23:04
- Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users — thehackernews.com — 02.02.2026 10:55
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
Information Snippets
Notepad++ version 8.8.9 was released to fix a security weakness in the WinGUp update tool.
First reported: 11.12.2025 23:04 (3 sources, 6 articles). Sources:
- Notepad++ fixes flaw that let attackers push malicious update files — www.bleepingcomputer.com — 11.12.2025 23:04
- Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users — thehackernews.com — 02.02.2026 10:55
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
- Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware — thehackernews.com — 18.02.2026 09:40
The malicious AutoUpdater.exe spawned by the updater collected device information and exfiltrated it to a remote site.
First reported: 11.12.2025 23:04 (3 sources, 4 articles). Sources:
- Notepad++ fixes flaw that let attackers push malicious update files — www.bleepingcomputer.com — 11.12.2025 23:04
- Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users — thehackernews.com — 02.02.2026 10:55
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
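The behaviour in this snippet is what a detection engineer would want to hunt for: the updater spawning an unexpected, unsigned binary, and that binary talking to a host that is neither GitHub nor the project's own domain. The block below is an added example, not code from Notepad++ or from any of the cited reports. Its events are constructed inline in a Sysmon-like shape; the updater binary name (GUP.exe in the Notepad++ updater folder), the "signed" field (assumed to be filled in by an Authenticode enrichment step) and the allow-listed hosts are this example's assumptions.

```python
"""Hunt logic for the updater-spawned payload described above (added example).

Events are constructed in a Sysmon-like shape: id 1 = process creation,
id 3 = network connection. Assumptions: the WinGUp binary is GUP.exe in the
Notepad++ updater folder; the "signed" field comes from an Authenticode
enrichment step; UPDATE_HOSTS is the expected update traffic baseline.
"""
import ntpath

# Hosts the updater is expected to talk to. GitHub release downloads may
# redirect to GitHub's asset CDN; extend the set from observed baseline traffic.
UPDATE_HOSTS = {"github.com", "notepad-plus-plus.org"}
UPDATER_BASENAME = "gup.exe"

EVENTS = [  # constructed sample telemetry
    {"id": 1, "pid": 4120, "ppid": 3900, "signed": True,
     "image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"id": 3, "pid": 4120, "dest_host": "github.com", "dest_port": 443},
    # the hijack: the updater launches an unsigned binary dropped in %TEMP%
    {"id": 1, "pid": 4188, "ppid": 4120, "signed": False,
     "image": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe"},
    # which then exfiltrates to an address outside the update baseline
    {"id": 3, "pid": 4188, "dest_host": "203.0.113.7", "dest_port": 443},
    # benign: the genuine, signed installer launched by the same updater
    {"id": 1, "pid": 5300, "ppid": 4120, "signed": True,
     "image": r"C:\Users\alice\AppData\Local\Temp\npp.8.8.8.Installer.x64.exe"},
]


def _is_updater(event):
    return event["id"] == 1 and ntpath.basename(event["image"]).lower() == UPDATER_BASENAME


def updater_lineage(events):
    """Return (updater pids, every pid that is an updater or descends from one)."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    updaters = {e["pid"] for e in events if _is_updater(e)}
    lineage = set(updaters)
    changed = True
    while changed:  # fixed-point walk, so any tree depth is covered
        changed = False
        for pid, ppid in parent_of.items():
            if ppid in lineage and pid not in lineage:
                lineage.add(pid)
                changed = True
    return updaters, lineage


def hunt(events):
    """Return (rule, pid, detail) tuples for the two behaviours worth alerting on."""
    updaters, lineage = updater_lineage(events)
    findings = []
    for e in events:
        if e["id"] == 1 and e["ppid"] in updaters and not e["signed"]:
            findings.append(("unsigned-updater-child", e["pid"], e["image"]))
        elif e["id"] == 3 and e["pid"] in lineage and e["dest_host"].lower() not in UPDATE_HOSTS:
            findings.append(("non-update-host", e["pid"], f"{e['dest_host']}:{e['dest_port']}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

The signed installer launched by the updater produces no finding, which is the point of keying the first rule on the signature rather than on the child's name: the attackers chose a plausible name, and a name-based rule would miss the next one. The host rule is applied to the whole updater lineage, so a payload that waits before calling out is still caught once it does.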
Version 8.8.8 enforced updates only from GitHub to mitigate potential network hijacks.
First reported: 11.12.2025 23:04 (3 sources, 4 articles). Sources:
- Notepad++ fixes flaw that let attackers push malicious update files — www.bleepingcomputer.com — 11.12.2025 23:04
- Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users — thehackernews.com — 02.02.2026 10:55
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
Version 8.8.9 introduced signature verification for all updates to prevent malicious payloads.
First reported: 11.12.2025 23:04 (3 sources, 6 articles). Sources:
- Notepad++ fixes flaw that let attackers push malicious update files — www.bleepingcomputer.com — 11.12.2025 23:04
- Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users — thehackernews.com — 02.02.2026 10:55
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
- Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware — thehackernews.com — 18.02.2026 09:40
Security researcher Kevin Beaumont reported incidents where Notepad++ processes were used for initial access in targeted attacks.
First reported: 11.12.2025 23:04 (3 sources, 5 articles). Sources:
- Notepad++ fixes flaw that let attackers push malicious update files — www.bleepingcomputer.com — 11.12.2025 23:04
- Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users — thehackernews.com — 02.02.2026 10:55
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
The update mechanism could be hijacked by intercepting the update response and modifying the download URL.
First reported: 11.12.2025 23:04 (3 sources, 3 articles). Sources:
- Notepad++ fixes flaw that let attackers push malicious update files — www.bleepingcomputer.com — 11.12.2025 23:04
- Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users — thehackernews.com — 02.02.2026 10:55
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
The attack involved an infrastructure-level compromise at the hosting provider level.
First reported: 02.02.2026 10:55 (3 sources, 4 articles). Sources:
- Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users — thehackernews.com — 02.02.2026 10:55
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
The compromise allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org.
First reported: 02.02.2026 10:55 (3 sources, 4 articles). Sources:
- Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users — thehackernews.com — 02.02.2026 10:55
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
The incident commenced in June 2025 and continued until December 2025.
First reported: 02.02.2026 10:55 (3 sources, 4 articles). Sources:
- Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users — thehackernews.com — 02.02.2026 10:55
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
The Notepad++ website was migrated to a new hosting provider in response to the security incident.
First reported: 02.02.2026 10:55 (3 sources, 4 articles). Sources:
- Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users — thehackernews.com — 02.02.2026 10:55
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
The attackers were likely Chinese state-sponsored threat actors.
First reported: 02.02.2026 16:53 (2 sources, 3 articles). Sources:
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
The attack started in June 2025 and continued until December 2025, with a temporary loss of attacker access in early September 2025.
First reported: 02.02.2026 16:53 (2 sources, 2 articles). Sources:
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
The attackers selectively redirected update requests from certain users to malicious servers.
First reported: 02.02.2026 16:53 (2 sources, 3 articles). Sources:
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
The hosting provider for the update feature was compromised, allowing the attackers to perform targeted traffic redirections.
First reported: 02.02.2026 16:53 (2 sources, 3 articles). Sources:
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
The attackers regained access using previously obtained internal service credentials.
First reported: 02.02.2026 16:53 (2 sources, 3 articles). Sources:
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
Notepad++ has migrated all clients to a new hosting provider with stronger security.
First reported: 02.02.2026 16:53 (2 sources, 3 articles). Sources:
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
Notepad++ announced that version 8.9.2 would enforce mandatory certificate signature verification for updates.
First reported: 02.02.2026 16:53 (3 sources, 4 articles). Sources:
- Notepad++ update feature hijacked by Chinese state hackers for months — www.bleepingcomputer.com — 02.02.2026 16:53
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
- Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware — thehackernews.com — 18.02.2026 09:40
The compromise involved shared hosting infrastructure rather than a flaw in the software's code.
First reported: 02.02.2026 17:15 (2 sources, 2 articles). Sources:
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
Attackers gained access at the hosting provider level, enabling them to intercept and manipulate traffic bound for the Notepad++ update endpoint.
First reported: 02.02.2026 17:15 (2 sources, 2 articles). Sources:
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
The compromise began in June 2025, and direct server access by the attackers ended on September 2, 2025, following scheduled kernel and firmware updates.
First reported: 02.02.2026 17:15 (2 sources, 2 articles). Sources:
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
Credentials associated with internal services remained exposed until December 2, 2025, allowing continued traffic redirection after server access was lost.
First reported: 02.02.2026 17:15 (2 sources, 2 articles). Sources:
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
The hosting provider stated that no similar malicious patterns were found on other servers and that no additional customers were affected.
First reported: 02.02.2026 17:15 (2 sources, 2 articles). Sources:
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise — www.infosecurity-magazine.com — 02.02.2026 17:15
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
Notepad++ version 8.9.2 introduced a 'double-lock' design for its update mechanism.
First reported: 17.02.2026 20:29 (2 sources, 2 articles). Sources:
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
- Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware — thehackernews.com — 18.02.2026 09:40
The double-lock system verifies the signature of the installer downloaded from GitHub and separately verifies the signature of the update XML served from the notepad-plus-plus.org domain, so a compromise of either source alone is not enough to push a payload.
First reported: 17.02.2026 20:29 (2 sources, 2 articles). Sources:
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
- Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware — thehackernews.com — 18.02.2026 09:40
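The double-lock design, together with the earlier 8.8.8 rule that installers may only come from GitHub, is easiest to see as code that refuses the three hijack shapes this incident involved: a rewritten update XML, a swapped installer download, and an authenticated XML that still points somewhere other than GitHub. The block below is an added example and is not WinGUp's code. Two stand-ins keep it runnable offline with the standard library and are labelled in the code: an HMAC-SHA256 under a constructed key replaces the signature check on the XML (a real updater verifies an asymmetric signature against a pinned public key, never a shared key), and a SHA-256 digest carried in the XML replaces the Authenticode check on the installer. The element names follow the shape of WinGUp's update response but are this example's own.

```python
"""Two-lock update verification (added example, not WinGUp's code).

Lock 1: the update XML must authenticate before any field in it is trusted.
Lock 2: the installer it names must come from an allow-listed host over HTTPS,
and the downloaded bytes must verify before they are executed.

Stand-ins (assumptions): HMAC-SHA256 under a constructed key replaces the
signature check on the XML from notepad-plus-plus.org; a SHA-256 digest in
the XML replaces the Authenticode check on the installer from GitHub.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"github.com"}  # the 8.8.8 rule: installers only from GitHub


class UpdateRejected(Exception):
    pass


def verify_xml(xml_bytes, mac_hex, key):
    """Lock 1: authenticate the XML bytes before parsing anything out of them."""
    expected = hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac_hex):
        raise UpdateRejected("lock 1: update XML failed authentication")
    return ET.fromstring(xml_bytes)


def verify_location(url):
    """Lock 2a: HTTPS and an allow-listed host, regardless of what the XML says."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise UpdateRejected(f"lock 2: refusing download location {url!r}")
    return url


def verify_installer(blob, expected_sha256):
    """Lock 2b: the bytes received must match what the authenticated XML committed to."""
    digest = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        raise UpdateRejected("lock 2: installer digest mismatch")
    return digest


def check_update(xml_bytes, mac_hex, key, fetch):
    """Run both locks; return the version to install, or None when no update is due.
    fetch(url) stands in for the HTTPS download."""
    root = verify_xml(xml_bytes, mac_hex, key)
    if root.findtext("NeedToBeUpdated") != "yes":
        return None
    url = verify_location(root.findtext("Location"))
    verify_installer(fetch(url), root.findtext("Sha256"))
    return root.findtext("Version")


# constructed fixtures: key, installer bytes and a well-formed update response
KEY = b"constructed-example-key-not-a-real-secret"
INSTALLER = b"MZ\x90\x00 constructed installer bytes"
GOOD_URL = ("https://github.com/notepad-plus-plus/notepad-plus-plus/"
            "releases/download/v8.8.8/npp.8.8.8.Installer.x64.exe")
GOOD_XML = f"""<?xml version="1.0"?>
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.8.8</Version>
  <Location>{GOOD_URL}</Location>
  <Sha256>{hashlib.sha256(INSTALLER).hexdigest()}</Sha256>
</GUP>""".encode()
GOOD_MAC = hmac.new(KEY, GOOD_XML, hashlib.sha256).hexdigest()


def demo():
    """Legitimate update passes; each hijack shape trips a different check."""
    results = {"legit": check_update(GOOD_XML, GOOD_MAC, KEY, lambda url: INSTALLER)}
    # authenticated XML that names a non-GitHub host: the host rule still applies
    off_host = GOOD_XML.replace(GOOD_URL.encode(), b"https://notepad-plus-plus.org/dl/npp.exe")
    cases = {
        # traffic redirected at the host: XML rewritten to point at attacker infrastructure
        "rewritten-xml": (GOOD_XML.replace(b"https://github.com/", b"https://203.0.113.7/"),
                          GOOD_MAC, lambda url: INSTALLER),
        # XML genuine, but the installer download is swapped in transit
        "swapped-installer": (GOOD_XML, GOOD_MAC, lambda url: b"MZ constructed payload"),
        "off-host": (off_host, hmac.new(KEY, off_host, hashlib.sha256).hexdigest(),
                     lambda url: INSTALLER),
    }
    for name, (xml, mac, fetch) in cases.items():
        try:
            check_update(xml, mac, KEY, fetch)
            results[name] = "accepted"
        except UpdateRejected as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

Note the ordering: the XML is authenticated before it is parsed, and the download location is checked before any bytes are fetched, so an attacker who controls the update endpoint never gets to steer the client to a host of their choosing even if they could forge the XML.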
The auto-updater now removes libcurl.dll to eliminate DLL side-loading risk.
First reported: 17.02.2026 20:29 (2 sources, 2 articles). Sources:
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
- Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware — thehackernews.com — 18.02.2026 09:40
The unsecured cURL SSL options CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE have been removed.
First reported: 17.02.2026 20:29 (2 sources, 2 articles). Sources:
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
- Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware — thehackernews.com — 18.02.2026 09:40
Plugin management execution is restricted to programs signed with the same certificate as WinGUp.
First reported: 17.02.2026 20:29 (2 sources, 2 articles). Sources:
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
- Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware — thehackernews.com — 18.02.2026 09:40
Users can exclude the auto-updater during UI installation or deploy the MSI package with the NOUPDATER=1 property.
First reported: 17.02.2026 20:29 (2 sources, 2 articles). Sources:
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
- Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware — thehackernews.com — 18.02.2026 09:40
The threat group Lotus Blossom, linked to China, was involved in the compromise.
First reported: 17.02.2026 20:29 (2 sources, 2 articles). Sources:
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
- Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware — thehackernews.com — 18.02.2026 09:40
A custom backdoor called 'Chrysalis' was used as part of the attack chain.
First reported: 17.02.2026 20:29 (2 sources, 2 articles). Sources:
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
- Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware — thehackernews.com — 18.02.2026 09:40
Notepad++ version 8.9.2 addresses a high-severity vulnerability (CVE-2026-25926, CVSS score: 7.3) that could result in arbitrary code execution in the context of the running application.
First reported: 18.02.2026 09:40 (1 source, 1 article). Sources:
- Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware — thehackernews.com — 18.02.2026 09:40
The vulnerability is an Unsafe Search Path weakness (CWE-426): Windows Explorer was launched without an absolute executable path, so an attacker who can control the process working directory could get a malicious explorer.exe placed there executed instead of the real one.
First reported: 18.02.2026 09:40 (1 source, 1 article). Sources:
- Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware — thehackernews.com — 18.02.2026 09:40
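The CWE-426 pattern above is worth seeing side by side with its fix. The block below is an added example; it is not Notepad++ code and does not reproduce the call that was patched. It plants a fake explorer.exe in a working directory, resolves the bare name the vulnerable way (search path with the working directory first, which is how Windows treats a bare name unless the process opts out) and the hardened way (an absolute path anchored at a trusted root, no search at all). Assumptions: the search order is modelled with shutil.which, the directory layout is constructed in a temporary directory, and on POSIX the planted file is given the execute bit so the search finds it.

```python
"""CWE-426 (unsafe search path) as described for CVE-2026-25926: added example,
not Notepad++ code. Shows a bare-name launch resolving to a planted binary in
the working directory versus an absolute-path launch that cannot be diverted.

Assumptions: search order modelled as "working directory, then system
directory" via shutil.which; temporary directory layout is constructed here.
"""
import os
import shutil
import tempfile


def unsafe_resolve(name, cwd, system_dirs):
    """Vulnerable pattern: bare name resolved by search, working directory first."""
    return shutil.which(name, path=os.pathsep.join([cwd, *system_dirs]))


def safe_resolve(name, system_root):
    """Hardened pattern: absolute path anchored at the trusted root; fail closed."""
    candidate = os.path.join(system_root, name)
    if not os.path.isabs(candidate):
        raise ValueError(f"system root must be absolute: {system_root!r}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)  # never fall back to a search
    return candidate


def _plant(directory, name):
    """Write a stand-in binary and make it executable so a path search accepts it."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(b"MZ constructed stand-in binary")
    os.chmod(path, 0o755)
    return path


def demo():
    """Plant a fake explorer.exe in the working directory and compare resolutions."""
    with tempfile.TemporaryDirectory() as root:
        system_root = os.path.join(root, "Windows")
        working_dir = os.path.join(root, "attacker-controlled")
        os.makedirs(system_root)
        os.makedirs(working_dir)
        genuine = _plant(system_root, "explorer.exe")
        planted = _plant(working_dir, "explorer.exe")
        return {
            "unsafe_picks_planted": unsafe_resolve("explorer.exe", working_dir, [system_root]) == planted,
            "safe_picks_genuine": safe_resolve("explorer.exe", system_root) == genuine,
        }


if __name__ == "__main__":
    print(demo())
```

The hardened resolver refuses a relative root and raises rather than searching when the file is missing; on Windows the trusted root would come from the SystemRoot environment variable or the system directory API, not from anything the current directory or PATH can influence.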
Similar Happenings
Critical RCE vulnerability in WPvivid Backup & Migration plugin
A critical remote code execution (RCE) vulnerability (CVE-2026-1357) in the WPvivid Backup & Migration plugin for WordPress, installed on over 900,000 websites, allows unauthenticated attackers to upload arbitrary files. The flaw, rated 9.8 in severity, affects versions up to 0.9.123 and can lead to complete website takeover. The vulnerability stems from improper error handling in RSA decryption and lack of path sanitization, enabling directory traversal and malicious PHP file uploads. The issue is mitigated by a 24-hour exploitation window and the need for the 'receive backup from another site' option to be enabled. A patch (version 0.9.124) was released on January 28, 2026, addressing the flaw by improving error handling, filename sanitization, and restricting uploads to specific file types.
Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA
BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. CISA has added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog and ordered U.S. government agencies to secure their systems against the flaw by February 16, 2026. CISA also added four other vulnerabilities to its KEV catalog, including CVE-2026-2441, CVE-2024-7694, CVE-2020-7796, and CVE-2008-0015. CVE-2026-2441 is a use-after-free vulnerability in Google Chrome with a CVSS score of 8.8. 
CVE-2024-7694 is an arbitrary file upload vulnerability in TeamT5 ThreatSonar Anti-Ransomware versions 3.4.5 and earlier with a CVSS score of 7.2. CVE-2020-7796 is a server-side request forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite (ZCS) with a CVSS score of 9.8. CVE-2008-0015 is a stack-based buffer overflow vulnerability in Microsoft Windows Video ActiveX Control with a CVSS score of 8.8. Google acknowledged that an exploit for CVE-2026-2441 exists in the wild. A report published by threat intelligence firm GreyNoise in March 2025 revealed that a cluster of about 400 IP addresses was actively exploiting multiple SSRF vulnerabilities, including CVE-2020-7796, to target susceptible instances in the U.S., Germany, Singapore, India, Lithuania, and Japan. The exploit for CVE-2008-0015 may connect to a remote server and download other malware, including the Dogkild worm. Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by March 10, 2026, for optimal protection.
Lotus Blossom Hacking Group Exploits Notepad++ Hosting Breach to Deploy Chrysalis Backdoor
The China-linked Lotus Blossom hacking group exploited a hosting provider breach to deliver a previously undocumented backdoor, Chrysalis, to Notepad++ users. The attack, which occurred between June and December 2025, involved hijacking update traffic and exploiting insufficient update verification controls in older versions of the software. The group used a multi-layered shellcode loader and integrated undocumented system calls to enhance stealth and resilience. The breach was discovered and mitigated in December 2025, with Notepad++ migrating to a new hosting provider and rotating all credentials. The Chrysalis backdoor is a feature-rich implant capable of gathering system information, executing commands, and maintaining persistence. It communicates with a command-and-control (C2) server to receive additional instructions. The C2 server is currently offline, but the malware's capabilities suggest ongoing development and adaptation by the threat actor.
Active Exploitation of Unpatched Cisco AsyncOS Zero-Day in SEG and SEWM Appliances
Cisco has identified an unpatched, critical zero-day vulnerability (CVE-2025-20393) in AsyncOS, affecting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw is actively exploited by a Chinese threat group, UAT-9686, to deploy backdoors and other malware. The attacks have been ongoing since at least late November 2025. Cisco has released security updates for the vulnerability and recommends securing and restricting access to vulnerable appliances. The vulnerability allows threat actors to execute arbitrary commands with root privileges and deploy tools like AquaShell, AquaTunnel, Chisel, and AquaPurge. CISA has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring FCEB agencies to apply mitigations by December 24, 2025. Additionally, GreyNoise detected a coordinated campaign targeting enterprise VPN infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals.
Sneeit WordPress RCE Exploited in Active Attacks
A critical remote code execution (RCE) vulnerability (CVE-2025-6389) in the Sneeit Framework plugin for WordPress is being actively exploited in the wild. The flaw, affecting versions up to 8.3, allows unauthenticated attackers to execute arbitrary PHP functions, including creating malicious administrator accounts and injecting backdoors. Exploitation began on November 24, 2025, with over 131,000 attack attempts blocked by Wordfence. Additionally, a critical flaw in ICTBroadcast (CVE-2025-2611) is being exploited to deliver the Frost DDoS botnet. The botnet uses multiple exploits to spread and conduct targeted DDoS attacks, with evidence pointing to a small, targeted operation.