
Notepad++ hit by network compromise

Incident
Happening score (H score): 41
2 unique sources, 3 articles

Summary


The Notepad++ hosting breach enabled attackers to hijack the software update path and selectively redirect some users to malicious servers, creating a supply-chain risk for targeted malware delivery. The compromise began in June 2025 and was later detected in December 2025; the project has since released version 8.9.2 to harden update verification and reduce abuse of the trusted update channel. The release also fixes CVE-2026-25926.

Related Happenings

Windows BitLocker YellowKey security feature bypass (CVE-2026-45585)

Vulnerability
First: 20.05.2026 11:28 Last: 20.05.2026 11:28 Sources 1

About this happening: **CVE-2026-45585** is a **BitLocker security feature bypass** affecting **Windows 11 26H1/24H2/25H2** and **Windows Server 2025**, and Microsoft has already issued **mitigations**...

Pwn2Own Berlin 2026 multi-product zero-days privilege-escalation flaw

Vulnerability
First: 14.05.2026 21:53 Last: 14.05.2026 21:53 Sources 1

About this happening: **Pwn2Own Berlin 2026** opened with **24 unique zero-days** demonstrated against **fully patched products**, creating immediate exposure across browser, OS, virtualization, enterp...

cPanel and WHM emergency update for critical auth-bypass

Security Patch Release
First: 29.04.2026 18:51 Last: 29.04.2026 18:51 Sources 1

About this happening: **WebPros International** released an **emergency update** for **cPanel** and **WHM** after a critical **authentication-bypass** flaw could expose supported installations to **una...

cPanel security patch release for CVE-2026-41940

Security Patch Release
First: 29.04.2026 12:37 Last: 29.04.2026 12:37 Sources 1

About this happening: **cPanel** released **security updates** for **cPanel and WHM** after an **authentication bypass** flaw could let remote attackers reach control-panel access, with fixes now cover...

Latest development: 04.05.2026 22:14

CVE-2026-41940 in cPanel, WebHost Manager (WHM), and WP Squared was rapidly exploited after public disclosure, with Censys reporting attacks from multiple threat actors within 24 hours and about 15,000 potentially compromised instances in the first day. KnownHost said about 30 managed cPanel servers showed attempted exploitation, WatchTowr Labs published a PoC exploit and technical analysis, and Defused said much of the observed activity copied WatchTowr's PoC exactly.

Windows Shell spoofing flaw actively exploited (CVE-2026-32202)

Vulnerability
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: **Microsoft** updated **Windows Shell** advisory guidance to confirm **CVE-2026-32202** was **actively exploited in the wild**, raising the risk of sensitive-information disclosur...

Timeline

  1. 18.02.2026 09:40 1 article · 3mo ago

    Notepad++ releases version 8.9.2 to harden updater

    Mitigation Patch Update

    Notepad++ released version 8.9.2 to harden the update mechanism after the hijacked update path was used to deliver targeted malware. The release adds a "double lock" design: verification of the signed installer downloaded from GitHub, and verification of the signed XML returned by the update server at notepad-plus-plus[.]org. It also hardens WinGUp by removing libcurl.dll, removing the CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE SSL options, and restricting plugin management execution to programs signed with the same certificate as WinGUp.

  2. 03.02.2026 06:55 1 article · 3mo ago

    Notepad++ hosting access terminated on December 2, 2025

    Victim Impact Update

    The attacker's access to the compromised infrastructure hosting Notepad++ was terminated on December 2, 2025, ending the targeted redirections that sent some update requests to malicious servers and exposed users to tampered update delivery.

  3. 03.02.2026 06:55 3 articles · 3mo ago

    Rapid7 attributes Notepad++ hosting compromise to Lotus Blossom

    Technical Analysis Update

    Rapid7 attributed the compromise of the infrastructure hosting Notepad++ with medium confidence to Lotus Blossom, saying the tampered update path began in June 2025, was stopped on December 2, 2025, and delivered the Chrysalis backdoor to users of the open-source editor, while finding no evidence that the updater-related mechanism itself distributed malware.
