Find notable cyber news and cases, enriched with sources, timelines, and signals.

Notepad++ hit by network compromise

Incident
First reported
Last updated
Happening score
H score 17
2 unique sources, 3 articles

Summary

Hide ▲

The Notepad++ hosting breach enabled attackers to hijack the software update path and selectively redirect some users to malicious servers, creating a supply-chain risk for targeted malware delivery. The compromise began in June 2025 and was later detected in December 2025; the project has since released version 8.9.2 to harden update verification and reduce abuse of the trusted update channel. The release also fixes CVE-2026-25926.

Related Happenings

Windows BitLocker YellowKey security feature bypass (CVE-2026-45585)

Vulnerability
H score9 First: 20.05.2026 11:28 Last: 20.05.2026 11:28 Sources 1

About this happening: CVE-2026-45585 (YellowKey) is a BitLocker security feature bypass affecting Windows 11 24H2/25H2/26H1 and Windows Server 2025, including Server Core. Microsoft disclosed the issue...

Latest development: 11.06.2026 20:43

Security researcher Chaotic Eclipse released GreatXML, a Windows BitLocker bypass that copies unattend.xml and Recovery/WindowsRE/ReAgent.xml onto the recovery partition and then boots into Windows Recovery Environment (WinRE) to spawn a shell with unrestricted access to the BitLocker volume. The researcher said the flaw could automatically affect systems that ever used Windows Defender Offline Scan, and the release followed YellowKey (CVE-2026-45585), which Microsoft patched in Patch Tuesday updates.

Pwn2Own Berlin 2026 multi-product zero-days privilege-escalation flaw

Vulnerability
H score40 First: 14.05.2026 21:53 Last: 14.05.2026 21:53 Sources 1

About this happening: **Pwn2Own Berlin 2026** opened with **24 unique zero-days** demonstrated against **fully patched products**, creating immediate exposure across browser, OS, virtualization, enterp...

CPanel and WHM emergency update for critical auth-bypass

Security Patch Release
H score89 First: 29.04.2026 18:51 Last: 29.04.2026 18:51 Sources 1

About this happening: **WebPros International** released an **emergency update** for **cPanel** and **WHM** after a critical **authentication-bypass** flaw could expose supported installations to **una...

CPanel security patch release for CVE-2026-41940

Security Patch Release
H score89 First: 29.04.2026 12:37 Last: 29.04.2026 12:37 Sources 1

About this happening: **cPanel** released **security updates** for **cPanel and WHM** after an **authentication bypass** flaw could let remote attackers reach control-panel access, with fixes now cover...

Latest development: 04.05.2026 22:14

CVE-2026-41940 in cPanel, WebHost Manager (WHM), and WP Squared was rapidly exploited after public disclosure, with Censys reporting attacks from multiple threat actors within 24 hours and about 15,000 potentially compromised instances in the first day. KnownHost said about 30 managed cPanel servers showed attempted exploitation, WatchTowr Labs published a PoC exploit and technical analysis, and Defused said much of the observed activity copied WatchTowr's PoC exactly.

Windows Shell spoofing flaw actively exploited (CVE-2026-32202)

Vulnerability
H score47 First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: **Microsoft** updated **Windows Shell** advisory guidance to confirm **CVE-2026-32202** was **actively exploited in the wild**, raising the risk of sensitive-information disclosur...

Timeline

  1. 18.02.2026 09:40 1 articles · 4mo ago

    Notepad++ releases version 8.9.2 to harden updater

    Mitigation Patch Update

    Notepad++ released version 8.9.2 to harden the update mechanism after the hijacked update path was used to deliver targeted malware. The release adds a "double lock" design with verification of the signed installer downloaded from GitHub and verification of the signed XML returned by the update server at notepad-plus-plus[.]org, and it also introduces WinGUp hardening including removal of libcurl.dll, removal of CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE, and restriction of plugin management execution to programs signed with the same certificate as WinGUp.

    Show sources
  2. 03.02.2026 06:55 1 articles · 5mo ago

    Notepad++ hosting access terminated on December 2, 2025

    Victim Impact Update

    The compromised infrastructure hosting Notepad++ had the attacker’s access terminated on December 2, 2025, ending the targeted redirections that sent some update requests to malicious servers and exposed users to tampered update delivery.

    Show sources
  3. 03.02.2026 06:55 3 articles · 5mo ago

    Rapid7 attributes Notepad++ hosting compromise to Lotus Blossom

    Technical Analysis Update

    Rapid7 attributed the compromise of the infrastructure hosting Notepad++ with medium confidence to Lotus Blossom, saying the tampered update path began in June 2025, was stopped on December 2, 2025, and delivered the Chrysalis backdoor to users of the open-source editor, while finding no evidence that the updater-related mechanism itself distributed malware.

    Show sources