Notepad++ A.I CyberSecurity Scoring
Notepad++
Company Information
Website: https://notepad-plus-plus.org/
Employees number: 8
Number of followers: 1,768
NAICS: 5112
Industry Type: Software Development
Homepage: notepad-plus-plus.org
Notepad++ Risk Score (AI oriented)
Between 700 and 749
Updated: 28/05/2026
700/1000, Moderate, Ba
Current Score: 700 Ba (MODERATE), on a 0 to 1000 scale
6 incidents
-8.4 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
701
MAY 2026
705
Vulnerability
26 May 2026 • Notepad++
Notepad++: Critical Notepad++ Vulnerability Enables Arbitrary Code Execution
Notepad++ Patches Critical Arbitrary Code Execution Vulnerabilities in Emergency Update
700
LOW-5
NOT1779963952
On May 26, 2026, the Notepad++ development team released an emergency patch (v8.9.6.1) to address three security vulnerabilities, two of which could allow arbitrary code execution on affected systems. Users running version 8.9.6 or earlier are impacted and advised to update immediately.
The vulnerabilities, tracked as CVE-2026-48770 (medium severity), CVE-2026-48778 (critical), and CVE-2026-48800 (critical), stem from improper handling of configuration files. The most severe flaw, CVE-2026-48778, involves the unvalidated processing of the `<GUIConfig name="commandLineInterpreter">` tag in config.xml. When a user triggers the File → Open Containing Folder → cmd action, Notepad++ executes the specified interpreter without validation, so an attacker who controls the file can have an arbitrary executable run in place of cmd.exe; the proof-of-concept exploit substitutes calc.exe.
Exploitation requires no elevated privileges and can occur through multiple attack vectors, including:
- Direct modification of %APPDATA%\Notepad++\config.xml
- Malicious shortcuts (.lnk) redirecting Notepad++ to attacker-controlled settings
- Cloud sync poisoning via tampered configuration files
- Social engineering tactics, such as tricking users into extracting malicious archives
A similar flaw (CVE-2026-48800) affects shortcuts.xml, following an analogous exploitation path. The patch in v8.9.6.1 mitigates these risks by implementing allowlists for permitted interpreters, validating executable paths, and introducing user confirmation dialogs before execution. Developers have been urged to adopt these security measures in future updates.
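An audit check for the config.xml setting described above, as an added example (not code from Notepad++ or from this page): it reads the `commandLineInterpreter` value and flags anything outside an interpreter allowlist or a trusted directory. The allowlist, the trusted directories, the function names and the sample XML are assumptions constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET
from typing import List, Optional

# Assumption: interpreters local policy permits; adjust as needed.
ALLOWED_NAMES = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe"}
# Assumption: directories an absolute interpreter path may point into.
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\program files\powershell\7",
}

def interpreter_values(config_xml: str) -> List[str]:
    """Collect the text of every <GUIConfig name="commandLineInterpreter">."""
    root = ET.fromstring(config_xml)
    return [(el.text or "").strip() for el in root.iter("GUIConfig")
            if el.get("name") == "commandLineInterpreter"]

def check_interpreter(value: str) -> Optional[str]:
    """Return a finding, or None when the value is acceptable."""
    v = value.strip().strip('"')
    if not v:
        return None  # tag empty: nothing configured in this file
    # ntpath applies Windows path rules on any OS; '/' counts as a separator,
    # so "cmd.exe /c x" does not pass as "cmd.exe".
    base = ntpath.basename(v).lower()
    if base not in ALLOWED_NAMES:
        return f"interpreter not on allowlist: {value!r}"
    directory = ntpath.dirname(v).lower()
    # Bare names are accepted here and resolve via the search path; relative,
    # UNC and unexpanded-%VAR% locations all fall outside TRUSTED_DIRS.
    if directory and ntpath.normpath(directory) not in TRUSTED_DIRS:
        return f"interpreter outside trusted directories: {value!r}"
    return None

def audit_config(config_xml: str) -> List[str]:
    findings = (check_interpreter(v) for v in interpreter_values(config_xml))
    return [f for f in findings if f]

# Constructed samples, not taken from a real installation.
SAMPLE_CLEAN = r"""<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">powershell</GUIConfig>
</GUIConfigs></NotepadPlus>"""
SAMPLE_TAMPERED = r"""<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">C:\Users\Public\calc.exe</GUIConfig>
</GUIConfigs></NotepadPlus>"""

if __name__ == "__main__":
    for name, xml in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        print(name, audit_config(xml) or "ok")
```

Run it across roaming profiles and any cloud-synced copies of the file, since those are the delivery paths listed above.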
APRIL 2026
709
Vulnerability
27 Apr 2026 • Notepad++
Notepad++: Cyber Security News ®’s Post
Notepad++ Vulnerability (CVE-2026-3008) Exposes Systems to DoS and Memory Leaks
704
LOW-5
NOT1777307037
A critical vulnerability, CVE-2026-3008, has been identified in Notepad++, the widely used text and source code editor. The flaw, a string injection issue in the FindInFiles functionality, allows remote attackers to crash the application or extract sensitive memory address data from affected systems.
The vulnerability stems from improper handling of the "find-result-hits" field in Notepad++’s configuration file, where a %s format specifier can trigger unintended behavior during search operations. This improper memory handling could enable denial-of-service (DoS) attacks or expose memory contents, posing a risk to users relying on the tool for development or administrative tasks.
The issue affects all versions of Notepad++ and highlights the potential security risks in even trusted, lightweight utilities when format string and memory management flaws are exploited. No active exploitation has been reported at this time, but users are advised to monitor for patches or mitigations from the vendor.
MARCH 2026
707
FEBRUARY 2026
727
Cyber Attack
03 Feb 2026 • Notepad++
Notepad++: Notepad++ Supply Chain Hack Exposed, Researchers Publish IoCs and Custom Malware Analysis
Sophisticated Supply Chain Attack Targets Notepad++ Users in Espionage Campaign
705
CRITICAL-22
NOT1770169941
Researchers have identified a highly advanced supply chain attack targeting users of the popular text editor Notepad++, attributed to Lotus Blossom, a Chinese advanced persistent threat (APT) group active since 2009. The campaign, uncovered through forensic analysis, involved the compromise of Notepad++’s distribution infrastructure to deliver Chrysalis, a previously undocumented custom backdoor with extensive remote access and evasion capabilities.
The attack began with the execution of notepad++.exe and GUP.exe (Notepad++’s updater) from the IP address 95.179.213.0, which downloaded a malicious update.exe, an NSIS installer. This installer deployed a renamed Bitdefender Submission Wizard executable to the hidden %AppData%\Bluetooth directory, leveraging DLL sideloading to execute a malicious log.dll. The DLL decrypted the Chrysalis backdoor using a combination of linear congruential generators, FNV-1a hashing, and MurmurHash finalization, along with custom cryptographic algorithms.
Chrysalis is a feature-rich implant with 15 distinct command capabilities, including:
- Interactive reverse shells (command 4T)
- Remote process execution (4V)
- File operations (4Y, 4W, 4X)
- File transfer protocols (4c, 4d)
- Self-removal (4)
- Drive enumeration (4_)
The backdoor communicates with a command-and-control (C2) server at https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821, designed to mimic Deepseek API traffic to evade detection. The domain resolves to a Malaysian IP (61.4.102.97), with communications using a standard browser user agent. Persistence is achieved via a Windows service or registry modifications, while a mutex (Global\Jdhfv_1.0.1) prevents multiple instances.
Further analysis revealed the use of ConsoleApplication2.exe, a loader exploiting Microsoft’s undocumented Warbird code protection framework. The loader invokes NtQuerySystemInformation with the SystemCodeFlowTransition parameter (0xB9) to execute Metasploit shellcode within a Microsoft-signed binary, enabling the download of Cobalt Strike beacons from api.wiresguard.com/users/system. Additional payloads were delivered via http-get (api.wiresguard.com/update/v1) and http-post (api.wiresguard.com/api/FileUpload/submit) endpoints.
Forensic evidence also uncovered a renamed Tiny-C-Compiler executing malicious C source code from conf.c, which employed rolling XOR decryption before transferring execution to Cobalt Strike. Four additional loader variants were identified, sharing identical Cobalt Strike configurations and a common public key, indicating a coordinated campaign.
Attribution to Lotus Blossom is supported by tactical overlaps, including the Bitdefender Submission Wizard DLL sideloading technique and shared infrastructure indicators. The campaign demonstrates a significant evolution in tradecraft, blending custom malware with commodity frameworks and rapidly operationalizing public security research. Key indicators of compromise include hidden executables in %AppData%, NtQuerySystemInformation abuse, and suspicious Deepseek-style API traffic.
JANUARY 2026
726
DECEMBER 2025
748
Vulnerability
15 Dec 2025 • Notepad++
Notepad++ Fixes Updater Vulnerability Allowing Attackers to Hijack Update Traffic
Notepad++ Update Process Vulnerability
743
LOW-5
NOT1765821620
Notepad++ Patches Critical Update Hijacking Vulnerability
Notepad++, the widely used text and code editor, recently addressed a severe security flaw in its update mechanism that could allow attackers to hijack the update process. The vulnerability, stemming from insufficient file authentication in the Notepad++ updater, was identified by security researcher Kevin Beaumont.
The flaw enabled threat actors to intercept and manipulate update traffic, tricking the software into accepting malicious update files. Without proper verification, users risked downloading compromised updates, potentially leading to unauthorized access, data theft, or further exploitation.
In response, the Notepad++ development team implemented enhanced authentication measures to secure the updater utility. The patched version now prevents unauthorized modifications to update files, reducing the risk of exploitation. Users running older versions are urged to upgrade immediately to mitigate potential threats.
The incident underscores the importance of robust update verification in software distribution, particularly for widely adopted tools. While the vulnerability has been resolved, the discovery highlights ongoing risks in update mechanisms across applications.
NOVEMBER 2025
730
OCTOBER 2025
729
SEPTEMBER 2025
729
AUGUST 2025
728
JULY 2025
727
JUNE 2025
731
Vulnerability
16 Jun 2025 • Notepad++
Notepad++
Privilege Escalation Vulnerability in Notepad++ v8.8.1
726
CRITICAL-5
NOT301062425
A severe privilege escalation vulnerability in Notepad++ version 8.8.1, designated CVE-2025-49144, allows attackers to gain SYSTEM-level privileges through binary planting. This flaw exposes millions of users to complete system compromise, posing risks of data breaches and lateral movement within networks. The flaw affects the installer, enabling local privilege escalation attacks with minimal user interaction. The widespread adoption of Notepad++, particularly in corporate environments, amplifies the potential impact. The incident highlights the need for secure software development practices and rapid response to emerging threats.
JUNE 2025
750
Cyber Attack
01 Jun 2025 • Notepad++
Notepad++ and Telecom and Financial Firms in East Asia: Notepad++ Supply Chain Hack Conducted by China via Hosting Provider
Notepad++ Supply Chain Attack Linked to Chinese State-Sponsored Hackers
731
CRITICAL-19
NOTCIT1770050926
In December 2025, Notepad++ disclosed further details about a supply chain attack targeting its users, revealing that a China-linked threat actor likely compromised its hosting provider to distribute malicious updates. The incident, first reported by security researcher Kevin Beaumont, involved hackers exploiting the software’s updater to gain access to systems within telecom and financial firms in East Asia.
An investigation led by Notepad++ creator Don Ho, alongside external security experts and the hosting provider, determined that the attack stemmed from an infrastructure-level breach. Rather than exploiting vulnerabilities in Notepad++’s code, the attackers intercepted and redirected update traffic by compromising the hosting provider’s systems. Select users were rerouted to attacker-controlled servers, which delivered malware-laced update manifests.
The attack began in June 2025, with the hosting provider’s server remaining compromised until September 2, when maintenance and firmware updates were applied. However, stolen credentials allowed the threat actor to retain access to internal services until December 2, enabling continued traffic redirection. The hosting provider confirmed that only Notepad++ customers were targeted, with no evidence of broader compromise.
Multiple security researchers attributed the campaign to a Chinese state-sponsored group, citing the highly selective targeting. Notepad++ has since migrated to a new hosting provider and implemented client-side measures to verify update integrity. The incident follows other recent supply chain attacks, including those affecting eScan Antivirus and EmEditor.