Overview
- Version 8.9.2 implements a two-stage update check that validates a signed XML manifest from notepad-plus-plus.org and then the code-signed installer downloaded from GitHub.
- The WinGUp auto-updater is hardened by removing libcurl.dll to curb DLL sideloading, disabling insecure cURL SSL options, and restricting plugin management to programs signed with WinGUp's certificate.
- The release fixes CVE-2026-25926, an Unsafe Search Path flaw that could enable arbitrary code execution under specific conditions.
- Researchers link the 2025 update hijack to the China-nexus group Lotus Blossom/Lotus Panda; the malicious updates delivered the Chrysalis backdoor and Cobalt Strike beacons.
- Users are urged to upgrade to v8.9.2 and to obtain installers only from the official site or GitHub; the project has also migrated its update host and rotated its credentials.