557/68 Tuesday, December 30, 2025

Emurasoft, the developer of the text and code editor EmEditor, has issued a security warning after discovering a supply chain attack in which attackers modified the “Download Now” button link on the official website. As a result, users who downloaded the software between December 19 at 09:39 and December 22 at 03:50 received a malicious installer (.msi) instead of the legitimate file. The malicious installer had a similar filename and file size to the genuine one but was digitally signed with a certificate not belonging to Emurasoft.
Once installed, the fake installer executed PowerShell commands to download infostealer malware capable of stealing sensitive data, including files from the Desktop and Documents folders, VPN configurations, browser data, and application credentials from platforms such as Discord, Slack, Teams, and Steam. The malware was designed to terminate itself if it detected that the system language was that of a former Soviet Union country or Iran, indicating deliberate targeting.
The impact was compounded by the malware establishing persistence through a browser extension named “Google Drive Caching”, which functioned as a full-fledged spyware component. It collected system information, browsing history, and cookies, performed keylogging, and hijacked Facebook advertising accounts. It also included clipboard hijacking functionality that replaced cryptocurrency wallet addresses with addresses controlled by the attackers. Users who downloaded EmEditor during the affected timeframe are strongly advised to investigate their systems immediately and take mitigation actions to reduce potential damage.
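The PowerShell sketch below is an added triage example, not code from Emurasoft or the cited article. It checks the two indicators named above: the signer of `.msi` files saved during the affected window, and browser extension files carrying the name “Google Drive Caching”. The year 2025, local time, the 24-hour margin, the Downloads folder and the Chrome/Edge profile paths are assumptions.

```powershell
# Added triage example; not vendor code.
# Assumptions: year 2025, local time, installer saved in the user's Downloads folder.
$windowStart    = Get-Date '2025-12-19T09:39:00'
$windowEnd      = Get-Date '2025-12-22T03:50:00'
$pad            = New-TimeSpan -Hours 24   # assumed margin: the page gives no time zone
$expectedSigner = 'Emurasoft'              # substring expected in the signer subject
$extensionName  = 'Google Drive Caching'   # extension name reported on this page

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $subject
        # Suspect when the signature is not valid or the signer is someone else.
        Suspect = ($sig.Status -ne 'Valid') -or ($subject -notmatch $expectedSigner)
    }
}

function Find-ExtensionByName {
    param([Parameter(Mandatory)][string]$Name)
    # Chromium profile roots (assumption: Chrome or Edge; add other browsers as needed).
    $roots = @(
        "$env:LOCALAPPDATA\Google\Chrome\User Data",
        "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
    ) | Where-Object { Test-Path $_ }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -File -Include manifest.json, messages.json -ErrorAction SilentlyContinue |
            Select-String -SimpleMatch -Pattern $Name -List |
            Select-Object -ExpandProperty Path
    }
}

$downloads = Join-Path $env:USERPROFILE 'Downloads'
$installers = Get-ChildItem -Path $downloads -Filter *.msi -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge ($windowStart - $pad) -and $_.CreationTime -le ($windowEnd + $pad) } |
    ForEach-Object { Test-InstallerSignature -Path $_.FullName }
$extensionHits = @(Find-ExtensionByName -Name $extensionName)

$installers | Format-Table -AutoSize
if ($extensionHits.Count) { "Extension name found in:"; $extensionHits } else { "No '$extensionName' extension files found." }
```

Every `.msi` from another vendor saved in the window is also marked `Suspect`, so read the `Signer` column for the EmEditor installer specifically. An extension loaded from a folder outside the browser profile will not be found by this search.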
Source: https://www.securityweek.com/infostealer-malware-delivered-in-emeditor-supply-chain-attack/
