
EmEditor Hit by Supply Chain Attack Delivering Infostealer Malware

EmEditor users at risk: Hackers replaced download links with malware, stealing sensitive data and deploying harmful extensions.
Content Team

Popular text editor EmEditor was compromised between December 19 and 22, when hackers replaced the legitimate download link on the homepage with malicious software. Users who clicked "Download Now" during this window may have received a fake installer that looked identical to the real one but lacked proper digital signatures.

The malware collected sensitive data including system information, files from Desktop and Documents folders, VPN configurations, browser credentials, and login details for apps like Discord, Slack, Teams, and Steam. It also deployed a persistent browser extension called "Google Drive Caching" that hijacks cryptocurrency addresses and steals Facebook ad accounts.
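
A defender-side check for the extension named above, as an added example that is not from the article or from EmEditor's advisory: it scans a Chromium-style browser profile directory for an installed extension whose display name is "Google Drive Caching", including names hidden behind a localisation placeholder. It assumes the standard `Extensions/<id>/<version>/manifest.json` layout (the article does not say where the malware places the extension); `build_sample_profile` and its extension ids are constructed test data.

```python
import json
import tempfile
from pathlib import Path

SUSPECT_NAME = "Google Drive Caching"  # extension name reported in the article

def resolve_name(ext_dir, manifest):
    """Display name, resolving Chromium's __MSG_key__ localisation placeholders."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[6:-2].lower()
    locale = str(manifest.get("default_locale", "en"))
    try:
        text = (ext_dir / "_locales" / locale / "messages.json").read_text(encoding="utf-8-sig")
        messages = json.loads(text)
    except (OSError, ValueError):
        return name
    if isinstance(messages, dict):
        for k, v in messages.items():  # message keys are case-insensitive
            if k.lower() == key and isinstance(v, dict):
                return str(v.get("message", name))
    return name

def find_suspect_extensions(profile_dir, suspect=SUSPECT_NAME):
    """Check <profile>/Extensions/<id>/<version>/manifest.json for the suspect name."""
    hits = []
    for path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        if not isinstance(manifest, dict):
            continue
        name = resolve_name(path.parent, manifest)
        if name.strip().lower() == suspect.lower():
            hits.append({"id": path.parent.parent.name, "name": name, "dir": str(path.parent)})
    return hits

def build_sample_profile(root):
    """Constructed test data: one benign extension, one using a localised suspect name."""
    for ext_id, name in (("aaaa", "Notes Helper"), ("bbbb", "__MSG_appName__")):
        ver = Path(root) / "Extensions" / ext_id / "1.0_0"
        (ver / "_locales" / "en").mkdir(parents=True)
        (ver / "manifest.json").write_text(json.dumps({"name": name, "default_locale": "en"}))
        (ver / "_locales" / "en" / "messages.json").write_text(
            json.dumps({"appName": {"message": "Google Drive Caching"}}))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_suspect_extensions(build_sample_profile(tmp)))
```

A match is a lead for investigation rather than proof of compromise, and an empty result does not rule out an extension loaded from a non-standard location.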

Chinese security firm Qianxin discovered the attack primarily targets users outside former Soviet countries and Iran. EmEditor's developers have posted warnings and indicators of compromise on their website.

Source: Security Week
