Pulse: Watering Hole Attack Targets EmEditor Users With Information-Stealing Malware
TLP: WHITE | Author: AlienVault | Created: 2026-01-23 | Modified: 2026-01-23
17 IOCs | Medium volume
A compromised EmEditor installer was used in a software supply chain attack to deliver multistage malware. The attack, discovered in late December 2025, targeted users of this widely used text editor. The malware performs credential theft and data exfiltration and enables lateral movement. It uses obfuscated PowerShell scripts and geofencing techniques, suggesting a possible Russian origin. The malware disables security features, gathers system information, and exfiltrates data to a command-and-control server. This incident highlights the importance of validating installer integrity, monitoring PowerShell usage, preserving endpoint telemetry, and enforcing least-privilege principles. Software publishers are advised to secure their download infrastructure and prepare incident response plans.
Indicators of Compromise (3 / 17 total)
TYPE           INDICATOR                          CREATED
FileHash-MD5   57bc24f923c92fc600c2ad47fe285074   2026-01-23
FileHash-MD5   6a4554509ce27efe5c6b8e58431f60d8   2026-01-23
FileHash-MD5   a27731876e769ff19e225700085967bf   2026-01-23