Notepad++ has introduced a new “double-lock” security design for its update mechanism after a recently disclosed supply-chain attack exposed weaknesses in older versions.
The enhanced protection was officially rolled out in version 8.9.2, although initial improvements began earlier with version 8.8.9.
The new double verification system adds two layers of protection. First, the updater now verifies the signed installer hosted on GitHub. Second, it checks a digitally signed XML file from the official notepad-plus-plus.org domain using XMLDSig. Together, these mechanisms create a more secure update process designed to prevent tampering or redirection to malicious servers.
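The two checks described above, reproduced as an operator-side re-verification script (an added example, not WinGUp or Notepad++ code). The file paths, the expected signer thumbprint and the pinned certificate file are placeholders, since the real values are not given on this page.

```powershell
# Added example, not WinGUp/Notepad++ code: an operator-side re-check of the two "locks".
# Assumes Windows PowerShell 5.1 (SignedXml lives in the System.Security assembly there).
# All paths and the thumbprint below are placeholders; substitute your own values.
$InstallerPath = 'C:\Downloads\npp.installer.exe'      # placeholder: installer fetched from GitHub
$ManifestPath  = 'C:\Downloads\update.xml'             # placeholder: XMLDSig-signed XML from notepad-plus-plus.org
$PinnedCerPath = 'C:\Pinned\npp-manifest-signer.cer'   # placeholder: certificate you trust to sign the manifest
$ExpectedThumb = 'PLACEHOLDER_INSTALLER_SIGNER_THUMBPRINT'

# Lock 1: the installer's Authenticode signature must be valid AND come from the pinned signer,
# so a validly signed binary from some other publisher is still rejected.
function Test-InstallerSignature {
    param([string]$Path, [string]$Thumbprint)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $false }
    return ($sig.SignerCertificate.Thumbprint -eq $Thumbprint)
}

# Lock 2: the update manifest carries an enveloped XMLDSig. Verify it against a certificate
# we already hold, never against a key the document itself supplies.
function Test-ManifestSignature {
    param([string]$Path, [string]$CerPath)
    Add-Type -AssemblyName System.Security
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true            # whitespace edits would change the canonical form
    $doc.Load($Path)
    $nodes = $doc.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')
    if ($nodes.Count -ne 1) { return $false }  # accept exactly one Signature element, no more, no fewer
    $signed = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signed.LoadXml([System.Xml.XmlElement]$nodes.Item(0))
    return $signed.CheckSignature($cert, $true)
}

# Fail closed: the update is trusted only if BOTH locks open.
$installerOk = Test-InstallerSignature -Path $InstallerPath -Thumbprint $ExpectedThumb
$manifestOk  = Test-ManifestSignature  -Path $ManifestPath  -CerPath   $PinnedCerPath
if ($installerOk -and $manifestOk) {
    Write-Output 'Both checks passed: installer signer and manifest signature verified.'
} else {
    Write-Output "Rejecting update (installer=$installerOk, manifest=$manifestOk)."
    exit 1
}
```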
The changes come after researchers from Rapid7 and the Notepad++ team revealed that attackers had compromised the software’s update infrastructure for six months. The campaign, attributed to the Chinese-linked threat group Lotus Blossom, began in June 2025. Attackers reportedly breached the hosting provider running the Notepad++ updater and selectively redirected some users to malicious servers.
The attack exploited weak verification checks in older versions of the software and remained active until it was discovered on December 2, 2025. Rapid7 found that hackers deployed a custom backdoor known as “Chrysalis” during the campaign.
Beyond the double-lock mechanism, Notepad++ has removed libcurl.dll to reduce DLL side-loading risks and eliminated insecure cURL SSL options. Plugin management execution is now restricted to programs signed with the same certificate as WinGUp. The project has also switched hosting providers, rotated credentials, and patched the vulnerabilities used in the attack.
All users are strongly advised to upgrade to version 8.9.2 immediately and download installers only from the official website to avoid potential compromise.