Notepad++ Strengthens Update Security After Supply-Chain Attack With New ‘Double-Lock’ System
Notepad++ Strengthens Update Security After Supply-Chain Attack With New ‘Double-Lock’ System
https://www.linkedin.com/pulse/notepad-strengthens-update-security-after-supply-chain-gzcye
Publish Date: 2026-02-17 17:19:00
Source Domain: www.linkedin.com
Using an unordered list, summarize the following article with between 4 and 8 key points.
In response to a sophisticated supply-chain attack that compromised its update infrastructure for months, the developers behind Notepad++ have rolled out a major security overhaul designed to prevent similar incidents in the future.
The widely used open-source text and source code editor introduced a new “double-lock” verification mechanism in version 8.9.2, aiming to significantly harden its update process against tampering and malicious redirection.
A Direct Response to a Months-Long Cyberattack
The update follows the disclosure earlier this month of a prolonged cyber-espionage campaign that targeted Notepad++ users. Security researchers, including analysts from Rapid7, revealed that attackers had infiltrated the software’s update delivery system as early as June 2025.
The threat group behind the operation, identified as Lotus Blossom and widely believed to have links to China, exploited weaknesses in Notepad++’s update verification model. By compromising the hosting provider responsible for serving update files, the attackers were able to selectively redirect certain users to malicious servers.
This allowed them to distribute trojanized updates containing a custom backdoor dubbed “Chrysalis,” enabling persistent access to infected systems. The campaign remained undetected for nearly six months before being uncovered on December 2, 2025.
How the ‘Double-Lock’ System Works
Below is an illustration of how the Notepad++ update mechanism was previously hijacked:
To address these vulnerabilities, Notepad++ developers have redesigned the updater with a dual verification process — referred to as a “double-lock” mechanism.
The first layer of protection involves verifying that the installer downloaded from GitHub is digitally signed and authentic. This step was initially introduced in version 8.8.9 as part of early mitigation efforts.
The second layer adds a new requirement: the update metadata itself must also be cryptographically verified. Specifically, the XML file delivered by the update service — hosted on the official Notepad++ domain — is now signed using XML Digital Signature (XMLDSig) standards.
As shown in the diagram above, 2 independent signature & certificate vérifications are now performed
This means that even if an attacker were to intercept or redirect update traffic, they would need to bypass both signature checks simultaneously — a scenario the development team says is “effectively unexploitable” under normal conditions.
💡 Discover The Blind Spot Undermining Your cybersecurity and Compliance Postures | Download The Identity Dark Matter Report
Additional Security Hardening Measures
Beyond the double-lock system, several other security improvements have been implemented to reduce the attack surface of the updater:
Removal of libcurl.dll to eliminate risks associated with DLL side-loading attacks
Elimination of insecure SSL options, including CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE
Tighter plugin execution controls, restricting plugin management to binaries signed with the same certificate as the WinGUp updater
These changes reflect a broader effort to modernize the application’s security posture, particularly around how it communicates with external servers and executes update-related processes.
Infrastructure Overhaul and Incident Response
Following the discovery of the breach, the Notepad++ team took immediate steps to contain the threat and prevent further exploitation. These included:
Migrating to a new hosting provider
Rotating all credentials associated with the update infrastructure
Patching the vulnerabilities that enabled the attack
Supply-chain attacks like this are increasingly common, as they allow attackers to compromise large numbers of users by targeting trusted software distribution channels rather than individual systems.
What Users Should Do
Developers are strongly urging all users to update to Notepad++ version 8.9.2 as soon as possible to benefit from the new protections.
Users should only download installers exclusively from the official Notepad++ website, as third-party sources may expose users to tampered or malicious versions of the software.
Broader Implications for Open-Source Security
The incident highlights ongoing challenges in securing software supply chains, particularly for widely used open-source projects that rely on distributed infrastructure and community-driven development.
While Notepad++ has taken decisive action to address the issue, cybersecurity professionals warn that similar attack techniques are likely to persist, especially as threat actors increasingly target trusted update mechanisms.
The introduction of the double-lock system may serve as a model for other projects seeking to strengthen their defenses against increasingly sophisticated supply-chain threats.
Webinar Uncovering The Key Findings In The Red Report 2026
Webinar Uncovering The Key Findings In The Red Report 2026
Identify why 80% of top techniques now focus on evasion and persistence.
Detect “Self-Aware” malware that uses trigonometry to bypass sandboxes and play dead when watched.
Simulate Dynamic Threat Templates to validate whether you can prevent or detect the top ATT&CK techniques.
