Notepad++ boosts update security with ‘double-lock’ mechanism

Notepad++ Bolsters Security with Revolutionary ‘Double-Lock’ Update Mechanism

In a bold move to fortify its defenses against increasingly sophisticated cyber threats, Notepad++—the beloved open-source text and source code editor—has unveiled a groundbreaking “double-lock” update mechanism. This innovative security enhancement, introduced in version 8.9.2, marks a pivotal moment in the software’s ongoing battle against malicious actors.

The new mechanism is the result of months of development, beginning with version 8.8.9, which introduced verification of signed installers from GitHub. The second layer of this “double-lock” system checks the signed XML served from the official notepad-plus-plus.org domain. By digitally signing the XML file returned from the update service (XMLDSig), Notepad++ adds a second, independent check aimed at supply-chain attacks.
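As an added illustration (not Notepad++ or WinGUp code), the Go sketch below models the two checks described above, with detached Ed25519 signatures standing in for XMLDSig and for installer code signing. The `Manifest` fields, the `Pinned` struct, the keys, URLs and byte strings are all constructed assumptions; the scenarios show that a forged manifest, a swapped installer, and a single stolen key are each rejected.

```go
package main

import (
	"crypto/ed25519"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for the XML returned by the update service.
type Manifest struct{ Version, Location string }

// Pinned holds the two public keys shipped inside the updater (assumed layout).
type Pinned struct{ ManifestKey, InstallerKey ed25519.PublicKey }

// Update accepts an update only if both signatures verify, each against its own
// pinned key. The manifest is verified over the exact bytes received, before parsing.
func (p Pinned) Update(rawXML, xmlSig, installer, instSig []byte) (string, error) {
	if !ed25519.Verify(p.ManifestKey, rawXML, xmlSig) {
		return "", errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := xml.Unmarshal(rawXML, &m); err != nil {
		return "", fmt.Errorf("manifest parse: %w", err)
	}
	// A genuine manifest proves nothing about the file that was actually downloaded.
	if !ed25519.Verify(p.InstallerKey, installer, instSig) {
		return "", errors.New("installer signature invalid")
	}
	return m.Version, nil
}

// Scenarios runs constructed cases and returns the error for each (nil = accepted).
func Scenarios() map[string]error {
	mPub, mPriv, _ := ed25519.GenerateKey(nil)
	iPub, iPriv, _ := ed25519.GenerateKey(nil)
	_, evil, _ := ed25519.GenerateKey(nil) // key held by a third party, not pinned
	p := Pinned{mPub, iPub}
	x := []byte(`<GUP><Version>8.9.2</Version><Location>https://example.invalid/npp.exe</Location></GUP>`)
	bad := []byte(`<GUP><Version>9.9.9</Version><Location>https://mirror.invalid/npp.exe</Location></GUP>`)
	good, mal := []byte("constructed installer bytes"), []byte("constructed modified bytes")
	out := map[string]error{}
	_, out["genuine"] = p.Update(x, ed25519.Sign(mPriv, x), good, ed25519.Sign(iPriv, good))
	_, out["redirected manifest"] = p.Update(bad, ed25519.Sign(evil, bad), mal, ed25519.Sign(evil, mal))
	_, out["swapped installer"] = p.Update(x, ed25519.Sign(mPriv, x), mal, ed25519.Sign(evil, mal))
	_, out["stolen manifest key only"] = p.Update(bad, ed25519.Sign(mPriv, bad), mal, ed25519.Sign(evil, mal))
	return out
}

func main() { fmt.Println(Scenarios()) }
```

A real XMLDSig check also canonicalizes the signed XML and validates the signer's certificate, which this sketch leaves out.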

“The combination of these two verification mechanisms creates a robust and effectively unexploitable update process,” the Notepad++ team declared in their announcement. This statement underscores the gravity of the security overhaul, which comes in the wake of a devastating six-month-long campaign attributed to the Chinese state-linked threat group, Lotus Blossom.

The attackers, who compromised Notepad++’s update infrastructure in June 2025, exploited weak update verification controls to selectively redirect update requests from specific users to malicious servers. The campaign, which went undetected until December 2, 2025, involved the deployment of a custom backdoor dubbed “Chrysalis.” This sophisticated attack chain highlighted the urgent need for a comprehensive security overhaul.

In response, Notepad++ has implemented a series of additional security measures to fortify its auto-updater. These include the removal of libcurl.dll to eliminate DLL side-loading risks, the elimination of two unsecured cURL SSL options (CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE), and the restriction of plugin management execution to programs signed with the same certificate as WinGUp. These changes represent a significant leap forward in the software’s security posture.

The Notepad++ team has also taken immediate action to address the vulnerabilities exploited in the attack. This includes switching to a new hosting provider, rotating credentials, and fixing the flaws that allowed the compromise. Users are strongly advised to upgrade to version 8.9.2 and ensure that installers are always downloaded from the official notepad-plus-plus.org domain.

The visual comparison of the vulnerable update model (left) and the new, secure model (right) shows the difference between the two systems: the new model adds the double-lock verification.

As cyber threats continue to evolve, Notepad++’s proactive approach to security serves as a model for other software developers. By prioritizing user safety and implementing cutting-edge security measures, Notepad++ has reaffirmed its commitment to providing a secure and reliable tool for millions of users worldwide.

Tags: Notepad++, double-lock, update security, supply-chain attack, Lotus Blossom, Chrysalis, XMLDSig, DLL side-loading, cURL SSL, WinGUp, cyber threat, software security, open-source, Notepad++ 8.9.2
