Notepad++ Secures Update Channel Following Supply Chain Compromise
Notepad++, a widely used text and source code editor for Windows, has taken steps to secure its update mechanism after that mechanism was hijacked by attackers last year.
Compromise and Vulnerabilities
The compromise, confirmed by Notepad++ maintainer Don Ho earlier this month, allowed malicious actors to intercept communications between the updater client and the Notepad++ update servers.
The attackers exploited several weaknesses in the update process. Prior to v8.8.8, released on November 18, 2025, the updater did not verify the code signing certificate on the installer it downloaded. Separately, before the release of v8.8.9 on December 9, 2025, the WinGUp updater did not validate the signature on the XML file that carries the update instructions, so an attacker able to intercept that file could redirect the client to a download of their choosing.
Security Enhancements
To address these vulnerabilities, the latest version of Notepad++, v8.9.2, verifies the signed XML file that tells the updater where to look for the update. This enhancement builds on the installer and XML checks introduced in v8.8.8 and v8.8.9.
According to Ho, the verification of the signed XML and signed installer provides an additional layer of security to the update process.
Furthermore, the WinGUp updater has been hardened by removing its libcurl.dll dependency, which closes off that DLL side-loading vector. Two insecure cURL SSL options have also been disabled, and execution of the plugin manager is now restricted to binaries signed with the same certificate as WinGUp.
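The two checks described in this section, a signature over the XML that names the download location and an integrity check on the installer it points to, are the core of a secure update client. The following is an added example, not WinGUp's code or anything from the Notepad++ project: it models the manifest as a small XML document with a detached Ed25519 signature (WinGUp uses code-signing certificates; Ed25519 is a stand-in here), pins a hypothetical update host, and shows that an on-path attacker who rewrites the location in the manifest is rejected because they cannot re-sign it. The key seed, host name and installer bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// UpdateManifest is a constructed stand-in for the XML an updater fetches:
// which version is available, where to get it, and what it should hash to.
type UpdateManifest struct {
	XMLName  xml.Name `xml:"update"`
	Version  string   `xml:"version"`
	Location string   `xml:"location"`
	SHA256   string   `xml:"sha256"`
}

// SignedManifest carries the raw manifest bytes plus a detached signature.
type SignedManifest struct {
	XML       []byte
	Signature []byte
}

// allowedHosts is a hypothetical allowlist of update hosts pinned in the client.
var allowedHosts = map[string]bool{"updates.example.com": true}

// VerifyManifest checks the signature before parsing anything (untrusted XML
// never reaches the parser), then applies policy to the parsed contents.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest) (*UpdateManifest, error) {
	if !ed25519.Verify(pub, sm.XML, sm.Signature) {
		return nil, errors.New("manifest signature invalid: refusing to parse")
	}
	var m UpdateManifest
	if err := xml.Unmarshal(sm.XML, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	u, err := url.Parse(m.Location)
	if err != nil || u.Scheme != "https" || !allowedHosts[u.Hostname()] {
		return nil, fmt.Errorf("manifest location %q not permitted", m.Location)
	}
	if len(m.SHA256) != 64 {
		return nil, errors.New("manifest carries no usable installer digest")
	}
	if _, err := hex.DecodeString(m.SHA256); err != nil {
		return nil, errors.New("manifest digest is not hex")
	}
	return &m, nil
}

// VerifyInstaller compares the downloaded bytes against the digest committed
// to by the signed manifest, so a swapped installer is rejected before it runs.
func VerifyInstaller(m *UpdateManifest, installer []byte) bool {
	sum := sha256.Sum256(installer)
	return strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256)
}

// signManifest is the publisher side; it runs offline, never inside the client.
func signManifest(priv ed25519.PrivateKey, xmlBytes []byte) SignedManifest {
	return SignedManifest{XML: xmlBytes, Signature: ed25519.Sign(priv, xmlBytes)}
}

// demoKeys derives a keypair from a constructed seed so the example runs
// offline; a real publisher key would be kept in an HSM or equivalent.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// BuildDemo returns a genuine signed manifest for a constructed installer and
// a tampered copy whose location points at an attacker host, the substitution
// an on-path attacker could make if the manifest were not signed.
func BuildDemo() (pub ed25519.PublicKey, genuine, tampered SignedManifest, installer []byte) {
	pub, priv := demoKeys()
	installer = []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	xmlBytes := []byte(fmt.Sprintf(
		`<update><version>8.9.2</version><location>https://updates.example.com/npp.exe</location><sha256>%x</sha256></update>`, sum))
	genuine = signManifest(priv, xmlBytes)
	tampered = SignedManifest{
		XML:       []byte(strings.Replace(string(xmlBytes), "updates.example.com", "attacker.example.net", 1)),
		Signature: genuine.Signature, // attacker has no private key, so the old signature is all they can offer
	}
	return
}

func main() {
	pub, genuine, tampered, installer := BuildDemo()
	m, err := VerifyManifest(pub, genuine)
	fmt.Println("genuine manifest accepted:", err == nil, "installer digest ok:", err == nil && VerifyInstaller(m, installer))
	_, err = VerifyManifest(pub, tampered)
	fmt.Println("tampered manifest rejected:", err != nil)
}
```

Note the ordering: the signature is checked on the raw bytes before the XML parser sees them, and the download location is only trusted once the signature and the host allowlist both pass. What this example does not cover is replay of an older, still validly signed manifest; a production updater also needs a monotonic version or timestamp check so an attacker cannot freeze clients on a vulnerable release.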
Supply Chain Compromise
The Notepad++ supply chain compromise occurred in June 2025, when the software project’s shared hosting server was hacked. The attackers lost access to the server in early September 2025, but retained credentials for the project’s internal services until early December 2025.
During this time, researchers from Rapid7 and Kaspersky analyzed the malicious update and execution chains mounted by the attackers, which resulted in the installation of Cobalt Strike Beacon payloads and/or the Chrysalis backdoor.
Recommendation
Initially, it was believed that the attackers only targeted organizations in Southeast Asia and South America. However, Palo Alto Networks discovered that organizations in the US and Europe also received malicious updates. All Notepad++ users, regardless of region, are therefore advised to upgrade to the latest version as soon as possible.
