Notepad++ Enhances Update Security with Double-Lock Mechanism


Notepad++ Strengthens Update Security with Dual Verification Mechanism

Notepad++, a widely used open-source text and source code editor, has introduced a robust update security mechanism to prevent supply-chain attacks.

Double-Lock Mechanism

The new feature, dubbed “double-lock,” is designed to provide an additional layer of security to the update process. This change is part of the latest version, 8.9.2, released yesterday.

The double-lock mechanism involves two independent verification steps. First, the Authenticode signature of the installer downloaded from GitHub is verified, a check that was introduced in version 8.8.9. Second, the update XML file served from the notepad-plus-plus.org domain is checked: it is digitally signed using XMLDSig, so the update metadata cannot be altered in transit or swapped out on a compromised web host without invalidating the signature.
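The two checks described above can be reproduced by hand with Windows-native tooling. The following PowerShell is an added example, not WinGUp's or Notepad++'s own code; it assumes the update XML carries an enveloped XMLDSig signature with the signing certificate embedded in KeyInfo/X509Data, and that the file paths, the pinned XML-signer thumbprint and the expected installer subject are supplied by you (every placeholder value below is hypothetical).

```powershell
# Added example (not Notepad++/WinGUp code): reproduce the "double lock" on
# the two artefacts the updater fetches. Placeholder values are hypothetical.
$UpdateXmlPath               = '.\update.xml'                    # local copy of the signed XML
$InstallerPath               = '.\npp.8.9.2.Installer.x64.exe'   # local copy of the installer
$ExpectedXmlSignerThumbprint = '<PINNED-XML-SIGNER-THUMBPRINT>'  # obtained out of band
$ExpectedInstallerSubject    = '<EXPECTED-CODE-SIGNING-SUBJECT-DN>'

Add-Type -AssemblyName System.Security   # SignedXml lives here on Windows PowerShell 5.1

function Test-UpdateXmlSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true      # canonicalisation must see the bytes that were signed
    $doc.Load((Resolve-Path $Path).Path)

    $sigNodes = $doc.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')
    if ($sigNodes.Count -ne 1) { return $false }   # exactly one enveloped signature expected

    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signedXml.LoadXml([System.Xml.XmlElement]$sigNodes[0])

    # Pull the certificate out of KeyInfo, but only trust it if it is the pinned one.
    # CheckSignature() on its own proves "signed by whoever is named in KeyInfo",
    # which an attacker controlling the download can satisfy with their own key.
    $cert = $null
    foreach ($clause in $signedXml.KeyInfo) {
        if ($clause -is [System.Security.Cryptography.Xml.KeyInfoX509Data]) {
            $cert = $clause.Certificates[0]
        }
    }
    if ($null -eq $cert) { return $false }
    if ($cert.Thumbprint -ne $ExpectedThumbprint) { return $false }
    # $true = verify the signature only; trust was decided by the pin above.
    return $signedXml.CheckSignature($cert, $true)
}

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the hash matches and the chain builds to a trusted root;
    # NotSigned, HashMismatch and UnknownError all fail closed.
    if ($sig.Status -ne 'Valid') { return $false }
    # A valid signature from the wrong publisher is still the wrong installer.
    return ($sig.SignerCertificate.Subject -eq $ExpectedSubject)
}

# Double lock: both checks must pass; one failure aborts the update.
$xmlOk = Test-UpdateXmlSignature -Path $UpdateXmlPath -ExpectedThumbprint $ExpectedXmlSignerThumbprint
$exeOk = Test-InstallerSignature -Path $InstallerPath -ExpectedSubject $ExpectedInstallerSubject
if ($xmlOk -and $exeOk) {
    'update artefacts verified'
} else {
    throw "refusing to install: xml=$xmlOk installer=$exeOk"
}
```

The pinning step is the part that matters: a bare CheckSignature() or a Status of Valid only tells you that some key signed the file, and an attacker who controls the download path can supply a file signed with their own key. Pinning the XML signer's thumbprint and the installer's subject turns the check into "signed by the publisher we expect".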

By combining these two verification mechanisms, the Notepad++ team has created an update process it describes as "effectively unexploitable." That holds as long as the signing keys stay out of attackers' hands: a compromised web host, the scenario in the 2025 campaign, can no longer substitute the update manifest or the installer, but a stolen signing key would still defeat both locks.

Additional Security Changes

In addition to the double-lock mechanism, the auto-updater has undergone several security-oriented changes. The separately shipped libcurl.dll has been removed, closing the DLL side-loading vector in which a malicious DLL placed in the search path is loaded in place of the real library. Two cURL SSL options that weaken TLS have also been removed: CURLSSLOPT_ALLOW_BEAST, which tells libcurl not to mitigate the BEAST attack, and CURLSSLOPT_NO_REVOKE, which disables certificate revocation checking.

Furthermore, WinGUp (the Notepad++ updater) now restricts plugin-management execution to programs signed with the same certificate as WinGUp itself, so an unsigned or differently signed binary dropped into the updater's path will not be launched.
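An administrator can audit both of these changes on an installed copy. The PowerShell below is an added example, not WinGUp's own check; it assumes Notepad++ is installed under $NppDir with the updater in the updater subfolder as GUP.exe (the WinGUp binary) and should be adjusted if your layout differs.

```powershell
# Added example (not WinGUp code): audit the "same certificate as WinGUp" rule
# and confirm no side-loadable libcurl.dll remains. Paths are assumptions.
$NppDir     = 'C:\Program Files\Notepad++'
$WinGUpPath = Join-Path $NppDir 'updater\GUP.exe'

function Test-SameSigner {
    param(
        [Parameter(Mandatory)] [string] $ReferencePath,
        [Parameter(Mandatory)] [string] $CandidatePath
    )
    $ref  = Get-AuthenticodeSignature -FilePath $ReferencePath
    $cand = Get-AuthenticodeSignature -FilePath $CandidatePath
    # An unsigned or tampered candidate must never compare "equal" to anything,
    # so check validity before looking at the certificates at all.
    if ($ref.Status -ne 'Valid' -or $cand.Status -ne 'Valid') { return $false }
    # The thumbprint identifies the exact leaf certificate, which is what
    # "same certificate as WinGUp" means; comparing Subject alone would also
    # accept a different certificate that happens to carry the same DN.
    return ($ref.SignerCertificate.Thumbprint -eq $cand.SignerCertificate.Thumbprint)
}

function Find-SideloadableCurl {
    param([Parameter(Mandatory)] [string] $Root)
    # Any libcurl*.dll left in or under the install directory is exactly the
    # file the side-loading removal was meant to eliminate; report it.
    Get-ChildItem -Path $Root -Recurse -Filter 'libcurl*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName }
}

# 1. Every executable in the updater folder must share WinGUp's signer.
Get-ChildItem -Path (Join-Path $NppDir 'updater') -Filter '*.exe' | ForEach-Object {
    $same = Test-SameSigner -ReferencePath $WinGUpPath -CandidatePath $_.FullName
    '{0,-30} same signer as WinGUp: {1}' -f $_.Name, $same
}

# 2. No libcurl.dll should be present after upgrading to 8.9.2.
$stray = @(Find-SideloadableCurl -Root $NppDir)
if ($stray.Count -gt 0) {
    Write-Warning ("libcurl still present (side-load risk):`n" + ($stray -join "`n"))
} else {
    "no libcurl.dll under $NppDir"
}
```

A libcurl.dll that survives the upgrade (for example one left behind by a third-party deployment script) reintroduces the side-loading risk regardless of what the updater itself now ships, which is why the audit walks the whole install tree rather than just the updater folder.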

Opting Out of Auto-Updater

Users can opt out of the auto-updater during the UI installation process, or deploy the MSI package with the NOUPDATER=1 property. For instance, running "msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1" will install Notepad++ without the auto-updater, which is the appropriate choice for managed environments that push updates through their own deployment tooling.

Background

The introduction of the double-lock mechanism comes after a six-month-long campaign attributed to the Lotus Blossom threat group, linked to China, compromised the Notepad++ update infrastructure.

The attackers exploited weak update verification controls in older versions of the software, redirecting update requests from specific users to malicious servers.

The attacks, which began in June 2025, were discovered on December 2, 2025. Rapid7’s analysis revealed that the attackers used a custom backdoor called Chrysalis as part of the attack chain.

Response to Compromise

In response to the compromise, the Notepad++ project has switched to a different hosting provider, rotated credentials, and fixed the flaws exploited in the discovered attacks.

These measures, combined with the new double-lock mechanism, aim to provide a more secure update process for Notepad++ users.
