Ethical Hacking News
Notepad++ has introduced a highly anticipated 'double-lock' design for its update mechanism in order to address the recent supply-chain compromise that resulted from weak update verification controls. The new double-lock system is designed to ensure users receive legitimate and secure updates, thereby boosting overall security against various types of attacks.
Notepad++ has introduced a new "double-lock" design for its update mechanism to address security gaps. The double-lock system involves two verification mechanisms: checking the signed installer from GitHub and an XML digital signature (XMLDSig) from the notepad-plus-plus.org domain. The software also includes additional security measures, such as removing libcurl.dll and certain unsecured cURL options. A critical vulnerability in Notepad++'s update infrastructure was recently disclosed by Rapid7 researchers. The vulnerability was exploited for six months, but the development team has since addressed these security gaps with new measures.
Notepad++ has recently introduced a highly anticipated "double-lock" design for its update mechanism, aimed at addressing the security gaps that resulted in a supply-chain compromise. The new mechanism, which landed in version 8.9.2 of the software, was announced yesterday, following work on it since version 8.8.9.
The double-lock system is a result of not one, but two verification mechanisms. The first part of this system involves checking the signed installer from GitHub, thereby ensuring that any updates downloaded from the official website are legitimate and have not been tampered with during transmission. This provides a degree of assurance that users will receive a secure update package.
The second part of the double-lock system involves checking the signed XML file returned by the Notepad++ update service from the notepad-plus-plus.org domain, also known as an XML digital signature (XMLDSig). The combination of both verification mechanisms adds to a more robust "and effectively unexploitable" update process, as stated by the team behind the software.
Apart from the newly introduced security measures, the project has taken additional steps to enhance the overall security posture of the software. These include:
Removal of libcurl.dll to eliminate DLL side-loading risk
Removal of two unsecured cURL SSL options: CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE
Restriction of plugin management execution to programs signed with the same certificate as WinGUp
These measures add an extra layer of protection against various types of attacks, making it increasingly difficult for malicious actors to compromise the software.
In early December 2025, a critical vulnerability in Notepad++'s update infrastructure was disclosed by Rapid7 researchers. The vulnerability, known as a supply-chain compromise, resulted from weak update verification controls used in older versions of the software. This vulnerability had been exploited for six months, with attacks attributed to Lotus Blossom, a threat group linked to China.
The attackers started redirecting update requests from specific users to malicious servers, using a custom backdoor called "Chrysalis" as part of their attack chain. The fact that this vulnerability was not addressed by the software's original developers in time for its discovery is particularly noteworthy.
However, following Rapid7’s analysis and disclosure of the attacks, Notepad++’s development team has made significant efforts to address these security gaps. Apart from implementing the double-lock system for their update mechanism, they have also switched to a different hosting provider, rotated credentials, and fixed other vulnerabilities that were exploited in the discovered attacks.
The recommended action for all users of Notepad++ is to upgrade to version 8.9.2 as soon as possible. Additionally, it is essential that installers are always downloaded from the official domain, notepad-plus-plus.org, rather than any other source, to ensure that users receive a legitimate and secure update package.
The increasing importance of robust security measures in software development becomes increasingly apparent with each passing day, as demonstrated by Notepad++’s double-lock mechanism. As we move forward into an era where software vulnerabilities are being exploited at an unprecedented rate, it is crucial for developers to prioritize the implementation of robust security systems in their products.
This approach not only ensures that users receive secure software updates but also serves as a deterrent against potential attackers and mitigates their ability to launch targeted attacks. By prioritizing security measures like Notepad++’s double-lock mechanism, we can foster an environment where software development and deployment are both efficient and secure.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Double-Lock-Mechanism-Notepad-Boosts-Update-Security-Against-Exploited-Supply-Chain-Compromise-ehn.shtml
https://www.bleepingcomputer.com/news/security/notepad-plus-plus-boosts-update-security-with-double-lock-mechanism/
Published: Tue Feb 17 15:54:54 2026 by llama3.2 3B Q4_K_M
