Notepad++ applies a "double lock" to harden its updates against supply chain attacks

Published. 4 min read.

The lessons of the recent hijacking of the Notepad++ update infrastructure can be read in the very solution its development team has shipped: a two-layer verification logic intended to close the window that the attackers exploited for months. The version that incorporates this design, 8.9.2, landed with changes designed so that simply tampering with the update server is no longer enough to force the installation of malicious code.

Underneath, the problem was a classic of supply chain campaigns: trust rested on a single link (the server that served the updates), and once that hosting was compromised, the malicious actor could redirect selected users to trap servers. According to public research and media coverage, the intrusion lasted several months and ended up exposing a backdoor that researchers track as "Chrysalis". For the Notepad++ team, the diagnosis was clear: the update process had to stop depending on a single point of failure. The official announcement is in the release note published by Notepad++, and BleepingComputer covered the case.


The central idea of the new mechanism, which its maintainers describe as a "double lock", combines two different checks that must both pass before an update is considered valid. On one side, verification of the digital signature on the installer, which is hosted on GitHub; on the other, verification of the digital signature on the XML file returned by the update service on the official domain. This second layer uses XML Signature (XMLDSig) to ensure that the update manifest has not been altered even if the server that delivers it has been tampered with. The W3C XML Signature specification explains how this verification works: W3C - XML Signature.

In practical terms, an attacker would need to compromise both the ability to sign valid installers (the private key that signs the binaries) and the authority that signs the XML manifests served from the official site. That threshold is precisely what makes the defense "much more robust" against attacks that rely solely on controlling the file hosting. One caveat a practitioner should keep in mind: the two locks are only independent if the two signing keys are kept apart and neither lives on the update server itself, and a verifier must pin the expected signing keys rather than trust whatever key material the downloaded manifest embeds, since an attacker who can rewrite the manifest can also re-sign it with a key of their own.
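The two checks described above, written out as a client-side verifier. This is an added example, not code from Notepad++ or WinGup, and the real updater may implement the checks differently: it assumes an installer fetched from GitHub, an XML manifest fetched from the official domain carrying an enveloped XMLDSig signature (Reference URI ""), a manifest signing certificate obtained out of band, and a list of allowed installer signer thumbprints. All paths, filenames and thumbprints are placeholders.

```powershell
# Added example, not code from Notepad++ or WinGup. Lock 1 = Authenticode signature on the
# installer, pinned to the expected publisher. Lock 2 = XMLDSig signature on the update
# manifest, verified against a pinned certificate. Paths and thumbprints are hypothetical.
param(
    [string]$InstallerPath = "$env:TEMP\npp.8.9.2.Installer.x64.exe",   # downloaded from GitHub (assumed)
    [string]$ManifestPath  = "$env:TEMP\update.xml",                    # fetched from the official domain (assumed)
    [string]$ManifestSignerCert = "$PSScriptRoot\manifest-signer.cer",  # obtained out of band, never from the manifest
    [string[]]$AllowedInstallerThumbprints = @('0000000000000000000000000000000000000000')  # placeholder
)

# Windows PowerShell 5.1: SignedXml lives in System.Security. On PowerShell 7 use
# Add-Type -AssemblyName System.Security.Cryptography.Xml instead.
Add-Type -AssemblyName System.Security

function Test-InstallerSignature {
    param([string]$Path, [string[]]$AllowedThumbprints)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Lock 1 failed: installer signature status is $($sig.Status) ($($sig.StatusMessage))"
        return $false
    }
    # A chain that validates is not enough: anyone can buy a code-signing certificate.
    # Pin the publisher so a validly signed binary from someone else is rejected too.
    if ($AllowedThumbprints -notcontains $sig.SignerCertificate.Thumbprint) {
        Write-Warning "Lock 1 failed: installer signed by unexpected certificate '$($sig.SignerCertificate.Subject)'"
        return $false
    }
    return $true
}

function Test-ManifestSignature {
    param([string]$Path, [System.Security.Cryptography.X509Certificates.X509Certificate2]$PinnedCert)
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true   # canonicalization is whitespace-sensitive
    $doc.XmlResolver = $null          # never fetch DTDs or external entities from an untrusted manifest
    $doc.Load($Path)

    $sigNodes = $doc.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')
    if ($sigNodes.Count -ne 1) {
        Write-Warning "Lock 2 failed: expected one Signature element, found $($sigNodes.Count)"
        return $false
    }
    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signedXml.LoadXml([System.Xml.XmlElement]$sigNodes[0])

    # Verify against the pinned certificate's public key, never against the <KeyInfo> the
    # document carries: whoever rewrote the manifest can also rewrite its embedded key.
    # $true = check the signature only; trust in the key comes from pinning, not from a chain.
    if (-not $signedXml.CheckSignature($PinnedCert, $true)) {
        Write-Warning "Lock 2 failed: manifest XML signature does not verify against the pinned key"
        return $false
    }
    # An enveloped signature must cover the whole document (Reference URI ""); otherwise the
    # signed part could be a harmless fragment while the download URL sits outside it.
    $wholeDoc = $signedXml.SignedInfo.References | Where-Object { $_.Uri -eq '' }
    if (-not $wholeDoc) {
        Write-Warning "Lock 2 failed: manifest signature does not reference the whole document"
        return $false
    }
    return $true
}

$pinned = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ManifestSignerCert)

# Evaluate both locks (no short-circuit) so the log shows every failure, then require both.
$lock1 = Test-InstallerSignature -Path $InstallerPath -AllowedThumbprints $AllowedInstallerThumbprints
$lock2 = Test-ManifestSignature  -Path $ManifestPath  -PinnedCert $pinned

if ($lock1 -and $lock2) {
    Write-Output "Both locks passed; $InstallerPath may be installed"
    exit 0
}
Write-Error "Update rejected: installer ok=$lock1, manifest ok=$lock2"
exit 1
```

With this structure, the scenario the article describes (only the update server is compromised) fails at lock 2: a manifest re-signed with the attacker's key does not verify against the pinned certificate even if the attacker embeds a matching KeyInfo, and a genuine manifest pointing at a tampered installer fails at lock 1. The thumbprint list has to be refreshed when the project renews its code-signing certificate, which is the maintenance cost of pinning.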

Beyond the double signature check, the update includes several fixes aimed at cutting off classic exploitation vectors. The libcurl.dll library has been removed to minimize the risk of DLL sideloading, cURL options that weakened TLS behaviour in earlier versions have been dropped, and plugin management operations may now only execute programs signed with the same certificate as the updater (WinGup). These changes close routes through which a legitimate component could be forced to load or run malicious code.
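For administrators rolling the release out across a fleet, a post-install audit for the three hardening points above. This is an added example, not project code; the install directory, the updater path (WinGup as updater\GUP.exe) and the version string format are assumptions to adjust to your layout.

```powershell
# Added example, not Notepad++ project code: checks an installed copy against the
# hardening described above. Install path, updater path and version format are assumed.
param([string]$InstallDir = "$env:ProgramFiles\Notepad++")   # hypothetical default location

$findings   = New-Object System.Collections.Generic.List[string]
$mainExe    = Join-Path $InstallDir 'notepad++.exe'
$updaterExe = Join-Path $InstallDir 'updater\GUP.exe'        # WinGup binary; path is an assumption

# 1. Version: the hardened updater shipped with 8.9.2 according to the release note.
$ver = (Get-Item $mainExe).VersionInfo.ProductVersion
try {
    if ([version]$ver -lt [version]'8.9.2') { $findings.Add("notepad++.exe is $ver, older than 8.9.2") }
} catch {
    $findings.Add("could not parse product version '$ver' of notepad++.exe")
}

# 2. libcurl.dll was removed from the package; a copy beside the binaries is exactly the
#    sideload candidate the change eliminated (or a leftover from an older install).
foreach ($dir in @($InstallDir, (Split-Path $updaterExe))) {
    $dll = Join-Path $dir 'libcurl.dll'
    if (Test-Path $dll) { $findings.Add("libcurl.dll present at $dll (DLL sideloading candidate)") }
}

# 3. The plugin manager now only runs programs carrying the updater's signing certificate,
#    so the editor and the updater on disk should both be validly signed by one publisher.
$thumbs = @{}
foreach ($f in @($mainExe, $updaterExe)) {
    $s = Get-AuthenticodeSignature -FilePath $f
    if ($s.Status -ne 'Valid') { $findings.Add("$f signature status is $($s.Status)") }
    else { $thumbs[$f] = $s.SignerCertificate.Thumbprint }
}
if ($thumbs.Count -eq 2 -and ($thumbs[$mainExe] -ne $thumbs[$updaterExe])) {
    $findings.Add("notepad++.exe and GUP.exe are signed by different certificates")
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $InstallDir matches the 8.9.2 hardening"
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

A non-zero exit code makes the script usable as a compliance check from a management agent; the libcurl.dll test is deliberately a presence check rather than a hash comparison, because the point of the change is that the library should not be loadable from the application directory at all.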

The project's response did not stop at code changes: the service was migrated to another hosting provider, credentials were rotated and the exploited weaknesses were patched. The recommendation that developers and analysts alike repeat is simple and urgent: update to version 8.9.2 and always download installers from the official domain notepad-plus-plus.org. For enterprise deployments, or for users who prefer not to use the built-in updater, the MSI installer allows the component to be excluded with the NOUPDATER=1 property, for example: msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1.

This incident is a reminder of how software supply chains work today: attackers have become more sophisticated, so defenses must incorporate redundancy and cryptographic verification at several levels. A single digital seal is no longer enough if the delivery process can be tampered with; hence the Notepad++ approach, in which every update must pass two independent controls before it runs on the user's machine.


Still, no fix is infallible on its own. The community and organizations should complement these improvements with good practice: verify signatures manually where possible, maintain controlled deployment policies in critical environments and monitor for signs of abnormal behaviour after an update. And, of course, rely only on official sources when downloading installers.

For the technical detail and the statement of the researchers who helped uncover the campaign, the available press releases and public analyses give context on the tactics and duration of the attack. The news was widely covered by specialist outlets and by the project itself, which has rolled out these countermeasures to reduce the likelihood of a repeat.

In summary: Notepad++ has hardened its update process with two-level verification and other security measures; updating to version 8.9.2 and always downloading from the official website is, for now, the best action any user can take.
