Notepad + + strengthens your updates with a double lock to a supply chain attack

A few weeks ago, Notepad + + officials announced a security update designed to close the doors that used advanced attackers to manipulate the program update mechanism and distribute malware to specific victims. Version 8.9.2 incorporates a reengineering of the process of updates and changes in the self-update to make it difficult for similar attacks in the future. You can read the official ad on the project website Notepad + + v8.9.2 and consult public discussion in the community in community.notepad-plus-plus.org.

The problem was not simply a local failure: the incident originated in an intrusion at the host level that allowed the attackers to redirect certain update requests to servers controlled by them. In doing so, they managed to get some users to receive manipulated installers that included an undocumented backdoor designed to pass unnoticed. Third-party research teams have related this operation to a group with connections to China and have identified the backdoor with the name Chrysalis; the public communication of the project and subsequent analysis attributed the incident to an actor known in cyber-threat investigations.

Notepad + +'s response was not limited to removing the committed packages. Developers introduced what they describe as a "double lock" design in the update flow: In addition to verifying the signature of the installer downloaded from GitHub, the XML signature that returns the update server is now also valid. This second layer of verification reduces the possibility that a manipulation of the network routes or the hosting provider may serve malicious instructions that appear to be legitimate.

In parallel, the component in charge of automatic updates - WinGup - received a number of technical hardships. Among the measures were removed bookstores and options that could facilitate dynamic load operation of DLLs or unsafe TLS configurations; libcurl.dll was deleted to avoid the risk of DLL side-loading, and cURL options associated with unsafe SSL / TLS practices were removed. The implementation of plugin management operations has also been limited to programmes that are signed with the same certificate as WinGup, which helps prevent unauthorized binaries from taking advantage of the plugin mechanism to execute malicious code.

In addition to the improvements in the self-update, the version fixes a high-gravity vulnerability (publicly referred to with the identifier indicated by the developers) that could allow code execution in the context of the application under certain conditions. Developers explain that the root of the problem is an "unsafe search route" type vulnerability when the Windows Explorer is launched without specifying the absolute route to the executable; this kind of weakness is listed by the security community as CWE-426 (Unsafe Search Path), and can be used if an attacker has control over the work directory of the process to get a malicious executable loaded instead of the legitimate one.

The incident was detected internally by project leaders in early December, although the manipulation of the update traffic began months earlier, according to the chronology published by Notepad + +. External researchers and security firms have analysed the samples and behavior of the malware deployed; equipment such as Rapid7 and Kaspersky have included the case in their supply chain threat research areas, which underlines the importance of examining not only the application code but also the services and suppliers that support their updates. You can consult general research resources at Rapid7 Research and on the threat analysis blog of Kaspersky to better understand this kind of campaign.

What should users do now? The basic and most urgent recommendation is update to version 8.9.2 and make sure that the downloads come from the official domain of the project. In addition, it is good practice to verify digital signatures of installers when the developer provides that mechanism, and to distrust installers obtained from unofficial mirrors or links sent by unknown third parties. Notepad + + has published the technical information on the corrections and how the attack routes have been mitigated in its safety repository in security advice in GitHub.

This episode reemphasizes that software supply chains are an attractive vector for motivated and resource actors, because allowing for update control offers an efficient way to compromise systems without the need to exploit each computer individually. The lesson for administrators and users is double: to strengthen controls at central points (suppliers, update servers, signatures and certificates) and to maintain digital hygiene including verified updates and the use of official sources.

If you are responsible for maintaining workstations or servers with Notepad + +, prioritize the installation of the update and review internal procedures for the download and verification of installers. Keeping attention to the integrity of updates is now as important as keeping the software up-to-date: both actions are complemented to reduce the risk that an apparent cause of security will become a real incident.