- What: Notepad++ released version 8.9.2 with enhanced security measures to prevent supply chain attacks on its update process.
- Impact: The update process now validates both the instructions and the payload, making it more robust against compromise.
Notepad++ has continued beefing up security with a release the project's author claims makes the "update process robust and effectively unexploitable."

Version 8.9.2 adds verification of the signed XML returned by notepad-plus-plus.org. Combined with verification of the signed installer, introduced in version 8.8.9, the update process now validates both the instructions and the payload, which is the basis for the "unexploitable" claim.

According to the project's author, a state-sponsored cybercriminal compromised the editor's update service. Security researchers attributed the attack to a Chinese government-linked espionage crew called Lotus Blossom. The hack selectively redirected some update traffic to an attacker-controlled site serving malware disguised as a legitimate update to victims.

A "hardened" version of the editor was released on December 9, 2025, followed by a release that dropped the use of a self-signed certificate on December 27. With laudable transparency, the project's author followed up the releases with a post explaining what had happened, stating that the upcoming version 8.9.2 would enforce certificate and signature verification. Less than a month later, here we are.

The author also noted additional hardening for the auto-updater, WinGUp. The libcurl.dll dependency was removed "to eliminate DLL side-loading risk," plugin management execution has been restricted to the program signed with the same certificate as WinGUp, and two unsecured cURL SSL options, CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE, have been removed.
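The "both instructions and payload" logic described above, modelled as an added example (this is not Notepad++ or WinGUp code). It assumes a constructed manifest layout and uses HMAC-SHA256 as a stand-in for the certificate-based signatures the real updater checks; the host pin is an extra defence-in-depth check, not something the article attributes to the project.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Stand-in for the vendor's signing key. WinGUp relies on certificate-based
# signatures (a signed XML manifest plus a signed installer); HMAC-SHA256 is
# used here only so the example runs offline with the standard library.
VENDOR_KEY = b"constructed-vendor-key-not-real"
EXPECTED_HOST = "notepad-plus-plus.org"


def sign(data: bytes) -> str:
    """Produce the (stand-in) signature over manifest or installer bytes."""
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).hexdigest()


def build_manifest(version: str, url: str, installer: bytes) -> bytes:
    """Constructed manifest layout for this example; not WinGUp's real schema."""
    digest = hashlib.sha256(installer).hexdigest()
    return (f"<GUP><Version>{version}</Version><Location>{url}</Location>"
            f"<Sha256>{digest}</Sha256></GUP>").encode()


@dataclass
class Decision:
    ok: bool
    reason: str


def check_update(manifest: bytes, manifest_sig: str,
                 installer: bytes, installer_sig: str) -> Decision:
    # Lock 1, the instructions: refuse to even parse an unauthenticated manifest,
    # so a redirected or rewritten XML cannot steer the download anywhere.
    if not hmac.compare_digest(sign(manifest), manifest_sig):
        return Decision(False, "manifest signature invalid")
    root = ET.fromstring(manifest)
    url = root.findtext("Location") or ""
    host = url.split("/")[2] if url.startswith("https://") else ""
    if host != EXPECTED_HOST:  # added host pin, defence in depth beyond the signature
        return Decision(False, f"download host {host!r} not allowed")
    # Lock 2, the payload: the installer itself must carry a valid vendor signature ...
    if not hmac.compare_digest(sign(installer), installer_sig):
        return Decision(False, "installer signature invalid")
    # ... and must be the exact binary the signed manifest named, so a genuine
    # but different (for example older) signed installer cannot be substituted.
    if hashlib.sha256(installer).hexdigest() != root.findtext("Sha256"):
        return Decision(False, "installer does not match manifest")
    return Decision(True, f"update {root.findtext('Version')} accepted")
```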
The author added: "Of course, it's always possible to exclude the auto-updater during the UI installation, or to deploy the MSI package using the following command: msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1." Updating to the latest version would therefore seem prudent. The "Double-Lock" design is intended to make the Notepad++ update process more robust, although the "effectively unexploitable" statement feels a little like a gauntlet being thrown at the feet of miscreants.