Notepad++ adds double-lock update verification in 8.9.2 after supply-chain compromise


In a release, Notepad++ said version 8.9.2 implements a “double-lock” update mechanism to address a supply-chain compromise that redirected some update requests for about six months beginning in June 2025.

KEY FACTS

  • Incident: Update infrastructure was compromised and served malicious updates
  • Fix: Double-lock verification in Notepad++ 8.9.2
  • Duration: Compromise ran from June 2025 until discovery on December 2, 2025
  • Action: Users should upgrade and use installers from notepad-plus-plus.org

The double-lock design requires two independent checks. The updater verifies the signed installer retrieved from GitHub and validates a digitally signed XML file returned from the notepad-plus-plus.org update service using XMLDSig.
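As an added illustration (not WinGUp's own code), the Go model below shows the double-lock logic: the update manifest and the installer are verified under two independent keys, and the manifest's embedded hash binds the two together, so a host that controls only the update service cannot pass both checks. Ed25519 signatures stand in for the real XMLDSig and installer code-signature checks; the keys, manifest layout and installer bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest stands in for the signed XML returned by the update service.
type Manifest struct {
	Version      string
	InstallerSHA string // hex SHA-256 of the installer the manifest vouches for
}

// Bytes is the canonical form the service signature covers.
func (m Manifest) Bytes() []byte { return []byte(m.Version + "\n" + m.InstallerSHA) }

// VerifyDoubleLock accepts an update only if both independent locks hold (service
// signature over the manifest, vendor signature over the installer) and the hash binds them.
func VerifyDoubleLock(m Manifest, mSig, installer, iSig []byte,
	servicePub, vendorPub ed25519.PublicKey) error {
	if !ed25519.Verify(servicePub, m.Bytes(), mSig) {
		return fmt.Errorf("lock 1: update manifest signature invalid")
	}
	if !ed25519.Verify(vendorPub, installer, iSig) {
		return fmt.Errorf("lock 2: installer signature invalid")
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.InstallerSHA {
		return fmt.Errorf("manifest does not vouch for this installer")
	}
	return nil
}

// Demo signs a constructed installer and manifest with two constructed keys, then
// returns the verdicts for a clean update and two tampering attempts.
func Demo() (good, swappedInstaller, forgedManifest error) {
	servicePub, servicePriv, _ := ed25519.GenerateKey(rand.Reader)
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer bytes 8.9.2")
	sum := sha256.Sum256(installer)
	m := Manifest{Version: "8.9.2", InstallerSHA: hex.EncodeToString(sum[:])}
	mSig, iSig := ed25519.Sign(servicePriv, m.Bytes()), ed25519.Sign(vendorPriv, installer)
	good = VerifyDoubleLock(m, mSig, installer, iSig, servicePub, vendorPub)
	// A hijacked host serving a different file fails lock 2 (and the hash binding).
	swappedInstaller = VerifyDoubleLock(m, mSig, []byte("other file"), iSig, servicePub, vendorPub)
	// A hijacked host rewriting the manifest cannot re-sign it, so lock 1 fails.
	forged := Manifest{Version: "9.0.0", InstallerSHA: m.InstallerSHA}
	forgedManifest = VerifyDoubleLock(forged, mSig, installer, iSig, servicePub, vendorPub)
	return
}

func main() { fmt.Println(Demo()) }
```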

Other updater changes remove libcurl.dll to reduce DLL side-loading risk and drop two insecure cURL SSL options, CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE. Plugin management is limited to programs signed with the same certificate as WinGUp. The MSI can be deployed without the auto-updater using msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1.

The update infrastructure was compromised after the hosting provider that ran the updater was taken over in June 2025. The attacker selectively redirected update requests to malicious servers until the activity was discovered on December 2, 2025. The campaign lasted roughly six months, involved a custom backdoor called Chrysalis, and is attributed to the Lotus Blossom group.

The project switched hosting providers, rotated credentials, and fixed the flaws exploited in the attacks. The release recommends that all users upgrade to 8.9.2 and download installers only from the official notepad-plus-plus.org domain.

WHY IT MATTERS

Stronger update verification reduces the risk that a compromised host can deliver malicious installers to users. Upgrading and using the official download source restores the intended security checks and limits future supply-chain tampering.