What happened
Notepad++ released version 8.9.2, which introduces a "double-lock" update check to prevent tampering with software updates after a prior supply chain compromise. Before an update is applied, the updater now verifies two independently signed artifacts: the digitally signed installer hosted on GitHub and a separately signed XML update descriptor served by the official update server at notepad-plus-plus.org. Because the two signatures are produced with different keys and delivered through different infrastructure, an attacker who controls only the update server (the position the earlier intruders held) can no longer point the updater at a tampered binary; they would also need the installer signing key. The release adds further hardening: libcurl.dll is removed to close a DLL sideloading path, insecure SSL configurations are disabled, and plugin execution is restricted to trusted, signed programs. The changes follow a campaign attributed to the Lotus Blossom threat group, which compromised Notepad++ update infrastructure between June and December 2025 and used it to distribute malicious update payloads.
Who is affected
Any user or organization still running a Notepad++ release older than 8.9.2 is affected. Installations that rely on the built-in automatic updater are the most exposed, because those versions lack the second signature check and therefore cannot detect a tampered update descriptor served from compromised update infrastructure.
Why CISOs should care
The incident shows that a trusted application's update channel is an attack surface in its own right: once update infrastructure is compromised, routine patching becomes a malware delivery mechanism at scale, and the only reliable control is signature verification anchored in keys the update server does not hold. It is also a reminder that "download only from the official site" is not a sufficient control when the official site is what was compromised.
3 practical actions
- Upgrade Notepad++ immediately. Install version 8.9.2 or later so the double-lock update verification is in place, and treat any installation that updated between June and December 2025 as a candidate for investigation.
- Verify installers, not just their source. Download only from official Notepad++ infrastructure, then check the installer's Authenticode signature (valid chain and the expected publisher, not merely "signed") and compare its hash against a value published through a separate channel before installing.
- Review enterprise update controls. Confirm that software update processes enforce signature and integrity validation that chains to the expected publisher, and that a single compromised download or update server cannot, on its own, push a binary onto endpoints.
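The following PowerShell function is an added example, not code from the Notepad++ project, showing how an administrator can apply the same two-independent-checks idea to a manually downloaded installer before rolling it out: the Authenticode signature must be valid and come from the expected publisher, and the file's SHA-256 hash must match a value obtained through a channel the download server does not control. The installer path, the publisher subject pattern and the expected hash are placeholders; confirm the real signer name and hash from a trusted source before relying on them.

```powershell
# Added example (not Notepad++ project code). Mirrors the double-lock idea for
# a downloaded installer: two independent trust checks, both of which must pass.
# $ExpectedSubjectPattern and $ExpectedSha256 are assumptions/placeholders that
# must be filled from a trusted source (e.g. the publisher's release notes or an
# internal allowlist), not values taken from this page.

function Test-InstallerDoubleLock {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Regex applied to the signing certificate subject; assumption, verify against the real cert.
        [Parameter(Mandatory)][string]$ExpectedSubjectPattern,
        # SHA-256 hex digest published through a channel separate from the download host.
        [Parameter(Mandatory)][string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Installer not found: $Path"
    }

    # Lock 1: Authenticode chain must validate AND the leaf must be the expected publisher.
    # A binary signed with some other valid certificate fails the subject check.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $sigOk = ($sig.Status -eq 'Valid') -and
             ($null -ne $sig.SignerCertificate) -and
             ($sig.SignerCertificate.Subject -match $ExpectedSubjectPattern)

    # Lock 2: the file hash must match a value the download server could not have altered.
    # Get-FileHash returns an upper-case hex string, so normalise the expected value.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = ($actual -eq $ExpectedSha256.ToUpperInvariant())

    [pscustomobject]@{
        Path         = $Path
        SignerStatus = $sig.Status
        Signer       = if ($null -ne $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SignatureOk  = $sigOk
        Sha256       = $actual
        HashOk       = $hashOk
        Trusted      = ($sigOk -and $hashOk)   # fail closed unless both locks pass
    }
}

# Usage (placeholder path, subject pattern and hash; replace with verified values):
$result = Test-InstallerDoubleLock `
    -Path 'C:\Downloads\npp.installer.x64.exe' `
    -ExpectedSubjectPattern '^CN=Notepad\+\+' `
    -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000'

$result | Format-List
if (-not $result.Trusted) {
    Write-Error 'Installer failed double-lock verification; do not install.'
}
```

The two checks are deliberately independent: a compromised download host cannot forge a valid signature from the publisher's key, and an attacker who obtains some other code-signing certificate is caught by the subject match and by the hash mismatch. Treat a `SignerStatus` other than `Valid` (for example `NotSigned` or `HashMismatch`) as a hard stop, not a warning.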
