Software updates usually keep us safe, but what happens when hackers hijack the update process itself? This is exactly what happened to Notepad++ during a sophisticated attack in 2025. To solve this, the developers created a new "Double-Lock" security mechanism in version 8.9.2.
Read on to learn why Notepad++ v8.9.2 introduced the 'Double-Lock' security mechanism and how it protects your computer from hijacked updates.
Table of Contents
The Problem: A Hijacked Update Path
Between June and December 2025, a state-sponsored group targeted the Notepad++ update system. These attackers did not find a bug in the Notepad++ code. Instead, they compromised the hosting provider's infrastructure.
Because older versions of Notepad++ did not verify the security certificates of downloaded files, the attackers could redirect users to malicious servers. Consequently, targeted users received a custom backdoor called Chrysalis instead of a real update.
The Solution: The "Double-Lock" Design in Notepad++ 8.9.2
The developers introduced the "Double-Lock" design in Notepad++ version 8.9.2 to make the update process "robust and effectively unexploitable". This system relies on two independent layers of verification:
- Lock 1: Verification of Signed XML. When your computer asks for an update, the server sends back an XML file with instructions. Version 8.9.2 now checks the integrity and authenticity of this XML using a digital signature (XMLDSig). This ensures no one tampered with the update instructions.
- Lock 2: Verification of the Signed Installer. After downloading the actual update file from GitHub, the software checks the digital signature of the installer itself. This verification step ensures the file truly comes from the Notepad++ authors.
By using these two locks, the software ensures that both the "map" (the XML) and the "package" (the installer) are legitimate.
Extra Security Enhancements
Beyond the Double-Lock, the team reinforced the WinGUp auto-updater tool in several ways:
- Removed libcurl.dll: They removed this dependency to stop "DLL side-loading" risks, which hackers often use to hide malware.
- Tightened Plugin Rules: The system now only allows plugin management if the program has a trusted signature from the developer.
- Closed SSL Holes: They removed unsecured options in the updater to prevent older types of web attacks.
Manually Update Notepad++ to Secure Your System
If you are running a version of Notepad++ older than 8.9.1, you must take action. Follow these steps to stay safe:
- Avoid the Internal Updater: Do not use the "Check for Updates" feature in old versions, as hackers once used this path to spread malware.
- Update Manually: Go to the official Notepad++ website and manually download version 8.9.1 or higher.
- Verify Your Installation: Ensure you are using the latest version (v8.9.2) to benefit from the full Double-Lock protection. You can check by clicking "About Notepad++" in the Help menu to see if you have the 8.9.2 security features.
The Notepad++ team has now moved to a more secure hosting provider and closed the technical gaps used in the 2025 attack. By updating manually today, you can ensure your coding environment remains a safe place to work.
