Notepad++ has rolled out a “double-lock” update verification in version 8.9.2 that checks both the GitHub-signed installer and an XMLDSig-signed XML from notepad-plus-plus.org to prevent supply-chain tampering. The change follows a six-month compromise attributed to the Lotus Blossom group that used the Chrysalis backdoor, and users are urged to upgrade to 8.9.2 and download installers only from the official domain. #NotepadPlusPlus #LotusBlossom
Keypoints
- Notepad++ introduced a “double-lock” update mechanism in v8.9.2 combining GitHub installer verification and XMLDSig-signed update XML.
- The fixes in this update address a six-month supply-chain compromise attributed to the Lotus Blossom group, which deployed the Chrysalis backdoor.
- The auto-updater was hardened by removing libcurl.dll, eliminating unsafe cURL SSL options, and restricting plugin management execution to programs signed with WinGUp’s certificate.
- The project migrated hosting providers, rotated credentials, and patched the flaws exploited in the attacks.
- Users should upgrade to v8.9.2 and download installers only from notepad-plus-plus.org; alternatively, the auto-updater can be disabled by passing NOUPDATER=1 when deploying the MSI.