{"id":7155,"date":"2026-02-18T22:18:27","date_gmt":"2026-02-18T22:18:27","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7155"},"modified":"2026-02-18T22:18:27","modified_gmt":"2026-02-18T22:18:27","slug":"notepad-author-says-fixes-make-update-mechanism-effectively-unexploitable","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7155","title":{"rendered":"Notepad++ author says fixes make update mechanism \u2018effectively unexploitable\u2019"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The recently compromised update mechanism for the popular open source text editor Notepad++ has been hardened so it\u2019s now \u2018effectively unexploitable\u2019, says the application\u2019s author.<\/p>\n<p><a href=\"https:\/\/notepad-plus-plus.org\/author\/\" target=\"_blank\" rel=\"noopener\">Don Ho<\/a> made the claim this week after <a href=\"https:\/\/notepad-plus-plus.org\/news\/v892-released\/\" target=\"_blank\" rel=\"noopener\">the release of version 8.9.2<\/a> of Notepad++, which adds a double-lock verification meant to ensure that any download of the tool from this point on is genuine. 
The new version verifies the signed XML manifest returned by the update server, on top of the first hardening step in version 8.8.9, released in December, which verifies the signature on the installer downloaded from GitHub.<\/p>\n<p>The application auto-updater has also been reinforced.<\/p>\n<p>These measures aren\u2019t foolproof, Ho admits in his blog, because a user can exclude the auto-updater during the UI installation, or deploy the installer with a command-line option that disables the updater.<\/p>\n<p>In an email today to <em>CSOonline<\/em>, Ho said that no system can ever be declared absolutely unbreakable, \u201cbut the new design dramatically raises the bar.\u201d<\/p>\n<p>An attacker must now compromise both the hosting infrastructure and the signing keys, he explained, adding that the updater now validates both the manifest and the installer, each with an independent cryptographic signature. Any mismatch, missing signature, or certificate anomaly causes the update to abort automatically.<\/p>\n<p>\u201cThis layered verification makes the update chain resilient even in the face of future infrastructure\u2011level compromises,\u201d he concluded.<\/p>\n<h2 class=\"wp-block-heading\">Another supply chain attack<\/h2>\n<p>One reason the compromise went undetected for so long is that only a small number of downloaders \u2014 far less than 0.1% \u2014 were specifically targeted by the attackers, Ho said, and the attackers were very cautious. \u201cTheir goal was long\u2011term espionage,\u201d he noted, \u201cso they acted quietly and deliberately to remain undetected for as long as possible.\u201d<\/p>\n<p>Compromising the update mechanism of an application is a classic way for a threat actor to infiltrate dozens, hundreds, or thousands of organizations that then unwittingly use the hacked version of the software. 
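The layered verification Ho describes, worked through as an added example. This is not Notepad++'s or Don Ho's code and the article gives no details of the real implementation: the manifest schema, the choice of Ed25519 for both signatures, the key handling and every input are assumptions constructed for the example. It pins two independent public keys in the client, one for the XML manifest served by the update server and one for the installer, binds the two with the installer hash carried in the signed manifest, and aborts on any missing or invalid signature, unparsable manifest or hash mismatch. The Scenarios function then runs a genuine release and four attacks in which the adversary controls the hosting and the update server but holds neither signing key, which is the compromise the article describes, and shows that only the genuine release is accepted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
)

// Manifest is a minimal update manifest. Its element names are an assumption for this example, not Notepad++'s real schema.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	SHA256  string   `xml:"sha256"` // hex SHA-256 of the installer the manifest names
}

// SignedUpdate is what the client holds: the manifest from the update server, the installer from the download host, and a detached signature over each.
type SignedUpdate struct {
	ManifestXML, ManifestSig []byte
	Installer, InstallerSig  []byte
}

// Verify is the "double lock": manifest and installer are each checked against an independently pinned key, then bound together by the hash in the manifest.
func Verify(manifestKey, installerKey ed25519.PublicKey, u SignedUpdate) (*Manifest, error) {
	// Lock 1: never parse a manifest whose signature has not been checked (a missing or truncated signature fails here too).
	if !ed25519.Verify(manifestKey, u.ManifestXML, u.ManifestSig) {
		return nil, fmt.Errorf("update aborted: manifest signature missing or invalid")
	}
	var m Manifest
	if err := xml.Unmarshal(u.ManifestXML, &m); err != nil {
		return nil, fmt.Errorf("update aborted: manifest unparsable: %v", err)
	}
	// Lock 2: the installer needs its own valid signature from the release key, whatever the manifest says.
	if !ed25519.Verify(installerKey, u.Installer, u.InstallerSig) {
		return nil, fmt.Errorf("update aborted: installer signature missing or invalid")
	}
	// Binding: the signed manifest must name exactly this installer, so a genuinely signed but different (e.g. older) build is rejected too.
	sum := sha256.Sum256(u.Installer)
	if want, err := hex.DecodeString(m.SHA256); err != nil || !bytes.Equal(sum[:], want) {
		return nil, fmt.Errorf("update aborted: installer hash does not match manifest")
	}
	return &m, nil
}

// Publisher stands in for the release side. Keys are generated in-process only so the example runs offline; in reality the private halves live in separate signing environments and the client ships with just the two public keys.
type Publisher struct {
	ManifestPub, InstallerPub   ed25519.PublicKey
	manifestPriv, installerPriv ed25519.PrivateKey
}

func NewPublisher() *Publisher {
	mp, mk, err1 := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	ip, ik, err2 := ed25519.GenerateKey(nil)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	return &Publisher{ManifestPub: mp, InstallerPub: ip, manifestPriv: mk, installerPriv: ik}
}

// Release signs an installer and a manifest that names its hash.
func (p *Publisher) Release(version string, installer []byte) SignedUpdate {
	sum := sha256.Sum256(installer)
	manifest := []byte(fmt.Sprintf("<update><version>%s</version><sha256>%s</sha256></update>", version, hex.EncodeToString(sum[:])))
	return SignedUpdate{
		ManifestXML: manifest, ManifestSig: ed25519.Sign(p.manifestPriv, manifest),
		Installer: installer, InstallerSig: ed25519.Sign(p.installerPriv, installer),
	}
}

// Scenarios runs a genuine release and four attacks through Verify and reports which the client accepts. In every
// attack the adversary controls the update server and download host (as in the incident) but holds neither private key.
func Scenarios() map[string]bool {
	pub := NewPublisher()
	accepted := func(u SignedUpdate) bool { _, err := Verify(pub.ManifestPub, pub.InstallerPub, u); return err == nil }
	genuine := pub.Release("8.9.2", []byte("constructed installer bytes for 8.9.2"))
	swapped := genuine // payload substituted on the download host, manifest untouched
	swapped.Installer = []byte("constructed attacker payload")
	rewritten := swapped // manifest edited to name the payload's hash, but the attacker cannot re-sign it
	h := sha256.Sum256(swapped.Installer)
	rewritten.ManifestXML = []byte(fmt.Sprintf("<update><version>8.9.2</version><sha256>%s</sha256></update>", hex.EncodeToString(h[:])))
	resigned := NewPublisher().Release("8.9.2", swapped.Installer) // manifest and payload both signed with the attacker's own keys
	downgrade := genuine // a genuinely signed older build served under the current manifest
	old := pub.Release("8.8.8", []byte("constructed installer bytes for 8.8.8"))
	downgrade.Installer, downgrade.InstallerSig = old.Installer, old.InstallerSig
	return map[string]bool{
		"genuine release":               accepted(genuine),
		"installer swapped on host":     accepted(swapped),
		"manifest rewritten, unsigned":  accepted(rewritten),
		"re-signed with attacker keys":  accepted(resigned),
		"downgrade to old signed build": accepted(downgrade),
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-30s accepted=%v\n", name, ok)
	}
}
```

Run it with go run; only "genuine release" comes back accepted. The point of the two keys is the one Ho makes: an attacker who owns the hosting can substitute the installer, rewrite the manifest, or re-sign both with their own keys, and every one of those fails without the project's private keys. The hash binding is what stops a genuinely signed but wrong build. A production client would additionally compare the manifest version against the running version to refuse downgrades, verify the installer's platform code signature (Windows installers are typically Authenticode-signed rather than Ed25519-signed) and check the TLS certificate of the update server, none of which this example models.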
One of the most notorious examples was the 2019\/2020 compromise of the <a href=\"https:\/\/www.csoonline.com\/article\/570191\/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html\" target=\"_blank\" rel=\"noopener\">update infrastructure of SolarWinds\u2019 Orion<\/a> network monitoring suite. Another was the 2017 <a href=\"https:\/\/www.csoonline.com\/article\/573049\/5-years-after-notpetya-lessons-learned.html\" target=\"_blank\" rel=\"noopener\">NotPetya attack<\/a> that spread around the world after the update mechanism of a Ukrainian tax application was hacked.<\/p>\n<p>The Notepad++ problem began <a href=\"https:\/\/www.csoonline.com\/article\/4126269\/notepad-infrastructure-hijacked-by-chinese-apt-in-sophisticated-supply-chain-attack.html\" target=\"_blank\" rel=\"noopener\">with the discovery<\/a> that the IT infrastructure hosting Notepad++ had been compromised in June 2025 and was being used to deliver a custom backdoor. In the highly targeted attack, update traffic from selected users was redirected to attacker-controlled servers, which served the malicious updates. <a href=\"https:\/\/www.rapid7.com\/blog\/post\/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit\/\" target=\"_blank\" rel=\"noopener\">Researchers at Rapid7 believe<\/a> a China-based group dubbed Lotus Blossom was behind the attack.<\/p>\n<p>The project\u2019s former hosting provider believes the shared hosting server was compromised from June to September of 2025. However, even after losing server access, the attackers maintained credentials to internal services until December 2, 2025, allowing the continued redirection of Notepad++ update traffic. With the release of Notepad++ version 8.8.9, and the security hardening, all attacker access was terminated. 
Version 8.9.1 added further security enhancements, and this week\u2019s version 8.9.2 instituted the double-lock process.<\/p>\n<h2 class=\"wp-block-heading\">Lessons learned<\/h2>\n<p>\u201cDevelopers must plan for adversaries who are patient, sophisticated, and selective,\u201d Ho said. Infrastructure is part of your attack surface, he pointed out; even if your code is secure, a weak link in hosting, DNS, or a content delivery network (CDN) can undermine everything. \u201cContinuous monitoring and strict credential hygiene are essential,\u201d he said, and application developers must assume that partial compromise is possible and design applications and their delivery and update mechanisms for failure.<\/p>\n<p>And if there is a compromise, he added, rapid disclosure, detailed technical explanations, and prompt fixes help users understand the scope and maintain confidence in the project.<\/p>\n<p><a href=\"https:\/\/www.forrester.com\/analyst-bio\/jeff-pollard\/BIO10584\" target=\"_blank\" rel=\"noopener\">Jeff Pollard<\/a>, who leads Forrester Research\u2019s work on the role of the CSO, said the fixes \u201csignificantly reduce\u201d the risk of this specific failure mode recurring. But, he added, no single change \u2018solves\u2019 all supply chain risks. Attackers can shift to other choke points such as build pipelines or signing keys, he pointed out. 
\u201cThe key takeaway is that Notepad++ closed the exploited gap and raised the attacker cost,\u201d he said.<\/p>\n<p>Small utilities like Notepad++ usually sit outside of procurement, inventory, and third-party risk management controls, he said, yet they are ubiquitous among technical users, which makes them valuable targets for adversaries.<\/p>\n<p>\u201cAsset management and software inventory is a perpetual problem for enterprises, but this event demonstrates why it\u2019s so important to understand all the software in your environment, no matter how big or small it is,\u201d he said.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/douglas-mckee-77460677\/\" target=\"_blank\" rel=\"noopener\">Douglas McKee<\/a>, Rapid7\u2019s senior director of vulnerability intelligence, said the Notepad++ supply chain incident underscores a broader evolution in how threat actors think about software trust and persistence. While updates to the Notepad++ distribution mechanism and the release of version 8.9.2 with enhanced double-lock update security help close the specific vulnerability exploited in this campaign, they do not on their own solve the systemic problem of modern supply chain risk.<\/p>\n<p>\u201cWhat this incident makes clear, and what organizations must internalize, is that supply chain security cannot be limited to source code and build systems,\u201d he said. \u201cAttackers targeted hosting infrastructure and update delivery flows outside of the project\u2019s direct control. Only by reinforcing signature and certificate validation, and treating update infrastructure as part of the attack surface, can defenders meaningfully reduce exposure.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The recently compromised update mechanism for the popular open source text editor Notepad++ has been hardened so it\u2019s now \u2018effectively unexploitable\u2019, says the application\u2019s author. 
Don Ho made the claim this week after the release of version 8.9.2 of Notepad++, which includes a double-lock verification that any download of the tool from this point [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7156,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7155","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7155"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7155"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7155\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7156"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}