Double-Locked and Hardened: Inside the Notepad++ Fight Against the “Chrysalis” Supply Chain Attack
The maintainers of Notepad++ have released security update 8.9.2 to close the weaknesses recently exploited by a sophisticated threat actor with suspected Chinese affiliations. These adversaries intercepted the update mechanism to selectively deliver malicious payloads to high-value targets.
Project maintainer Don Ho announced the implementation of a “double-lock” authentication scheme, engineered to make the update path resilient against unauthorized substitution. The scheme relies on two independent verifications: since version 8.8.9, the application has validated the digital signature of installers retrieved from GitHub, and version 8.9.2 adds a signature check on the XML response returned by the update server at notepad-plus-plus.org.
Furthermore, the WinGUp auto-update component has been hardened. Removing libcurl.dll mitigates the risk of DLL hijacking, and two insecure SSL settings in the cURL configuration have been dropped to strengthen transport security. Plugin management operations are now restricted to executables signed with the same certificate as WinGUp itself.
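To make the two-stage check concrete, the following is an added Go example (not Notepad++'s or WinGUp's code) of a verifier that accepts an update only if the server's XML response verifies under one key and the downloaded installer verifies under a second key, failing closed otherwise. The manifest schema, the use of Ed25519, and the binding of the installer's SHA-256 digest to the signed manifest are assumptions of this example, not details taken from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
)

// Constructed manifest shape for this example; the real WinGUp XML schema is not shown on the page.
type Manifest struct {
	Version         string `xml:"version"`
	InstallerSHA256 string `xml:"sha256"`
}

// VerifyUpdate applies both locks in order and fails closed if either one fails.
// Lock 1: the server's XML response must verify under the manifest key before any field in it is trusted.
// Lock 2: the downloaded installer must match the digest carried in that signed manifest (digest
// binding is an assumption of this example) and must verify under the installer-signing key.
func VerifyUpdate(manPub, instPub ed25519.PublicKey, xmlBody, xmlSig, installer, instSig []byte) (string, error) {
	if !ed25519.Verify(manPub, xmlBody, xmlSig) {
		return "", errors.New("manifest signature invalid: response may come from a rogue server")
	}
	var m Manifest
	if err := xml.Unmarshal(xmlBody, &m); err != nil {
		return "", err
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.InstallerSHA256 {
		return "", errors.New("installer does not match the digest in the signed manifest")
	}
	if !ed25519.Verify(instPub, installer, instSig) {
		return "", errors.New("installer signature invalid")
	}
	return m.Version, nil
}

// NewFixture returns freshly generated keys plus a constructed, correctly signed
// manifest and installer, so the checks can be exercised offline.
func NewFixture() (manPub, instPub ed25519.PublicKey, xmlBody, xmlSig, installer, instSig []byte) {
	manPub, manPriv, _ := ed25519.GenerateKey(rand.Reader)
	instPub, instPriv, _ := ed25519.GenerateKey(rand.Reader)
	installer = []byte("constructed installer bytes, not a real Notepad++ binary")
	sum := sha256.Sum256(installer)
	xmlBody = []byte("<update><version>8.9.2</version><sha256>" + hex.EncodeToString(sum[:]) + "</sha256></update>")
	return manPub, instPub, xmlBody, ed25519.Sign(manPriv, xmlBody), installer, ed25519.Sign(instPriv, installer)
}
```

The point of ordering the checks this way is that a rewritten manifest from a rogue server is rejected before its contents are parsed, and a substituted installer is rejected even if the manifest was genuine.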
Version 8.9.2 also remediates a high-severity flaw, CVE-2026-25926 (CVSS 7.3), involving an insecure search path vulnerability. By invoking Windows Explorer without an absolute file path, the application inadvertently permitted a local adversary in control of the working directory to execute a fraudulent explorer.exe, thereby facilitating arbitrary code execution within the application’s context.
This initiative follows a revelation weeks prior concerning a compromised hosting provider, which enabled attackers to intercept update traffic since June 2025. By redirecting specific queries to rogue servers, they delivered “poisoned” updates—an incident officially identified in early December 2025.
Research from Rapid7 and Kaspersky Lab has linked these tainted updates to the dissemination of a previously undocumented backdoor dubbed Chrysalis. This supply chain compromise is tracked as CVE-2025-15556 (CVSS 7.7) and is attributed to the group recognized as Lotus Panda. Users are strongly urged to transition to version 8.9.2 and to procure installers exclusively from the project’s official domain.