
Notepad++ declares hardened update process ‘effectively unexploitable’

Notepad++ has continued beefing up security with a release the project’s author claims makes the “update process robust and effectively unexploitable.”

Version 8.9.2 adds verification of the signed XML update manifest returned by notepad-plus-plus.org. Combined with verification of the signed installer, introduced in version 8.8.9, the updater now validates both the instructions (which version exists and where to fetch it) and the payload (the installer itself), which is the basis for the “unexploitable” claim: tampering with either half is detected before anything is executed.
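To make the two-lock check concrete, here is an added example written for this article; it is not WinGUp's code (which is C++ and validates a certificate chain) and it uses Ed25519 keys pinned in the client as a stand-in for the project's certificate verification. The XML schema, the URL, the installer bytes, the key seeds and the hash that binds the manifest to the installer are all constructed for the example. It verifies the signed instructions first, then the signed payload, and shows the three tamperings a practitioner would expect to be refused: a redirected manifest, a payload signed by the wrong key, and a genuine vendor-signed binary that is not the one the instructions name.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update-instruction document standing in for the
// signed XML an update server returns. It is not Notepad++'s real schema.
type Manifest struct {
	Version string `xml:"version"`
	URL     string `xml:"url"`
	SHA256  string `xml:"sha256"` // hex digest of the installer the instructions point at (an addition here)
}

// SignedBlob couples a document with a detached signature over its bytes.
type SignedBlob struct {
	Data []byte
	Sig  []byte
}

var (
	ErrManifestSig  = errors.New("update instructions: signature invalid")
	ErrInstallerSig = errors.New("installer: signature invalid")
	ErrHashMismatch = errors.New("installer is not the one named in the instructions")
)

// VerifyUpdate is the double lock: the instructions must verify under the pinned
// manifest key, the payload under the pinned installer key, and the payload must
// be the one the instructions name. Nothing is parsed or run before its
// signature has been checked.
func VerifyUpdate(manifestKey, installerKey ed25519.PublicKey, manifest, installer SignedBlob) (*Manifest, error) {
	if !ed25519.Verify(manifestKey, manifest.Data, manifest.Sig) {
		return nil, ErrManifestSig
	}
	var m Manifest
	if err := xml.Unmarshal(manifest.Data, &m); err != nil {
		return nil, fmt.Errorf("instructions: parse: %w", err)
	}
	if !ed25519.Verify(installerKey, installer.Data, installer.Sig) {
		return nil, ErrInstallerSig
	}
	sum := sha256.Sum256(installer.Data)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrHashMismatch
	}
	return &m, nil
}

// Sign is the server/vendor side: a detached signature over the bytes.
func Sign(priv ed25519.PrivateKey, data []byte) SignedBlob {
	return SignedBlob{Data: data, Sig: ed25519.Sign(priv, data)}
}

// Scenarios runs the honest path and three tamperings. Keys come from fixed
// seeds so the run is deterministic; a real client pins the vendor's public
// keys or certificates, never derives them like this.
func Scenarios() (honest, redirected, swapped, downgraded error) {
	manifestPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	installerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	manifestPub := manifestPriv.Public().(ed25519.PublicKey)
	installerPub := installerPriv.Public().(ed25519.PublicKey)

	// Constructed installer bytes and the instructions that name them.
	installerBytes := []byte("MZ...constructed installer image for 8.9.2...")
	digest := sha256.Sum256(installerBytes)
	xmlDoc := fmt.Sprintf(
		"<update><version>8.9.2</version><url>https://example.invalid/npp.exe</url><sha256>%s</sha256></update>",
		hex.EncodeToString(digest[:]))
	goodManifest := Sign(manifestPriv, []byte(xmlDoc))
	goodInstaller := Sign(installerPriv, installerBytes)
	_, honest = VerifyUpdate(manifestPub, installerPub, goodManifest, goodInstaller)

	// Redirection: the URL is rewritten in transit, but the signature no longer matches.
	tampered := goodManifest
	tampered.Data = bytes.Replace(tampered.Data, []byte("example.invalid"), []byte("attacker.invalid"), 1)
	_, redirected = VerifyUpdate(manifestPub, installerPub, tampered, goodInstaller)

	// Payload swap: malware signed with a key the client does not trust.
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0xee}, ed25519.SeedSize))
	_, swapped = VerifyUpdate(manifestPub, installerPub, goodManifest, Sign(attackerPriv, []byte("MZ...malware...")))

	// Downgrade: a genuine vendor-signed binary, but not the one the instructions name.
	old := Sign(installerPriv, []byte("MZ...constructed installer image for 8.8.9..."))
	_, downgraded = VerifyUpdate(manifestPub, installerPub, goodManifest, old)
	return
}

func main() {
	h, r, s, d := Scenarios()
	fmt.Println("honest:", h, "\nredirected:", r, "\nswapped:", s, "\ndowngraded:", d)
}
```

The ordering matters: the manifest is verified before it is parsed, so an XML parser bug cannot be reached with attacker-controlled input, and the installer signature is checked before the hash comparison, so the hash only ever distinguishes between vendor-signed binaries.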

According to the project’s author, a state-sponsored attacker compromised the editor’s update service. Security researchers attributed the attack to Lotus Blossom, an espionage crew linked to the Chinese government. The intrusion selectively redirected some update requests to an attacker-controlled site that served malware disguised as a legitimate update.

A “hardened” version of the editor was released on December 9, 2025, followed by a release that dropped the use of a self-signed certificate on December 27. With laudable transparency, the project’s author followed up the releases with a post explaining what had happened, stating that the upcoming version 8.9.2 would enforce certificate and signature verification. Less than a month later, here we are.

The author also noted additional hardening of the auto-updater, WinGUp. The libcurl.dll dependency was removed “to eliminate DLL side-loading risk,” plugin-management execution is now restricted to a program signed with the same certificate as WinGUp, and two insecure cURL SSL options, CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE, have been removed. The former permits a TLS workaround that is vulnerable to the BEAST attack; the latter skips certificate revocation checks, so a revoked certificate would still have been accepted.

The author added: “Of course, it’s always possible to exclude the auto-updater during the UI installation, or to deploy the MSI package using the following command: msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1.”

Updating to the latest version would therefore seem prudent.

The “Double-Lock” design is intended to make the Notepad++ update process more robust, although the “effectively unexploitable” statement feels a little like a gauntlet being thrown at the feet of miscreants. ®
