Notepad++ declares hardened update process ‘effectively unexploitable’
Summary
Notepad++ 8.9.2 introduces a “Double‑Lock” update design that verifies both the signed XML instructions fetched from notepad-plus-plus.org and the signed installer payload. This builds on prior work in 8.8.9 that added installer signature checks. The changes aim to close the supply‑chain vector abused in a recent targeted attack attributed to the Lotus Blossom espionage crew.
The project also hardened its WinGUp auto‑updater: removed the libcurl.dll dependency to prevent DLL side‑loading, restricted plugin‑management execution to code signed with the same certificate as WinGUp, and removed two insecure cURL SSL options (CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE). Users can opt out of the auto‑updater at install time or deploy the MSI with NOUPDATER=1.
Key Points
- Version 8.9.2 verifies the signed XML update manifest and the signed installer, creating two independent checks.
- The update hardening follows a supply‑chain hijack that redirected some update traffic to an attacker‑controlled server serving malware.
- WinGUp changes: removal of libcurl.dll (to avoid DLL side‑loading), plugin‑management execution restricted to code signed with the same certificate as WinGUp, and removal of the insecure cURL SSL options CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE.
- Hardened releases were rolled out in December 2025; 8.9.2 enforces certificate and signature verification.
- Users may disable the auto‑updater during installation or use msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1 for MSI deployments.
Context and Relevance
The update is a direct response to a real supply‑chain compromise attributed to a state‑linked actor. It exemplifies a trend towards layered verification for software updates: signing both instructions (update manifests) and payloads (installers) to reduce the risk of man‑in‑the‑middle or server‑side hijacks. Organisations that manage many Windows workstations should note the measures and consider immediate updating or controlled MSI deployment.
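A condensed model of the two‑lock flow, added here as an illustration and not code from Notepad++ or WinGUp: it assumes an Ed25519 key pair standing in for the project's code‑signing certificate, a constructed manifest layout (the page does not show the real XML), and a SHA‑256 field that binds the manifest to the installer it describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
)

// Manifest is a constructed stand-in for the signed XML update instructions: the
// installer's location plus its SHA-256, which binds the manifest to the payload.
type Manifest struct {
	XMLName  xml.Name `xml:"update"`
	Location string   `xml:"location"`
	SHA256   string   `xml:"sha256"`
}

// Sentinel errors tell a log reader which lock rejected the update.
var (
	ErrManifestSig  = errors.New("lock 1: manifest signature invalid")
	ErrInstallerSig = errors.New("lock 2: installer signature invalid")
	ErrHashMismatch = errors.New("binding: installer hash differs from manifest")
)

// VerifyUpdate applies lock 1 (manifest), lock 2 (installer), then the hash binding.
func VerifyUpdate(pub ed25519.PublicKey, manifestXML, manifestSig, installer, installerSig []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestXML, manifestSig) {
		return nil, ErrManifestSig
	}
	m := &Manifest{}
	if err := xml.Unmarshal(manifestXML, m); err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, installer, installerSig) {
		return nil, ErrInstallerSig
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrHashMismatch
	}
	return m, nil
}

// Release plays the signing side: hash the installer, write the manifest, sign both.
// The URL is a constructed placeholder, not the project's real download location.
func Release(priv ed25519.PrivateKey, installer []byte) (manifestXML, manifestSig, installerSig []byte) {
	sum := sha256.Sum256(installer)
	manifestXML, _ = xml.Marshal(Manifest{Location: "https://example.invalid/npp.exe", SHA256: hex.EncodeToString(sum[:])})
	return manifestXML, ed25519.Sign(priv, manifestXML), ed25519.Sign(priv, installer)
}
```

An edited manifest (for example a redirected URL) fails lock 1, an unsigned payload behind a genuine manifest fails lock 2, and an older but genuinely signed installer passes both signatures and is caught only by the hash binding, which is why the manifest must commit to the payload and not merely point at it.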
Why should I read this?
Short version: if you (or your users) run Notepad++, update now. The app was hit by a targeted supply‑chain attack and the developer has plugged the obvious holes with what they call a practically unexploitable update flow. Saves you the hassle of dealing with booby‑trapped updates — and yes, that’s a proper relief.
Author style
Punchy. This isn’t just another version bump — it’s a security fix born from a targeted compromise. If you care about endpoint hygiene or supply‑chain risk, the details matter and are worth a quick read.
