Notepad++ declares hardened update process 'effectively unexploitable'

Notepad++ adds double verification to updates

Notepad++ version 8.9.2 secures the software's update channel by requiring digital signature verification for both update instructions and the installer payload. This release follows a series of security hardening measures designed to prevent attackers from hijacking the application's automated update process.

The new "double-lock" system builds on version 8.8.9, which first introduced verification for the signed installer. Version 8.9.2 adds a second layer by validating the signed XML file returned by the notepad-plus-plus.org servers. This ensures that the instructions telling the app where to find an update are just as secure as the update file itself.

Project author Don Ho claims these combined measures make the update process effectively unexploitable. By validating both the metadata and the binary, the software can detect if a third party has intercepted the connection or tampered with the update files before they reach the user's machine.

State sponsored hackers targeted update traffic

The security overhaul follows a confirmed compromise of the Notepad++ update service by state-sponsored cybercriminals. Security researchers linked the intrusion to Lotus Blossom, a hacking group with ties to the Chinese government. The group specializes in regional espionage and has a history of targeting government and military entities.

Lotus Blossom used a selective redirection tactic to compromise specific users. The attackers identified target traffic and redirected it to a malicious server under their control. This server delivered malware disguised as a legitimate Notepad++ update, allowing the group to gain a foothold on victim machines.

The developers responded with a rapid release cycle to close the vulnerability. On December 9, 2025, the project released a hardened version of the editor to mitigate the immediate threat. A subsequent update on December 27, 2025, removed the use of self-signed certificates, which are easier for attackers to forge or bypass in certain network environments.

Hardening the WinGUp auto updater

The version 8.9.2 update includes significant changes to WinGUp, the open-source tool that handles Notepad++ updates. Developers removed the libcurl.dll dependency entirely to eliminate the risk of DLL side-loading. This common attack vector involves placing a malicious DLL file in the application's directory, which the program then loads instead of the legitimate system file.

The project also restricted how the editor manages plugins. Plugin management execution now requires a signature from the same certificate used for WinGUp. This prevents unauthorized third-party tools from piggybacking on the updater's elevated permissions to install malicious components.

The update also removes two specific cURL SSL options that previously weakened the security of encrypted connections. These removals ensure the updater maintains a modern security posture:

• CURLSSLOPT_ALLOW_BEAST: This option previously allowed older, less secure SSL 3.0 protocols that are vulnerable to the BEAST attack.
• CURLSSLOPT_NO_REVOKE: This option prevented the software from checking if a security certificate had been revoked by the issuing authority.
• Signed XML Verification: The application now checks the cryptographic signature of the XML response to ensure it originated from the official project server.
• Payload Validation: The installer binary must match the signature of the Notepad++ development team before execution begins.

Deployment options for IT administrators

Users who prefer to manage their own security can still bypass the automated update system during installation. The Notepad++ installer UI includes an option to exclude the auto-updater component entirely. This is a common choice for developers who work in air-gapped environments or high-security networks where manual patching is the standard.

For enterprise deployments, the project provides specific command-line flags to disable the update feature across multiple machines. System administrators can deploy the MSI package using a specific command to ensure the updater never runs on corporate workstations. This prevents individual users from accidentally triggering an update that has not been vetted by the internal IT team.

To install the 64-bit version without the updater, administrators should use the following command: msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1. This flag ensures the software remains static until the next manual deployment. Given the recent history of targeted attacks against the update stream, the project author recommends that all users either update to 8.9.2 immediately or disable the updater entirely using these methods.

The risks of supply chain attacks

The targeting of Notepad++ highlights a growing trend of supply chain attacks against popular open-source utilities. Because Notepad++ is a staple tool for developers and system administrators, a compromised update can grant attackers access to sensitive environments. By injecting malware into a trusted update stream, hackers can bypass traditional perimeter defenses like firewalls.

The "unexploitable" claim for version 8.9.2 is a high bar in the security community. While the double-verification of XML and installers addresses the specific tactics used by Lotus Blossom, it does not account for potential future vulnerabilities in the code itself. However, the move to enforce certificate and signature verification brings the project in line with modern security best practices used by major software vendors.

The developer's decision to maintain transparency regarding the Lotus Blossom attack is a rare move for a small open-source project. By detailing the compromise and the subsequent hardening steps, the project has provided a roadmap for other utility developers facing similar threats. Users should check their current version by clicking ? > About Notepad++ and ensure they are running at least version 8.9.2 to benefit from these protections.