2026-02-16
“the XML returned by the update server is now signed (XMLDSig), and the certificate & signature verification will be enforced starting with upcoming v8.9.2, expected in about one month.”
As promised in the announcement Notepad++ Hijacked by State-Sponsored Hackers, this release strengthens the weakest links in the Notepad++ update process.
Below is an illustration of how the Notepad++ update mechanism was previously hijacked:
With security enhancements introduced in v8.8.9 & v8.9.2 (this version), this vulnerability is now fully addressed:
As shown in the diagram above, 2 independent signature & certificate verifications are now performed:
- Verification of the signed XML returned by notepad-plus-plus.org - implemented in this release (v8.9.2).
- Verification of the signed installer downloaded from github.com - already implemented in v8.8.9.
This “double lock” design makes the Notepad++ update process robust and effectively unexploitable.
In addition to this major hardening, WinGUp (the auto-updater) has also been reinforced:
- Removed the libcurl.dll dependency to eliminate DLL side-loading risk.
- Removed 2 insecure cURL SSL options: CURLSSLOPT_ALLOW_BEAST & CURLSSLOPT_NO_REVOKE.
- Restricted plugin management execution to programs signed with the same certificate as WinGUp (i.e. only signed Notepad++).
Of course, it’s always possible to exclude the auto-updater during the UI installation, or to deploy the MSI package using the following command:
msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1
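For administrators who deploy the MSI with the auto-updater excluded, the second "lock" (installer signature verification) has to be done by the deployment tooling instead of WinGUp. The script below is an added example, not code from the Notepad++ project: it checks the installer's Authenticode signature and pins the signer's thumbprint (a placeholder value; take the real one from a known-good installer) before running the msiexec command above.

```powershell
# Added example (not part of the Notepad++ release notes or the WinGUp code):
# verify the installer's Authenticode signature before deploying it with the
# auto-updater disabled. The thumbprint below is a PLACEHOLDER; pin the one
# taken from a known-good Notepad++ installer in your own environment.
param(
    [string]$MsiPath = ".\npp.8.9.2.Installer.x64.msi",
    # PLACEHOLDER: replace with the SHA-1 thumbprint of the legitimate signing certificate
    [string]$ExpectedThumbprint = "0000000000000000000000000000000000000000"
)

$ErrorActionPreference = "Stop"

function Test-NppInstallerSignature {
    param([string]$Path, [string]$Thumbprint)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature and the chain builds to a
    # trusted root; anything else (NotSigned, HashMismatch, UnknownError, ...) fails hard.
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for '$Path': $($sig.Status) - $($sig.StatusMessage)"
    }

    # Pinning the signer rejects a "valid but wrong" certificate: trust is tied to
    # one specific certificate, not to any certificate a trusted CA would issue.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $Thumbprint) {
        throw "Installer signed by unexpected certificate: $actual (expected $Thumbprint)"
    }

    Write-Host "OK: '$Path' signed by $($sig.SignerCertificate.Subject) [$actual]"
}

Test-NppInstallerSignature -Path $MsiPath -Thumbprint $ExpectedThumbprint

# Only after both checks pass: silent install with the auto-updater excluded (NOUPDATER=1).
$proc = Start-Process -FilePath "msiexec.exe" `
    -ArgumentList @("/i", "`"$MsiPath`"", "NOUPDATER=1", "/qn") `
    -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with code $($proc.ExitCode)"
}
```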
The full list of improvements for version 8.9.2, along with the download link, is available here:

Report regressions and critical bugs here:
https://community.notepad-plus-plus.org/topic/27412/notepad-v8-9-2-release
Do more to stop war - keep helping Ukraine
