Notepad++ declares hardened update process 'effectively unexploitable'
- Reference: 1771418486
- News link: https://www.theregister.co.uk/2026/02/18/notepadplusplus_security_update/
- Source link:
[1]Version 8.9.2 adds verification of the signed XML returned by notepad-plus-plus.org. Combined with verification of the signed installer, introduced in version 8.8.9, the update process now validates both the instructions and the payload - the basis for the "unexploitable" claim.
[2]According to the project's author, a state-sponsored cybercriminal compromised the editor's update service. Security researchers [3]attributed the attack to a Chinese government-linked espionage crew called Lotus Blossom. The hack selectively redirected some update traffic to an attacker-controlled site serving malware disguised as a legitimate update to victims.
A "hardened" version of the editor was released on December 9, 2025, followed by a release that dropped the use of a self-signed certificate on December 27. With laudable transparency, the project's author followed up the releases with a post explaining what had happened, stating that the upcoming version 8.9.2 would enforce certificate and signature verification. Less than a month later, here we are.
The author also noted additional hardening for the auto-updater, WinGUp. The libcurl.dll dependency was removed "to eliminate DLL side-loading risk," plugin management execution has been restricted to the program signed with the same certificate as WinGUp, and two unsecured cURL SSL options, CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE, have been removed.
The author added: "Of course, it's always possible to exclude the auto-updater during the UI installation, or to deploy the MSI package using the following command: msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1."
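The "double lock" described above, as an added model in Go that is not WinGUp's code: Ed25519 and the XML element names stand in for whatever signature scheme and manifest layout the real updater uses, and the host names and installer bytes are constructed test data. The point it shows is that a manifest rewritten to redirect the download (the shape of the reported hijack) fails lock 1 before its location is ever read, and a swapped payload behind a genuine manifest fails lock 2.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a stand-in for the signed update XML: the installer's download
// location and the SHA-256 it must have. Element names are assumptions.
type Manifest struct {
	Version  string `xml:"Version"`
	Location string `xml:"Location"`
	SHA256   string `xml:"SHA256"`
}

// VerifyUpdate is the "double lock": lock 1 checks the manifest signature
// against the pinned key before the XML is parsed, so a rewritten Location
// is never followed; lock 2 checks the installer's own signature and hash.
func VerifyUpdate(pinned ed25519.PublicKey, manifestXML, manifestSig, installer, installerSig []byte) (*Manifest, error) {
	if !ed25519.Verify(pinned, manifestXML, manifestSig) {
		return nil, errors.New("lock 1: manifest signature invalid")
	}
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return nil, fmt.Errorf("lock 1: manifest unparsable: %w", err)
	}
	if !ed25519.Verify(pinned, installer, installerSig) {
		return nil, errors.New("lock 2: installer signature invalid")
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("lock 2: installer does not match manifest hash")
	}
	return &m, nil
}

// BuildFixture makes a fresh key, a constructed installer blob and a manifest
// signed with that key (test data only, not real Notepad++ artifacts).
func BuildFixture() (pub ed25519.PublicKey, manifestXML, manifestSig, installer, installerSig []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	installer = []byte("constructed stand-in for npp.8.9.2.Installer.x64.msi")
	sum := sha256.Sum256(installer)
	manifestXML = []byte(fmt.Sprintf("<Update><Version>8.9.2</Version>"+
		"<Location>https://updates.example.invalid/npp.msi</Location>"+
		"<SHA256>%s</SHA256></Update>", hex.EncodeToString(sum[:])))
	return pub, manifestXML, ed25519.Sign(priv, manifestXML), installer, ed25519.Sign(priv, installer)
}
```

Because the manifest signature is checked over the raw bytes before parsing, the client never acts on an unauthenticated download location, which is exactly the step the earlier single-lock updater left open.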
Updating to the latest version would therefore seem prudent.
The "Double-Lock" design is intended to make the Notepad++ update process more robust, although the "effectively unexploitable" statement feels a little like a gauntlet being thrown at the feet of miscreants. ®
[1] https://notepad-plus-plus.org/news/v892-released/
[2] https://www.theregister.com/2026/02/02/notepad_plusplus_intrusion/
[3] https://www.theregister.com/2026/02/02/notepad_hijacking_lotus_blossom/
[5] https://www.theregister.com/2026/02/11/notepad_rce_flaw/
[6] https://www.theregister.com/2026/02/02/notepad_hijacking_lotus_blossom/
[7] https://www.theregister.com/2026/02/02/notepad_plusplus_intrusion/
[8] https://www.theregister.com/2026/01/22/microsoft_notepad_update/
[10] https://whitepapers.theregister.com/
"effectively unexploitable."
Followed by the usual "hold my beer" moment
We usually skirt around the 'nation state attacker' threat because it's too complex and expensive
So I do not hold it against Notepad++ one bit. Plus they made their update process better and did it quickly. Full marks from me.
From my perspective, if China wanted in then they were going to get it.
I look forward to the security bounty announcement
It certainly sounds to me like they've tightened it up well, and I do understand that it's free (donateware) software, but I'm curious as to whether they'd consider offering a bounty to encourage checking their work in a more substantial way than just waving an implicit challenge at all the devious and cynical folk out there who'd enjoy showing them up.
Just a few months ago, whilst his site and app update process was bang in the middle of being compromised and controlled by a third party (which he wouldn't realise himself until months later), the joker in charge of Notepad++ decided he wasn't going to pay for a signing certificate anymore, so he told his user base that he was going to sign his own software with his own certificate, and encouraged his user base to add his signing cert, which he shipped with his exe, to their trusted root certificate store.
https://notepad-plus-plus.org/news/v883-self-signed-certificate/
This is not a serious developer. This is not a serious product.
"effectively unexploitable"
Did he also shout out "nothing can go wrong now!"
So they are basically daring the hackers to hack them?
author claims makes the "update process robust and effectively unexploitable."
Be careful with opening lines like that!
I'm sure there are one or two miscreants that would like to test that theory out, just for the kudos if they can prove the opposite!