Not long ago, Notepad++ made headlines for the wrong reasons: its auto-update mechanism had been compromised by state-sponsored hackers, who managed to replace legitimate files with tampered versions. The development team began addressing the issue in previous releases, and with v8.9.2 they’ve fully plugged the hole.
The “double lock” that secures updates
The core vulnerability was a lack of robust authenticity checks during the update process. The fix comes in the form of two independent verification layers stacked on top of each other.
The first, introduced back in v8.8.9, covers the installer package downloaded from GitHub, which is now verified against a digital signature. The second, new in this release, targets the XML file that the update server sends to notify the app of a new version — that too is now signed and verified. Even if an attacker managed to tamper with one step, the other would hold.
WinGUp, the auto-updater component, has also been hardened: the libcurl.dll dependency is gone (a common vector for DLL side-loading attacks), two risky SSL options have been removed, and plugin management is now restricted to applications signed with the same certificate as Notepad++ itself.
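The two-layer check described above, as an added illustration that is not WinGUp's or Notepad++'s own code: the raw XML notice is signature-checked before it is parsed, and the downloaded package is checked separately, so tampering with either artefact alone is caught. Ed25519 and the toy `<GUP><Version>` schema are assumptions; the article does not name the signature scheme or the real XML layout.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/xml"
	"errors"
)

// UpdateNotice is a minimal stand-in for the server's XML notice (not the real schema).
type UpdateNotice struct{ Version string `xml:"Version"` }

// Updater pins the publisher's public key at build time. Ed25519 is an
// assumption: the article does not name the signature scheme used.
type Updater struct{ pub ed25519.PublicKey }

// Update applies both locks. Lock 1: the raw XML is verified before it is
// parsed, so a forged notice is never acted upon. Lock 2: the installer
// carries its own signature over the file bytes, so a swapped package
// fails even when the notice is genuine. Either failure aborts the update.
func (u Updater) Update(notice, noticeSig, pkg, pkgSig []byte) (string, error) {
	if !ed25519.Verify(u.pub, notice, noticeSig) {
		return "", errors.New("update notice: bad signature")
	}
	var n UpdateNotice
	if err := xml.Unmarshal(notice, &n); err != nil {
		return "", err
	}
	if !ed25519.Verify(u.pub, pkg, pkgSig) {
		return "", errors.New("installer: bad signature")
	}
	return n.Version, nil
}

// Demo signs a constructed notice and installer, then replays them with one
// artefact swapped at a time. It returns the version accepted for the
// genuine pair and the errors from the two tampered runs (both non-nil).
func Demo() (version string, noticeErr, installerErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	u := Updater{pub: pub}
	notice := []byte(`<GUP><Version>8.9.2</Version></GUP>`)
	pkg := []byte("constructed installer bytes, not a real package")
	nSig, pSig := ed25519.Sign(priv, notice), ed25519.Sign(priv, pkg)
	version, _ = u.Update(notice, nSig, pkg, pSig)
	_, noticeErr = u.Update([]byte(`<GUP><Version>9.0.0</Version></GUP>`), nSig, pkg, pSig)
	_, installerErr = u.Update(notice, nSig, []byte("swapped installer bytes"), pSig)
	return
}
```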
What else is new
On the feature side, v8.9.2 introduces a redact selection option, handy for blanking out sensitive portions of text before sharing a screenshot. A handful of stability and security fixes round out the release.
Anyone who’d rather skip the auto-updater can deselect it during installation, or, for enterprise deployments, use the MSI package with the NOUPDATER=1 parameter.
Downloads are available on the official site.