Thursday, February 19, 2026

Notepad++ has released version 8.9.2 to address vulnerabilities in its automatic update system that were previously exploited in a supply chain attack. The new release introduces a “Double-lock” security mechanism, implementing two layers of verification:
- Validation of the digitally signed installer distributed via GitHub.
- Verification of the XML digital signature (XMLDSig) obtained from the official domain notepad-plus-plus.org.
This dual-verification process ensures that update files delivered to users have not been tampered with or replaced by malicious actors.
Beyond the double-layer validation, version 8.9.2 includes additional hardening. The release removes libcurl.dll to reduce the DLL side-loading attack surface, drops potentially risky cURL SSL options, and restricts plugin management so that the updater only launches programs signed with the same certificate as WinGUp (the Notepad++ updater). System administrators can also disable automatic updates during installation or through the MSI package configuration.
These improvements follow the discovery that Notepad++’s update infrastructure was compromised by the threat group Lotus Blossom between June and December 2025. During that period, attackers redirected some users’ update requests to malicious servers to deliver a backdoor named Chrysalis. The project has since migrated hosting providers and reset all credentials. Users are strongly advised to upgrade to version 8.9.2 immediately and to download installers only from the official website.
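The following PowerShell audit script is an added example for Windows administrators, not code from the Notepad++ project. It checks the points the article describes: the installed version, the absence of libcurl.dll next to the updater, the Authenticode signature on a downloaded installer (the first "lock"), the XMLDSig on an update manifest (the second "lock", via the .NET SignedXml class), and whether automatic updates are disabled in config.xml. The registry key, install directory, installer filename, signer subject pattern and the `noUpdate` element name are assumptions; confirm them against your own deployment.

```powershell
# Added example (not Notepad++ project code). Assumed paths/keys are marked.
param(
    [string]$InstallDir     = "$env:ProgramFiles\Notepad++",                               # assumed default install path
    [string]$InstallerPath  = "$env:USERPROFILE\Downloads\npp.8.9.2.Installer.x64.exe",    # assumed local download
    [string]$ManifestPath   = "$env:TEMP\npp-update-manifest.xml",                         # assumed saved manifest
    [string]$ExpectedSigner = 'CN=Notepad++*'                                              # assumed signer subject pattern
)

$findings = @()

# 1. Installed version, from the uninstall key the installer writes (assumed key name).
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++'
$installed = Get-ItemProperty -Path $uninstallKey -ErrorAction SilentlyContinue
if (-not $installed) {
    $findings += 'Notepad++ not found under the uninstall registry key'
} elseif ([version]$installed.DisplayVersion -lt [version]'8.9.2') {
    $findings += "Installed version $($installed.DisplayVersion) predates 8.9.2"
}

# 2. libcurl.dll was removed in 8.9.2; its presence beside the updater means an
#    older layout (or a file someone put back) and a DLL side-loading surface.
$libcurl = Join-Path (Join-Path $InstallDir 'updater') 'libcurl.dll'
if (Test-Path $libcurl) { $findings += "libcurl.dll still present at $libcurl" }

# 3. First lock: Authenticode signature on the installer, pinned to the expected subject.
if (Test-Path $InstallerPath) {
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -ne 'Valid') {
        $findings += "Installer signature status is '$($sig.Status)'"
    } elseif ($sig.SignerCertificate.Subject -notlike $ExpectedSigner) {
        $findings += "Installer signed by unexpected subject: $($sig.SignerCertificate.Subject)"
    }
} else {
    $findings += "Installer not found at $InstallerPath; Authenticode check skipped"
}

# 4. Second lock: XMLDSig on the update manifest. SignedXml.CheckSignature() with no
#    argument verifies the signature against the KeyInfo embedded in the document,
#    so the signing certificate's subject is pinned afterwards to stop a manifest
#    that is merely self-consistent from passing. Windows PowerShell 5.1 loads the
#    System.Security.Cryptography.Xml assembly automatically; PowerShell 7 may
#    need Add-Type -AssemblyName System.Security.Cryptography.Xml.
function Test-UpdateManifestSignature {
    param([string]$Path, [string]$SubjectPattern)
    [xml]$doc = Get-Content -Path $Path -Raw
    $sigNode = $doc.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')[0]
    if (-not $sigNode) { return 'no XMLDSig Signature element' }
    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signedXml.LoadXml($sigNode)
    if (-not $signedXml.CheckSignature()) { return 'XMLDSig verification failed' }
    $x509 = $signedXml.KeyInfo |
        Where-Object { $_ -is [System.Security.Cryptography.Xml.KeyInfoX509Data] } |
        ForEach-Object { $_.Certificates } | Select-Object -First 1
    if (-not $x509) { return 'signature carries no X.509 certificate to pin' }
    if ($x509.Subject -notlike $SubjectPattern) { return "manifest signed by unexpected subject: $($x509.Subject)" }
    return $null   # null means both the cryptographic check and the subject pin passed
}
if (Test-Path $ManifestPath) {
    $problem = Test-UpdateManifestSignature -Path $ManifestPath -SubjectPattern $ExpectedSigner
    if ($problem) { $findings += "Update manifest: $problem" }
} else {
    $findings += "Manifest not found at $ManifestPath; XMLDSig check skipped"
}

# 5. Auto-update policy: <GUIConfig name="noUpdate">yes|no</GUIConfig> in config.xml
#    (element name assumed; absent element means the default, updates enabled).
$configPath = Join-Path $env:APPDATA 'Notepad++\config.xml'
if (Test-Path $configPath) {
    [xml]$cfg = Get-Content -Path $configPath -Raw
    $noUpdate = $cfg.NotepadPlus.GUIConfigs.GUIConfig | Where-Object { $_.name -eq 'noUpdate' }
    $state = if ($noUpdate -and $noUpdate.'#text' -eq 'yes') { 'disabled' } else { 'enabled' }
    Write-Host "Automatic updates are $state for $env:USERNAME"
}

if ($findings.Count -eq 0) {
    Write-Host 'No findings: host matches the 8.9.2 hardening baseline'
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it once per workstation (for example from a configuration-management job) and treat a non-zero exit code as an inventory finding. The manifest check assumes you have saved the updater's signed XML to disk first; the point of pinning the certificate subject on both locks is that a signature that only validates against the key embedded in the same document proves integrity, not origin.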
