The widely used open-source text and code editor has released version\u00a0v8.9.2, introducing a major security enhancement known as the\u00a0\u201cDouble-Lock\u201d update mechanism.<\/p>\n
This update addresses vulnerabilities that were exploited in a recent state-sponsored attack\u00a0targeting the application\u2019s update infrastructure.<\/p>\n
Last month, Notepad++\u2019s official site confirmed that attackers had successfully hijacked<\/a> its update channel, allowing the distribution of a malicious update.<\/p>\n Following the incident, the development team promised to fortify the update verification process. That promise has now been fulfilled with the v8.9.2 release.<\/p>\n The latest release introduces<\/a>\u00a0XMLDSig (XML Digital Signature)\u00a0verification for update files.<\/p>\n The\u00a0XML returned by Notepad++\u2019s update server is now cryptographically signed, and both the signature and certificate will be verified before any updates are applied.<\/p>\n This means that, starting with v8.9.2, all future updates will only be accepted if they are verified against trusted Notepad++ certificates.<\/p>\n In addition to this measure, Notepad++ now performs two independent verifications forming what the developers describe as a\u00a0\u201cDouble-Lock\u201d update system:<\/p>\n Together, these measures create a resilient security model that prevents malicious interception or tampering of update files. The development team notes that this design effectively makes the update process \u201crobust and unexploitable.\u201d<\/p>\n The\u00a0WinGUp auto-updater, which manages update downloads and installations, has also undergone a significant security overhaul.<\/p>\n Key improvements include:<\/strong><\/p>\n Moreover, users who prefer manual update control can\u00a0turn off the auto-updater during installation\u00a0or use the MSI parameter:<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Notepad++ v8.9.2 Released with \u201cDouble-Lock\u201d Update Mechanism Following Recent Hack<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nStrengthening the Update Process<\/strong><\/h2>\n
![\"Fixed](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi5FtnKTVbMYBu-QiM5khv0cbpNImF5QVK-3RCP4j1cW80tGzHVFY2ouj1pr1HXOg8ieONx9qAKQe8N6j3ZF-6AO1KJZ24U3kfPKflRdGysyTkxMOUn5j_emw3FED93V45oSYag9HMs4EMUp04HVN4idcCvvZZzszZ6fa4GXM0OuggN05RLKWG_-XdFLr8\/s1600\/Screenshot%25202026-02-18%2520120439%2520%25281%2529.webp?ssl=1\")
\n\n
\n \nVerification Layer<\/th>\n Source<\/th>\n Version<\/th>\n Purpose<\/th>\n<\/tr>\n<\/thead>\n \n XML Signature Verification<\/strong><\/td>\n Notepad++ official site<\/td>\n v8.9.2<\/td>\n Verifies signed update metadata (XML) to prevent tampering or spoofed update info.<\/td>\n<\/tr>\n \n Installer Signature Verification<\/strong><\/td>\n GitHub<\/td>\n v8.8.9<\/td>\n Validates installer digital signature to block modified or malicious binaries.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n WinGUp Auto-Updater Enhancements<\/strong><\/h2>\n
\n\n
\n \nCategory<\/th>\n Improvement<\/th>\n Description<\/th>\n<\/tr>\n<\/thead>\n \n Update Security<\/strong><\/td>\n XMLDSig signing<\/td>\n Update XML files from Notepad++ server are digitally signed for integrity verification.<\/td>\n<\/tr>\n \n Double Verification<\/strong><\/td>\n Dual update validation<\/td>\n Signed XML (official site) + signed installer from GitHub.<\/td>\n<\/tr>\n \n Certificate Enforcement<\/strong><\/td>\n Strict signature checks<\/td>\n Certificates validated before updates install.<\/td>\n<\/tr>\n \n Auto-Updater Hardening<\/strong><\/td>\n Removed libcurl.dll<\/td>\n Eliminates DLL side-loading risk.<\/td>\n<\/tr>\n \n Stronger SSL<\/strong><\/td>\n Disabled weak cURL options<\/td>\n Enforces stricter TLS\/SSL validation.<\/td>\n<\/tr>\n \n Plugin Control<\/strong><\/td>\n Signed plugins only<\/td>\n Only plugins signed with official certificate allowed.<\/td>\n<\/tr>\n \n Stability & Transparency<\/strong><\/td>\n Bug fixes + public response<\/td>\n Improves stability and maintains open communication post-incident.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n msiexec \/i npp.8.9.2.Installer.x64.msi NOUPDATER=1<\/code><\/pre>\n