Notepad++ protects its updates with a dual‑lock system after the major update hack
What changed in the Notepad++ updates?
The developers of the popular text editor have implemented a “dual lock” for the update process to eliminate a vulnerability that sometimes caused users to receive malicious packages.
1. Implementation stages
| Version | Action | Description |
|---|---|---|
| 8.8.9 | Start work on enhanced update reliability | Implementation of the first layer of protection – checking the signed installer on GitHub. |
| 8.9.2 | Full deployment of the “dual lock” | Added a second layer of protection – verification of an XML file with a digital signature (XMLDSig) from the domain *notepad-plus-plus.org*. |

According to the developers, the combination of these two mechanisms makes the update practically invulnerable.
2. Additional security measures
| Measure | How to implement |
|---|---|
| Disable automatic updates | Through the program’s graphical interface. |
| Command line | `msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1` – disables auto‑updates during MSI package installation. |
3. Compromise history
* Period of compromised infrastructure – six months before detection.
* Group responsible for the breach – Lotus Blossom.
* Hackers gained access to the hosting service where the update component was stored and redirected requests from some users to their servers.
The breach was discovered on December 2, 2025 via the Chrysalis backdoor. After discovery, the project changed hosting, updated credentials, and fixed the vulnerabilities used in the attack.
4. What users should do
1. Update the program to version 8.9.2 – this guarantees the presence of the dual lock.
2. Verify the download source – installer files must be downloaded from the official domain *notepad-plus-plus.org*.
These steps will help ensure that updates are received safely and without third‑party interference.
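As an added example (not code from the Notepad++ project), the PowerShell function below checks an installer's Authenticode signature before installing it with the `NOUPDATER=1` property from section 2. The function name and the `ExpectedSigner` value are assumptions; take the real publisher name from the official site.

```powershell
# Added example: verify an MSI's Authenticode signature, then install with the auto-updater disabled.
# Install-VerifiedNpp is a hypothetical helper name; $ExpectedSigner is supplied by the caller.
function Install-VerifiedNpp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [Parameter(Mandatory)] [string] $ExpectedSigner   # placeholder, e.g. '<PUBLISHER-NAME>'
    )

    $file = Get-Item -LiteralPath $InstallerPath -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # 'Valid' means the file hash matches the signature and the chain is trusted.
    # NotSigned, HashMismatch, NotTrusted and similar states are all rejected.
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $($file.Name): $($sig.Status) - $($sig.StatusMessage)"
    }

    # A valid signature from an unexpected publisher is still a rejection.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -ne $ExpectedSigner) {
        throw "Unexpected signer '$signer' (expected '$ExpectedSigner')"
    }

    # Install with the updater disabled, as in the command shown in section 2.
    $msiArgs = @('/i', "`"$($file.FullName)`"", 'NOUPDATER=1')
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # 0 = success, 3010 = success but a reboot is required.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec failed with exit code $($proc.ExitCode)"
    }

    [pscustomobject]@{
        File       = $file.FullName
        Signer     = $signer
        Thumbprint = $sig.SignerCertificate.Thumbprint
        ExitCode   = $proc.ExitCode
    }
}

# Usage (run from an elevated prompt; the signer value is a placeholder):
# Install-VerifiedNpp -InstallerPath .\npp.8.9.2.Installer.x64.msi -ExpectedSigner '<PUBLISHER-NAME>'
```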