zlacker

[return to "Notepad++ hijacked by state-sponsored actors"]
1. thisis+11 2026-02-02 02:10:11
>>myster+(OP)
Wow. I'd love to know more about how the targeted systems were actually compromised.
2. mapont+h5 2026-02-02 02:54:05
>>thisis+11
There is more detail linked below:

https://www.heise.de/en/news/Notepad-updater-installed-malwa...

https://doublepulsar.com/small-numbers-of-notepad-users-repo...

The TLDR is that until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which was available in the GitHub source code. The author enabled this by not following best practices.

The "good news" is that the attacks were very targeted and seemed to involve hands-on-keyboard attacks against folks in Asia.

Blaming the hosting company is kind of shady, as the author should own at least some level of the blame for this.

3. metalc+T5 2026-02-02 03:00:52
>>mapont+h5
Out of curiosity, why is a self-signed cert bad for this case? Can't the updater check the validity of the cert just as well regardless? Or did the attackers get access to the signing key as well?
4. mapont+RZ 2026-02-02 12:46:56
>>metalc+T5
It would still have been less than ideal, but he might have gotten away with it if the private key wasn't stored within the public GitHub repo.
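Added illustration of the point made in comments 3 and 4, not code from the thread or from the Notepad++ project: a minimal updater check with a pinned public key. Whether the key is self-signed or CA-issued is irrelevant to the client's verification; what decides the outcome is whether the private half stayed private. The manifest format, the Ed25519 key type and the installer bytes are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest is a constructed stand-in for an updater's signed metadata:
// the version offered and the SHA-256 of the installer bytes.
type Manifest struct {
	Version   string
	SHA256Hex string
}

func (m Manifest) bytes() []byte { return []byte(m.Version + "\n" + m.SHA256Hex) }

// SignManifest is the publisher side: only the holder of the private key can do this.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate is the client side. The public key is pinned in the binary, so a
// self-signed key is acceptable; the installer is accepted only if the manifest
// signature verifies under the pinned key and the payload hash matches the manifest.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, installer []byte) bool {
	if !ed25519.Verify(pinned, m.bytes(), sig) {
		return false
	}
	sum := sha256.Sum256(installer)
	return hex.EncodeToString(sum[:]) == m.SHA256Hex
}

// Demo returns three outcomes: a genuine update; a swapped installer signed by an
// attacker who controls only the download host; and the same swapped installer
// signed with the publisher's own (leaked) key, which the client cannot distinguish.
func Demo() (genuine, hijackOnly, leakedKey bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)       // publisher's key pair
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key
	install := []byte("constructed legitimate installer bytes")
	trojan := []byte("constructed tampered installer bytes")
	h := func(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

	mGood := Manifest{"8.8.7", h(install)}
	genuine = VerifyUpdate(pub, mGood, SignManifest(priv, mGood), install)
	mBad := Manifest{"8.8.7", h(trojan)}
	hijackOnly = VerifyUpdate(pub, mBad, SignManifest(attackerPriv, mBad), trojan)
	leakedKey = VerifyUpdate(pub, mBad, SignManifest(priv, mBad), trojan)
	return
}

func main() { fmt.Println(Demo()) }
```

The third result is the thread's point: once the signing key is public, pinning the certificate buys nothing, so key custody, not the certificate's issuer, is the control that matters.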