zlacker

[return to "Notepad++ supply chain attack breakdown"]
1. Soeren+Wc 2026-02-03 23:45:55
>>natebc+(OP)
The WinGUp updater compromise is a textbook example of why update mechanisms are such high-value targets. Attackers get code execution on machines that specifically trust the update channel.

What's concerning is the 6-month window. Supply chain attacks are difficult to detect because the malicious code runs with full user permissions from a "trusted" source. Most endpoint protection isn't designed to flag software from a legitimate publisher's update infrastructure.

For organizations, this argues for staged rollouts and network monitoring for unexpected outbound connections from common applications. For individuals, package managers with cryptographic verification at least add another barrier - though obviously not bulletproof either.

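The "cryptographic verification" the post above describes as an extra barrier is easy to state and easy to get wrong, so here is an added example of the core check an updater can do: a publisher signs a release manifest offline, the client verifies that signature against a key pinned in its own binary (not fetched from the update server), and only then trusts the digest in the manifest to accept or reject the downloaded installer. This is illustrative Go written for this thread, not WinGUp's, Notepad++'s, or any package manager's code; the manifest format, the key handling, and the sample payloads are assumptions constructed here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the update server publishes (assumed format): the version and
// the digest of the installer. The client trusts its contents only after the
// publisher's signature over the raw manifest bytes checks out.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer bytes
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned publisher key")
	ErrBadDigest    = errors.New("installer bytes do not match the digest in the signed manifest")
)

// SignManifest is the publisher's offline step: hash the installer, serialise
// the manifest, and sign exactly the bytes that will be shipped to clients.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) (manifestJSON, sig []byte, err error) {
	sum := sha256.Sum256(installer)
	manifestJSON, err = json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the client side. The public key is pinned in the client
// binary, so a compromised update server cannot substitute its own key.
// Order matters: verify the signature before parsing anything the server sent,
// then check the installer against the digest the signed manifest vouches for.
func VerifyUpdate(pinned ed25519.PublicKey, manifestJSON, sig, installer []byte) (Manifest, error) {
	if !ed25519.Verify(pinned, manifestJSON, sig) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return Manifest{}, err
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return Manifest{}, ErrBadDigest
	}
	got := sha256.Sum256(installer)
	if !bytes.Equal(got[:], want) {
		return Manifest{}, ErrBadDigest
	}
	return m, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher key pair; pub is what the client pins
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for an installer download.
	installer := []byte("constructed installer bytes for version 1.2.3")
	manifestJSON, sig, _ := SignManifest(priv, "1.2.3", installer)

	m, err := VerifyUpdate(pub, manifestJSON, sig, installer)
	fmt.Println("genuine release:", m.Version, err)

	// Server swaps the installer but keeps the genuine signed manifest: digest check fails.
	_, err = VerifyUpdate(pub, manifestJSON, sig, append([]byte("trojaned "), installer...))
	fmt.Println("tampered installer:", err)

	// Server rewrites the manifest to point at its own payload: signature no longer matches.
	evil := []byte("constructed trojaned installer")
	evilSum := sha256.Sum256(evil)
	evilManifest, _ := json.Marshal(Manifest{Version: "1.2.4", SHA256: hex.EncodeToString(evilSum[:])})
	_, err = VerifyUpdate(pub, evilManifest, sig, evil)
	fmt.Println("forged manifest:", err)

	// Attacker signs the forged manifest with a key of their own: the client only trusts the pinned key.
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, err = VerifyUpdate(pub, evilManifest, ed25519.Sign(evilPriv, evilManifest), evil)
	fmt.Println("attacker-signed manifest:", err)
}
```

Two caveats a practitioner would add: TLS on the download channel does not substitute for this, because the compromise described in the thread sits on the trusted side of that channel; and a check like this covers a forged or swapped payload but not a release the publisher signed with a compromised signing key, which is why the key belongs offline and why the ordering of signature-before-parse matters (nothing from the server is interpreted until it is authenticated).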
2. kijin+Wz 2026-02-04 02:14:58
>>Soeren+Wc
The lack of a well-known, well-designed package manager for Windows has always been a problem. Too many programs, including FOSS programs, are downloaded from suspicious-looking websites with tons of ads, and every app updates itself in a different way.

The crappy installation and update channels are often tightly integrated with the vendors' monetization strategies, so there's a huge amount of inertia.

Microsoft Store could have changed this situation, had it been better designed and better received. Unfortunately, nobody seems to use it unless they have no other choice.

WinGet looks much better, but so far it's only for developers and power users.

3. pjc50+vv1 2026-02-04 10:41:16
>>kijin+Wz
The stupid thing is that a packaging system - MSI and later MSIX - has existed for a long time. But the tooling for it, to put things into packages, is a mess; nor is there a single tool even for Microsoft's own stuff. They really need to get onto dogfooding this stuff.

But then, in an environment dominated by corporate IT who have no real means of switching, why improve the product?

4. 171862+3J1 2026-02-04 12:20:51
>>pjc50+vv1
The thing is that I trust the Debian maintainers, so I use dpkg to install my software. I do not trust Microsoft, so I use the browser to install software.
5. acdha+MO1 2026-02-04 13:01:47
>>171862+3J1
If you trust Microsoft enough to run their operating system, you trust them enough to develop a package manager.

Suppose, for example, that they caught up to where Debian was 30 years ago and Windows shipped with a default list of sources for the core OS to which you could add your internal or preferred partners (e.g. Adobe in many companies). Literally millions of systems wouldn’t have been compromised because they had unpatched apps. If they’d had a curated list of responsible vendors, multiple generations of people wouldn’t have been trained that it’s normal to run installers because a web page told you so.
