[return to "Notepad++ hijacked by state-sponsored actors"]
1. tech23+V3 2026-02-02 02:39:08
>>myster+(OP)
Notably, Notepad++ was recently shipping unsigned/self-signed updates, apparently overlapping with the time of this incident; see releases 8.8.2-8.8.6: https://notepad-plus-plus.org/news/
2. bakugo+F4 2026-02-02 02:48:43
>>tech23+V3
So they just conveniently decided not to sign their releases right around the time they were supposedly "hacked"?

Something doesn't seem right here.

3. adzm+d6 2026-02-02 03:04:14
>>bakugo+F4
Code signing certs are unfortunately expensive.
4. Chaosv+cab 2026-02-05 01:32:53
>>adzm+d6
You don't even need a certificate to prevent update tampering like this. The updates could have shipped with an ECDSA signature and this wouldn't have happened. It's also free and doable in an afternoon.
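
The certificate-free scheme mentioned in the last comment, as an added example that is not part of the thread or of Notepad++'s updater: the release side signs the package's SHA-256 digest with ECDSA P-256, and the updater verifies the detached signature against a public key pinned in the installed binary before installing. The names `VerifyUpdate`, `SignUpdate` and `Demo`, the key, and the package bytes are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// VerifyUpdate is the updater-side check; pinnedPubDER is a PKIX DER key shipped inside the updater.
func VerifyUpdate(pinnedPubDER, pkg, sig []byte) error {
	key, err := x509.ParsePKIXPublicKey(pinnedPubDER)
	if err != nil {
		return fmt.Errorf("pinned key: %w", err)
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("pinned key is not ECDSA")
	}
	digest := sha256.Sum256(pkg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature mismatch: refusing to install")
	}
	return nil
}

// SignUpdate is the release-side step, run where the private key lives (ideally offline).
func SignUpdate(priv *ecdsa.PrivateKey, pkg []byte) ([]byte, error) {
	digest := sha256.Sum256(pkg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Demo uses a throwaway key and constructed package bytes (assumptions, not real release data).
func Demo() (genuine, tampered error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pubDER, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pkg := []byte("constructed installer bytes v1")
	sig, _ := SignUpdate(priv, pkg)
	evil := append([]byte{}, pkg...)
	evil[0] ^= 0xff // simulate a package modified in transit
	return VerifyUpdate(pubDER, pkg, sig), VerifyUpdate(pubDER, evil, sig)
}

func main() {
	ok, bad := Demo()
	fmt.Println("genuine:", ok, "| tampered:", bad)
}
```

Because the key is pinned in the client, a redirected or tampered download fails verification regardless of which server delivered it; the check only holds if the private key is kept off the update infrastructure.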