zlacker

[return to "Notepad++ supply chain attack breakdown"]
1. ashish+q9[view] [source] 2026-02-03 23:29:06
>>natebc+(OP)
I am running a lot of tools inside sandbox now for exactly this reason. The damage is confined to the directory I'm running that tool in.

There is no reason for a tool to implicitly access my mounted cloud drive directory and browser cookies data.

◧◩
2. troad+9b[view] [source] 2026-02-03 23:38:13
>>ashish+q9
MacOS has been getting a lot of flak recently for (correct) UI reasons, but I honestly feel like they're the closest to the money with granular app permissions.

Linux people are very resistant to this, but the future is going to be sandboxed iOS style apps. Not because OS vendors want to control what apps do, but because users do. If the FOSS community continues to ignore proper security sandboxing and distribution of end user applications, then it will just end up entirely centralised in one of the big tech companies, as it already is on iOS and macOS by Apple.

◧◩◪
3. ashish+kd[view] [source] 2026-02-03 23:48:45
>>troad+9b
It also has persistent permissions.

Think about it from a real world perspective.

I knock on your door. You invite me to sit with you in your living room. I can't easily sneak into your bed room. Further, your temporary access ends as soon as you exit my house.

The same should happen with apps.

When I run 'notepad dir1/file1.txt', the package should not sneakily be able to access dir2. Further, as soon as I exit the process, the permission to access dir1 should end as well.

◧◩◪◨
4. araes+Ce7[view] [source] 2026-02-05 22:15:49
>>ashish+kd
Attempt at real life version (starts with idea they are actually not trustworthy)

  - You invite someone to sit in your living room
    - There must have been a reason to begin with (or why invite them at all)
    - Implied (at least limited) trust of whoever was invited
  - Access enabled and information gained heavily depends on house design
    - May have to walk past many rooms to finally reach the living room
    - Significant chances to look at everything in your house
    - Already allows skilled appraiser to evaluate your theft worthiness
  - Many techniques may allow further access to your house
    - Similar to digital version (leave something behind)
      - Small digital object accessing home network
      - "Sorry, I left something, mind if I search around?"
    - Longer con (advance to next stage of "friendship" / "relationship", implied trust)
      - "We should hang out again / have a cards night / go drinking together / ect..."
      - Flattery "Such a beautiful house, I like / am a fan of <madlibs>, could you show it to me?"
  - Already provides a survey of your home security
    - Do you lock your doors / windows?
    - What kind / brand / style do you have?
    - Do you tend to just leave stuff open?
    - Do you have onsite cameras or other features?
    - Do you easily just let anybody into your house who asks?
    - General cleanliness and attention to security issues

  - In the case of Notepad++, they would also be offering you a free product
    - Significant utility vs alternatives
    - Free
    - Highly recommended by many other "neighbors"
  - In the case of Notepad++, they themselves are not actively malicious (or at least not known to be)
    - Single developer
    - Apparently frazzled and overworked by the experience
    - Makes updates they can, yet also support a free product for millions.
    - It doesn't really work with the friend you invite in scenario (more like they sneezed in your living room or something)
[go to top]