zlacker

[parent] [thread] 2 comments
1. otherm+(OP)[view] [source] 2026-02-02 06:44:42
> And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start?

Did I understand the attack wrongly? The software could have a 100% correct checksum, because the attack happened in a remote machine that deals with call home events from Notepad++, I guess one of those "Telemetry" add-ons. The attackers did a MITM to Notepad++ traffic.

replies(1): >>tempes+X1
2. tempes+X1[view] [source] 2026-02-02 07:08:52
>>otherm+(OP)
The remote machine that was compromised was responsible for Notepad++ updates, so the concern is that it could cause a compromised version of the software to be installed. But if it could do that, it could probably cause anything to be installed anywhere on the user's machine, so inspecting the installed N++ binary probably wouldn't be too useful.
replies(1): >>7bit+Us
◧◩
3. 7bit+Us[view] [source] [discussion] 2026-02-02 11:51:37
>>tempes+X1
Checksums are useless in this case. The binary would have to be signed and the installation routine would have to check that the new binary would have been signed with the certificate. That adds complexity, but would have thwarted this specific attempt.

However, there are ways around this, too. No solution is perfect.

[go to top]