Comment by tech234a
19 days ago
Notably Notepad++ was recently shipping unsigned/self-signed updates, apparently overlapping with the time of this incident, see releases 8.8.2-8.8.6: https://notepad-plus-plus.org/news/
The lack of signing and/or checking the signature when updating is the real issue here. But the write up blames the attack on the hosting server. That doesn't bode well for future security.
So they just conveniently decided not to sign their releases right around the time they were supposedly "hacked"?
Something doesn't seem right here.
Code signing certs are unfortunately expensive
$0 at SignPath. Quite a few OSS projects use it.
You don't even need a certificate to prevent update tampering like this. The updates could have shipped with an ECDSA signature and this wouldn't have happened. It's also free and doable in an afternoon.
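The ECDSA-signed update scheme the comment above describes, as an added example that is not from this thread or from the Notepad++ project: a release-side signing function and the updater-side check, with the public key assumed to be pinned in the shipped binary (the key pair, payload and tampered copy are constructed here for the demo).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignUpdate produces a detached ASN.1 ECDSA-P256 signature over the
// SHA-256 digest of a release payload. This runs on the release machine only;
// the private key never leaves it.
func SignUpdate(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyUpdate is what the auto-updater runs before touching the installed
// program. The public key is assumed to be pinned in the shipped binary, so a
// compromised download host cannot substitute a payload without the private key.
func VerifyUpdate(pub *ecdsa.PublicKey, payload, sig []byte) error {
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("update rejected: signature does not verify")
	}
	return nil
}

func main() {
	// Constructed demo: a fresh key pair, a sample payload and a tampered copy.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	release := []byte("installer bytes (constructed sample)")
	sig, err := SignUpdate(priv, release)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine :", VerifyUpdate(&priv.PublicKey, release, sig))
	tampered := append([]byte{}, release...)
	tampered[0] ^= 0x01 // one flipped bit is enough to fail verification
	fmt.Println("tampered:", VerifyUpdate(&priv.PublicKey, tampered, sig))
}
```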
$700+ at Sectigo for two years
Something of Notepad++ size might think about it now