Comment

Comment on Notepad++ users take note: It's time to check if you're hacked

This doesn’t seem like this is an attack that should work.

How did this bypass signature verification, sure you can send a malicious update… but unless you have the package maintainer’s private keys you can’t sign it so it would be thrown out by the package manager?

source

Sort:hotnew top

Ludicrous0251@piefed.zip ⁨2⁩ ⁨weeks⁩ ago

The downloads themselves are signed—however some earlier versions of Notepad++ used a self signed root cert, which is on Github. With 8.8.7, the prior release, this was reverted to GlobalSign.

source
- FauxLiving@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  
  used a self signed root cert,
  
  Oh, it’s Windows software.
  
  source