alt Hacker NewsThere is more detail linked below:
https://www.heise.de/en/news/Notepad-updater-installed-malwa...
https://doublepulsar.com/small-numbers-of-notepad-users-repo...
The TLDR is that until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which was available in the Github source code. The author enabled this by not following best practices.
The "good news" is that the attacks were very targeted and seemed to involve hands on keyboard attacks against folks in Asia.
Blaming the hosting company is kind of shady, as the author should own at least some level of the blame for this.
Replies
If the attackers did limit themselves to a small number of Asian machines they gave up an absolute goldmine. I would venture to say a lot of technical people use notepad++ at work in jobs that would be very lucrative for an attacker to exploit. I know I definitely had an 'oh shit' moment when I read this and thought about where I have notepad++ installed.
out of curiosity, why is a self signed cert bad for this case? Can't the updater check the validity of the cert just as well regardless? Or did the attackers get access to the signing key as well?