this post was submitted on 02 Feb 2026
295 points (99.3% liked)

Programming

24992 readers
547 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz
UlrikHD@programming.dev
295
Notepad++ Hijacked by State-Sponsored Hackers (notepad-plus-plus.org)
submitted 1 day ago by who@feddit.org to c/programming@programming.dev
55 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] pdxfed@lemmy.world 83 points 23 hours ago (2 children)

"The exact technical mechanism remains under investigation, though the compromise occured at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests."

Fuckall they could really have done about it other than changing host providers, which they mentioned they already have as a result.

[–] someone@lemmy.today 7 points 11 hours ago

that's a brutal hack. so they hacked the hosting update server, made it monitor incoming IPs, and then selectively uploaded a compromised backdoor update based on IP only to certain computers so it would go undetected longer?

it's awful, but technically impressive that someone could remotely hack the server like that and set up such a complex system to target IPs... unless it was a state actor that compelled the server company to provide local access, in which case it's less impressive.

[–] Lojcs@piefed.social 47 points 21 hours ago (1 children)

Sign the updates before uploading them so they can't be faked?

[–] yetAnotherUser@discuss.tchncs.de 16 points 16 hours ago (2 children)

It's astounding this wasn't done years sooner to be honest. I mean, signing software with keys is not something invented recently. Not doing so is akin to storing passwords in plain text.

[–] 9tr6gyp3@lemmy.world 14 points 14 hours ago* (last edited 14 hours ago) (2 children)

I think they want to, but Microsoft has made it expensive for open source developers who do this as a hobby and not as a job to sign their software. I know not too long ago, this particular dev was asking its users to install a root certificate on their PC so that they wouldn't have to deal with Microsofts method of signing software, but that kind of backfired on them.

[–] TeamAssimilation@infosec.pub 7 points 14 hours ago (1 children)

Let’s Encrypt is a trusted, established alternative, it could replace Microsoft for long-lived software certificates.

Or tarnish its name associating it with malware and bad actors, who knows?

[–] Luminous5481@anarchist.nexus 1 points 14 hours ago (1 children)

Let’s Encrypt is a trusted, established alternative, it could replace Microsoft for long-lived software certificates.

Uh, no it could not.

First of all, the whole point of signing software is to ensure it comes from a reputable source. Let’s Encrypt signs certificates with an automated process that does no verification whatsoever of the identity of the person asking for a certificate. It would make the whole process completely pointless.

Second, Let’s Encrypt has stated themselves over a decade ago that they have no intention of doing this because it would render the whole system pointless.

[–] piccolo@sh.itjust.works 6 points 13 hours ago* (last edited 13 hours ago)

The point of signing software is to ensure the software was not tampered from the publisher. Linux package managers solve this by comparing a gpg key from the publisher with the software's. There is no need for a corporate giant to "vet" software.

[–] yetAnotherUser@discuss.tchncs.de 3 points 12 hours ago (1 children)

Yes, but from what I understand this refers to the automatic update functionality and not Microsoft's own .exe signature verification thing.

Couldn't you do it like this:

  • Put hardcoded key into N++
  • If a new release is available: Download, then verify signature
  • If the signatures match, do whatever Windows requires to install an update

That should work, shouldn't it?

[–] 9tr6gyp3@lemmy.world 3 points 12 hours ago (2 children)

No, because you wouldn't be able to execute the updated exe without a valid signature. You would essentially brick the install with that method, and probably upset Microsoft's security software in the process.

[–] yetAnotherUser@discuss.tchncs.de 2 points 11 hours ago* (last edited 10 hours ago) (1 children)

I meant the old .exe would check the signatures before initializing the official Windows way to update. Effectively have this run whenever you start the application:

main() {
    if (update_available()) {
        exe_path = download_update()
        if (signature(exe_path) == SIGNATURE) {
            install_update(exe_path)
            restart()
        } else {
            put_up_a_warning_or_something()
            delete(exe_path)
        }
    }
# Rest of the application
# ...
}

The only thing I have no idea how to implement would be the install_update(path) function. But surely this is one way to install updates without signatures recognized by Microsoft, right?

And if for some reason you aren't allowed to sign the .exe because this breaks something, then place an unsigned .exe in a signed zip folder.

[–] 9tr6gyp3@lemmy.world 2 points 8 hours ago (1 children)

After you install the update, which exe will you execute after the app restarts?

[–] yetAnotherUser@discuss.tchncs.de 1 points 8 hours ago (1 children)

I don't know enough about Windows app development to answer this. Maybe it replaces the old .exe and the now replaced .exe is just continuing to run from RAM? Maybe there is some restarter.exe program in the same folder that does all the work. In any case, this depends far too much on the Windows update process and how to launch applications.

I just know when I used Windows applications in the past, they were able to restart themselves after updating somehow.

[–] 9tr6gyp3@lemmy.world 2 points 7 hours ago (1 children)

After an update on Windows, you must close the application to clear the RAM before launching the updated exe.

Upon launching the new binary exe, Microsoft will check the code signing certificate and make sure its valid before letting it execute. If its not signed, you will be met with a warning that the binary publisher is unknown, and I believe that Microsoft won't even let it launch nowadays

[–] pupbiru@aussie.zone 1 points 7 hours ago (1 children)

that’s all completely irrelevant.., there is already an update mechanism built into NPP: that’s the entire point of the attack… it’s this update mechanism that got hijacked

[–] 9tr6gyp3@lemmy.world 1 points 7 hours ago (1 children)

If Notepad++ had a valid signing certificate, you wouldn't be able to run the malicious binary in the update. How is that not relevant?

[–] pupbiru@aussie.zone 1 points 7 hours ago* (last edited 6 hours ago) (1 children)

there are more ways to do signing than paying microsoft boat loads of money… just check a gpg sig file ffs (probably using detached signatures: again, it’s already built into existing tools and it’s a well-known, easily solved problem)

what’s irrelevant is the argument about how the auto update mechanism would work because it already exists

[–] 9tr6gyp3@lemmy.world 1 points 6 hours ago* (last edited 6 hours ago) (1 children)

The gpg sig method works great on other operating systems that aren't Windows or MacOS, but Windows and MacOS do not use that method to verify the authenticity of developer's certificates.

The update mechanism works fine, but you will not be able to execute the binary on a Windows or MacOS system. The OS will not allow it to run without it being signed.

The malicious actor would not be able to drag and drop their malware in without the Notepad++ certificate. The signature wouldn't match.

The certificate is not only doing authentication of the developer, but it is also doubling as an integrity check to make sure the code hasn't been modified.

[–] pupbiru@aussie.zone 1 points 6 hours ago (1 children)

Windows and MacOS do not use that method to verify the authenticity of developer's certificates.

completely irrelevant… software authenticity doesn’t have to be provided by your OS… this is an update mechanism that’s built into the software itself. a GPG signature like this would have prevented the hack

The update mechanism works fine, but you will not be able to execute the binary on a Windows or MacOS system

that’s what we’re saying: this update mechanism already exists, and seems to install unsigned software. that’s the entire point of this hack… the technical how it works is irrelevant

[–] 9tr6gyp3@lemmy.world 1 points 6 hours ago* (last edited 6 hours ago) (1 children)

Agreed.

If the updates were signed, then the malicious actor could not push their own updates. It would fail authentication and integrity checks.

[–] pupbiru@aussie.zone 1 points 6 hours ago* (last edited 6 hours ago) (1 children)

yes but as you yourself said

I think they want to, but Microsoft has made it expensive for open source developers who do this as a hobby and not as a job to sign their software. I know not too long ago, this particular dev was asking its users to install a root certificate on their PC so that they wouldn't have to deal with Microsofts method of signing software, but that kind of backfired on them.

the part that we’re arguing against isn’t that a microsoft signing key would have fixed the problem, it’s

No, because you wouldn't be able to execute the updated exe without a valid signature. You would essentially brick the install with that method, and probably upset Microsoft's security software in the process.

this update mechanism already exists: it’s the reason the hijack was possible. whatever the technical process behind the scenes is irrelevant… that is how it currently works; it’s not a “what if”

adding signing into that existing process without any 3rd party involvement is both free, and very very easy

which is why this is a solved (for free) problem on linux

[–] 9tr6gyp3@lemmy.world 1 points 6 hours ago

the part that we’re arguing against isn’t that a microsoft signing key would have fixed the problem, it’s

I didn't say a Microsoft signing key is required. Im saying Microsoft requires that you go out and obtain a signed certificate that proves your identity as a developer.

this update mechanism already exists: it’s the reason the hijack was possible. whatever the technical process behind the scenes is irrelevant… that is how it currently works; it’s not a “what if”

The update mechanism was successful hijacked because integrity checks and authentication checks were not properly in place. Notepad++ even said that they moved hosting providers after this happened to them.

Per https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

adding signing into that existing process without any 3rd party involvement is both free, and very very easy

Can you point out an existing open source application that runs on Windows that only uses GPG signatures?

[–] stephen01king@piefed.zip 2 points 11 hours ago (1 children)

How are they doing it now, then?

[–] 9tr6gyp3@lemmy.world 1 points 7 hours ago (1 children)

The answer to that question is honestly super complicated, and it has its own job title tbh. Managing code signing certificates can be really complex depending on the software.

This gist kinda covers the basics

https://gist.github.com/MangaD/e8f67fb39a35abdbf4ad26711c5957cc

[–] stephen01king@piefed.zip 2 points 7 hours ago (1 children)

No, I meant how are Notepad++ people doing it currently when people claim they aren't already signing their exe?

[–] 9tr6gyp3@lemmy.world 1 points 7 hours ago

Im not sure. I don't have Windows to look at the code signing certificate they are using (if they are using one at all). Hopefully someone else can check and let us know.

[–] sus@programming.dev 3 points 14 hours ago* (last edited 14 hours ago)

Cryptography is hard and programmers are notoriously really really really bad at it.