this post was submitted on 02 Feb 2026
316 points (99.4% liked)

Programming

24992 readers
264 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz
UlrikHD@programming.dev
316
Notepad++ Hijacked by State-Sponsored Hackers (notepad-plus-plus.org)
submitted 1 day ago by who@feddit.org to c/programming@programming.dev
59 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] 9tr6gyp3@lemmy.world 0 points 18 hours ago* (last edited 18 hours ago) (1 children)

The gpg sig method works great on other operating systems that aren't Windows or MacOS, but Windows and MacOS do not use that method to verify the authenticity of developer's certificates.

The update mechanism works fine, but you will not be able to execute the binary on a Windows or MacOS system. The OS will not allow it to run without it being signed.

The malicious actor would not be able to drag and drop their malware in without the Notepad++ certificate. The signature wouldn't match.

The certificate is not only doing authentication of the developer, but it is also doubling as an integrity check to make sure the code hasn't been modified.

[–] pupbiru@aussie.zone 2 points 17 hours ago (1 children)

Windows and MacOS do not use that method to verify the authenticity of developer's certificates.

completely irrelevant… software authenticity doesn’t have to be provided by your OS… this is an update mechanism that’s built into the software itself. a GPG signature like this would have prevented the hack

The update mechanism works fine, but you will not be able to execute the binary on a Windows or MacOS system

that’s what we’re saying: this update mechanism already exists, and seems to install unsigned software. that’s the entire point of this hack… the technical how it works is irrelevant

[–] 9tr6gyp3@lemmy.world 2 points 17 hours ago* (last edited 17 hours ago) (1 children)

Agreed.

If the updates were signed, then the malicious actor could not push their own updates. It would fail authentication and integrity checks.

[–] pupbiru@aussie.zone 2 points 17 hours ago* (last edited 17 hours ago) (1 children)

yes but as you yourself said

I think they want to, but Microsoft has made it expensive for open source developers who do this as a hobby and not as a job to sign their software. I know not too long ago, this particular dev was asking its users to install a root certificate on their PC so that they wouldn't have to deal with Microsofts method of signing software, but that kind of backfired on them.

the part that we’re arguing against isn’t that a microsoft signing key would have fixed the problem, it’s

No, because you wouldn't be able to execute the updated exe without a valid signature. You would essentially brick the install with that method, and probably upset Microsoft's security software in the process.

this update mechanism already exists: it’s the reason the hijack was possible. whatever the technical process behind the scenes is irrelevant… that is how it currently works; it’s not a “what if”

adding signing into that existing process without any 3rd party involvement is both free, and very very easy

which is why this is a solved (for free) problem on linux

[–] 9tr6gyp3@lemmy.world 1 points 17 hours ago (1 children)

the part that we’re arguing against isn’t that a microsoft signing key would have fixed the problem, it’s

I didn't say a Microsoft signing key is required. Im saying Microsoft requires that you go out and obtain a signed certificate that proves your identity as a developer.

this update mechanism already exists: it’s the reason the hijack was possible. whatever the technical process behind the scenes is irrelevant… that is how it currently works; it’s not a “what if”

The update mechanism was successful hijacked because integrity checks and authentication checks were not properly in place. Notepad++ even said that they moved hosting providers after this happened to them.

Per https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

adding signing into that existing process without any 3rd party involvement is both free, and very very easy

Can you point out an existing open source application that runs on Windows that only uses GPG signatures?

[–] pupbiru@aussie.zone 2 points 10 hours ago (1 children)

saying Microsoft requires that you go out and obtain a signed certificate that proves your identity as a developer

clearly that’s not the case if this was exploitable… again, N++ has an auto update mechanism that they current use. if they used a microsoft signing key to sign a builds hash, this hijack would not be possible

thus they have an update mechanism that works around microsoft signing… how is irrelevant. that is the current state of the software

The update mechanism was successful hijacked because integrity checks and authentication checks were not properly in place

that part we definitely agree on

Notepad++ even said that they moved hosting providers after this happened to them

side note: doesn’t remotely solve the problem… software updates should be immune to this to start with. it’s a problem that the hosting provider was compromised, but honestly we’re talking about a state sponsored hack targeting other states: almost no hosting provider would include this in their risk assessment, let alone shared hosting providers

Can you point out an existing open source application that runs on Windows that only uses GPG signatures?

again, that’s irrelevant… the concept that we’re talking about isn’t even specific to GPG. signing a hash using a private key is basic crypto, and GPG is a specific out of the box implementation

if we remove microsoft signing as an option for whatever reason (which we have) then it’s still very possible, and very easy to implement signed updates into your own custom update mechanism

[–] 9tr6gyp3@lemmy.world 0 points 9 hours ago

if we remove microsoft signing as an option for whatever reason (which we have) then it’s still very possible, and very easy to implement signed updates into your own custom update mechanism

Im not convinced