Suspected China-state hackers used update infrastructure to deliver backdoored version.

Suspected China-state hackers used update infrastructure to deliver backdoored version.

  • FauxLiving@lemmy.worldEnglish
    21·
    22 days ago

    This doesn’t seem like this is an attack that should work.

    How did this bypass signature verification, sure you can send a malicious update… but unless you have the package maintainer’s private keys you can’t sign it so it would be thrown out by the package manager?

    • Ludicrous0251@piefed.zipEnglish
      4·
      22 days ago

      The downloads themselves are signed—however some earlier versions of Notepad++ used a self signed root cert, which is on Github. With 8.8.7, the prior release, this was reverted to GlobalSign.