18
Notepad++ updater installed malware (www.heise.de)
submitted 4 months ago* (last edited 4 months ago) by schizoidman@lemmy.zip to c/technology@lemmy.world
31 comments fedilink hide all child comments

https://archive.is/uCWNB

you are viewing a single comment's thread
view the rest of the comments
[-] floofloof@lemmy.ca 3 points 4 months ago

Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code.

That doesn't sound wise.

[-] techt@lemmy.world 3 points 4 months ago
[-] sem@piefed.blahaj.zone 1 points 4 months ago* (last edited 4 months ago)

2025-07-09 **“Sometimes, when one door closes (lack of code signing) in life, another one opens (vulnerability) .”\

The sentence sumarizes well the situation in the previous version, 8.8.2.

There were - and still are - many false-positives reported in the previous version v8.8.2, by the antivirus software due to the absence of Windows code signing certificate.


1. ~~Double-click the certificate, it may tell you it’s invalid, ignore that and click: \*\*“Install Certificate..”~~\*\*~~.~~
2. ~~In the Certificate Import Wizard, select \*\*“Local Machine”~~**\~\~, then click \~\~**~~Next~~\*\*~~.~~
3. ~~If prompted by UAC (optional, depending on admin Previleges), click ~~**~~Yes~~**~~.~~
4. ~~Choose \*\*“Place all certificates in the following store”~~**\~\~, then browse and select \~\~**~~“Trusted Root Certification Authorities”~~**\~\~. Click \~\~**~~Next~~\*\*~~.~~
5. ~~On the final page of the wizard, click~~ **~~Finish~~** ~~to complete the installation.For detailed instructions, see Notepad++ User Manual.~~

We’re still trying to obtain a certificate issued by conventional Certificate Authorities, for a better user experience. But let’s be honest: it’s probably not happening. Notepad++ isn’t a business - it’s certainly not an enterprise - and apparently, that makes a popular open-source project invisible to their gatekeeping standards.

If the “gatekeepers” won’t issue a certificate under the name we deserve - so be it. At least it spares us from wasting time and energy on a frustrting process that demands we [beg for a new certificate every 3 years](https://notepad-plus-plus.org/news/v764-released/). The Notepad++ Root Certificate may not carry their approval, but it leads us to freedom.

***Edit (2025-12-03): Starting with v8.8.7, Notepad++ binaries - including the installer - are digitally signed using a legitimate certificate issued by GlobalSign. As a result, Installation of the Notepad++ root certificate is no longer required. We recommend that users who have previously installed the root certificate remove it.***
[-] sem@piefed.blahaj.zone 1 points 4 months ago

I give up trying to fix the formatting. I had it right, but then adding the image, fucked everything up again, and now blorp crashes when I try to edit it again.

I guess this will be one of the rare cases when you do have to read the article in order to be informed instead of just the comments.

[-] asbestos@lemmy.world 1 points 4 months ago

So the private key was left in the Github source code and nobody caught it? Or was it the public key? (which makes this statement way less impactful)

[-] Samskara@sh.itjust.works 1 points 4 months ago

Private key probably. Only the public key is not enough to sign the package.

this post was submitted on 10 Dec 2025
18 points (100.0% liked)

Technology

84101 readers
222 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws