out of curiosity, why is a self signed cert bad for this case? Can't the updater check the validity of the cert just as well regardless? Or did the attackers get access to the signing key as well?

▲

tgsovlerkhgsel 6 hours ago | parent [-]

From the Heise article:

> Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code. This made it possible to create manipulated updates and push them onto victims, as binaries signed this way cause a warning „Unknown Publisher“

It also mentions "installing a root certificate". I suspect that it means that users who installed the root cert could check that a downloaded binary was legit but everyone else (i.e. the majority of users) were trained to blindly click through the warning.

	▲	kevin_thibedeau 6 hours ago \| parent [-]
		Notepad++ has way too many updates for a text editor. I purposely decline most of the nags to update for precisely this reason. It is too juicy of a target and was bound to get compromised.