> Anyone who can intercept and manipulate this traffic can therefore change the download URL. Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code. This made it possible to create manipulated updates and push them onto victims. Since v8.8.7, however, Notepad++ relies on a legitimate GlobalSign certificate, and installing its own Notepad++ root certificate is no longer necessary.
Even the software itself is not signed with a validatable cert. How do the hijackers overcome the HTTPS cert, though? It's 2025 now. It's extremely unlikely that anyone fetches a binary over plain-text HTTP. Did wingup get compromised and have a cert leak? Or is there yet another root CA doing weird things?
GlobalSign vs. self-signed cert being used for code signing makes not one lick of difference, though? You can't use any public cert alone to forge an update, unless you're trying to sell us on the Notepad++ author having source-controlled their private key.
The thing that irritates me is people thinking that PKI only works when $corp is involved. Self-signed works just as well, and to be frank, it is better that you start building up your savvy with these primitives on your own, the way the world is going.
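The point the two comments above are making (the trust anchor is the publisher key pinned in the client, not who issued the certificate), as an added example that is not code from this thread, from Notepad++ or from its updater; the manifest format, URL and hash are constructed, and Ed25519 stands in for whatever signature scheme a real updater uses:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Manifest is a constructed stand-in for an update descriptor: what the
// client fetches over HTTPS and must not trust until the signature checks out.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// Sign produces a detached signature over the canonical JSON of the manifest.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	b, _ := json.Marshal(m)
	return ed25519.Sign(priv, b)
}

// Verify checks the manifest against the publisher key pinned in the client.
// Nothing about the TLS certificate or its issuer enters this decision.
func Verify(pinned ed25519.PublicKey, m Manifest, sig []byte) bool {
	b, err := json.Marshal(m)
	if err != nil {
		return false
	}
	return ed25519.Verify(pinned, b, sig)
}

// Scenario runs the three cases argued in the thread and reports which verify:
// the genuine manifest, one whose URL was altered in transit, and one signed
// with a different (even "legitimate") key that is not the pinned one.
func Scenario() (genuine, tampered, foreignKey bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed publisher key
	if err != nil {
		panic(err)
	}
	m := Manifest{Version: "8.8.7", URL: "https://example.invalid/npp.exe", SHA256: "<constructed-hash>"}
	sig := Sign(priv, m)
	genuine = Verify(pub, m, sig)
	altered := m
	altered.URL = "https://changed.invalid/npp.exe" // URL rewritten on the wire
	tampered = Verify(pub, altered, sig)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // someone else's key
	foreignKey = Verify(pub, m, Sign(otherPriv, m))
	return
}

func main() {
	g, t, f := Scenario()
	fmt.Printf("genuine=%v tampered=%v foreignKey=%v\n", g, t, f)
}
```

Only the genuine case verifies; a self-signed pinned key gives the same result as a CA-issued one, and both fail the moment the private key leaks.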
I came across some more technical information here: https://doublepulsar.com/small-numbers-of-notepad-users-repo...