Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code. This made it possible to create manipulated updates and push them onto victims, as binaries signed this way cause a warning „Unknown Publisher“. Since v8.8.7, however, Notepad++ relies on a legitimate GlobalSign certificate, and installing its own Notepad++ root certificate is no longer necessary – if such a warning pops up, users should be alarmed.
I don’t understand how this is relevant. Unless the attacker has either
(a) somehow acquired the private key of the cert
(b) replaced the cert delivered through the installer
A self signed cert isn’t any worse. Both of these attack vectors still work with a public root CA. Or maybe notepad++ just forgot to validate the self signed cert against the one they delivered through their sources, just accepting any non-expired cert? That’s just a bug.
It’s the same kind of extortion racket that these powermods (they do it for free, lol) like to engage in in Reddit and Lemmy too: Play ball, or get banned/defederates for engaging with no-no communities.
And the worst part about it is they genuinely think they do it for a greater good instead of their petty power fantasies and power struggles (“we own this corner of the internet.”)