{"id":8997,"date":"2025-07-01T01:45:39","date_gmt":"2025-07-01T01:45:39","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=8997"},"modified":"2025-07-01T01:45:40","modified_gmt":"2025-07-01T01:45:40","slug":"notepad-upgrade-causing-trojanscript-wacatac-bml","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/notepad-upgrade-causing-trojanscript-wacatac-bml","title":{"rendered":"Notepad++ Upgrade causing &#8216;Trojan:Script\/Wacatac.B!ml&#8217;"},"content":{"rendered":"\n<p>We had alerts today internally on Defender due to a Notepad++ upgrade to 8.2.2. Notepad++ is no longer able to sign their releases because they could not renew an expiring certificate, due to changes in certificate authority policies, as detailed at&nbsp;<a href=\"https:\/\/notepad-plus-plus.org\/news\/8.8.2-available-in-1-week-without-certificate\/\">https:\/\/notepad-plus-plus.org\/news\/8.8.2-available-in-1-week-without-certificate\/<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/notepad-plus-plus.org\/news\/v882-fix-security-issue\/\">https:\/\/notepad-plus-plus.org\/news\/v882-fix-security-issue\/<\/a><\/p>\n\n\n\n<p>The current workaround is to 
whitelist the SHA-1 hash as trusted so the updates are not blocked<\/p>\n\n\n\n<p>179613870a9ffc646b77918701481c8ffdae1c82e06cbc7ea7d42af3d1c9e5e2&nbsp; npp.8.8.2.Installer.exe<\/p>\n\n\n\n<p>561a1656f8710cfd39a5dee3ae67b2c18916f792<\/p>\n\n\n\n<p>which matches the digests (viewed over HTTPS) at&nbsp;<a href=\"https:\/\/notepad-plus-plus.org\/downloads\/v8.8.2\/\">https:\/\/notepad-plus-plus.org\/downloads\/v8.8.2\/<\/a>&nbsp;and on their GitHub releases page at&nbsp;<a href=\"https:\/\/github.com\/notepad-plus-plus\/notepad-plus-plus\/releases\/tag\/v8.8.2\">https:\/\/github.com\/notepad-plus-plus\/notepad-plus-plus\/releases\/tag\/v8.8.2<\/a><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We had alerts today internally on Defender due to a Notepad++ upgrade to 8.2.2. 
Notepad++ is no longer able to sign their releases due to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-8997","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/8997","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=8997"}],"version-history":[{"count":1,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/8997\/revisions"}],"predecessor-version":[{"id":8998,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/8997\/revisions\/8998"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=8997"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=8997"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=8997"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}