
... You are aware that at a point in time, Notepad++ was compromised, right?...

https://notepad-plus-plus.org/news/notepad-7.3.3-fix-cia-hac...

As both a developer and a systems administrator, I am constantly on both sides of the fence. I have seen developers who cannot even maintain their machines and download any random thing to streamline their job to the detriment of security. Yet I have seen other organizations where it takes months to get something like VSCode installed (try keeping that up-to-date on an air-gapped machine that isn't connected to the internet... or ... Node.js or... full Visual Studio...)



Notepad++ wasn't compromised, at least not in the incident referred to in that link.

> It's not a vulnerability/security issue in Notepad++


Ah yes - gotta love the HN pedantry - you are of course technically correct, however - a library used by Notepad++ was compromised for a period of time.

Outcome from a security perspective was the same.


> a library used by Notepad++ was compromised for a period of time

Nothing at the referenced URL corroborates how you are representing the referenced URL.

According to the URL, the CIA was replacing one of Notepad++'s components with another in order to run code on the user's system and stay hidden. Nothing in that link indicates that the replacement is done through any breach in security in Notepad++ itself, and AFAICT they're using it merely as a good hiding place. The Notepad++ announcement fixes no particular bugs, but merely signs the code.

"It rather involved being on the other side of this airtight hatchway": https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...

I'd also say that the CIA is probably not within the threat model of most companies. (If they had one.)


> Ah yes - gotta love the HN pedantry - you are of course technically correct, however - a library used by Notepad++ was compromised for a period of time.

No, it wasn't either. The security "issue" was that a shared library loaded by Notepad++ could be replaced with a compromised one. At no point did either Notepad++ or the library authors distribute a compromised version of that library.

Being able to replace shared libraries is not a security issue, it's the number one (or number two, depending on who you ask) reason for having shared libraries in the first place. It's like saying that if I compiled a custom version of glibc and installed it on a computer, the entirety of the GNU ecosystem was compromised.
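
The check implied by the two comments above (the fix was to sign the component and verify it, not to patch a bug) is something an administrator can run today. The following PowerShell script is an added example, not code from the thread or from the Notepad++ project: it walks an application directory, verifies the Authenticode signature of every DLL and EXE, and flags any file that is unsigned or signed by a different publisher than the main executable. The install path, the main binary name and the idea of using the main executable's signer as the baseline are assumptions for illustration.

```powershell
# Added example (not from the thread or from Notepad++): audit the binaries in an
# application directory and report any whose Authenticode signature is missing,
# invalid, or issued to a different publisher than the main executable.
# Assumptions: default install path under Program Files and main binary name;
# adjust both for the install you are checking.
param(
    [string]$AppDir  = "$env:ProgramFiles\Notepad++",   # assumption: default install path
    [string]$MainExe = "notepad++.exe"                   # assumption: main binary name
)

$exePath = Join-Path $AppDir $MainExe
$exeSig  = Get-AuthenticodeSignature -FilePath $exePath
if ($exeSig.Status -ne 'Valid') {
    Write-Warning "Main executable is not validly signed: $($exeSig.Status)"
}
# Use the main executable's signer as the publisher every other component should match.
$expectedSigner = if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { '(none)' }

Get-ChildItem -Path $AppDir -Recurse -Include *.dll, *.exe |
  ForEach-Object {
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    [pscustomobject]@{
        File    = $_.FullName
        Status  = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer  = $signer
        SHA256  = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        Matches = ($sig.Status -eq 'Valid' -and $signer -eq $expectedSigner)
    }
  } |
  Where-Object { -not $_.Matches } |      # only the files that need a human decision
  Format-Table -AutoSize
```

A file that shows up in the output is not automatically malicious: a third-party component legitimately signed by its own author will be listed too, and the point of the report is that someone then decides whether that signer belongs in the trusted set. It also does not change the thread's argument: an attacker who can already write to the application directory is, in the "airtight hatchway" sense, already on the wrong side of the door, so this is detection of a swapped component, not prevention.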


I mean, my operating system itself was compromised many times, is my employer going to take that away too?



