An obvious (in retrospect) vulnerability in apps that use Sparkle for automatic updates (most apps outside of the MAS). The fix is pretty easy for developers, and as of Marked 2.5.4 (which is [available now](http://marked2app.com)) all of the updates and release notes are served over HTTPS. You can find additional details on the issue at [Vulnerable Security](https://vulnsec.com/2016/osx-apps-vulnerabilities/).