https://www.heise.de/en/news/Notepad-updater-installed-malwa...
https://doublepulsar.com/small-numbers-of-notepad-users-repo...
The TLDR is that until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which was available in the Github source code. The author enabled this by not following best practices.
The "good news" is that the attacks were very targeted and seemed to involve hands on keyboard attacks against folks in Asia.
Blaming the hosting company is kind of shady, as the author should own at least some level of the blame for this.
> Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code. This made it possible to create manipulated updates and push them onto victims, as binaries signed this way cause a warning „Unknown Publisher“
It also mentions "installing a root certificate". I suspect that it means that users who installed the root cert could check that a downloaded binary was legit but everyone else (i.e. the majority of users) were trained to blindly click through the warning.