>>myster+(OP)
Notably Notepad++ was recently shipping unsigned/self-signed updates, apparently overlapping with the time of this incident, see releases 8.8.2-8.8.6: https://notepad-plus-plus.org/news/
>>tech23+V3
The lack of signing and/or checking the signature when updating is the real issue here. But the write up blames the attack on the hosting server. That doesn't bode well for future security.