The supply chain for Notepad++ updates was a PHP script on a shared hosting account pointing to the URL of an executable file.
Surely someone with more resources and more sets of eyes could do better than that? AFAIK nobody has compromised Debian's APT repositories and Red Hat's RPM repositories yet.