This doesn’t seem like an attack that should work.
How did this bypass signature verification? Sure, you can send a malicious update… but unless you have the package maintainer’s private keys you can’t sign it, so it would be thrown out by the package manager?
The downloads themselves are signed; however, some earlier versions of Notepad++ used a self-signed root cert, which is on GitHub. With 8.8.7, the prior release, this was reverted to GlobalSign.
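The point the two comments above are circling is that a signature check only helps if the key the updater trusts is something an attacker in the download path cannot replace. The following is an added illustration, not Notepad++ code and not a description of how that attack actually worked: a toy updater using Go's standard-library ed25519, with constructed manifest and installer bytes. It shows the same attacker-signed release being rejected when the publisher key is pinned in the updater and accepted when the updater takes its verification key from whatever arrived with the download. Names (Manifest, Update, VerifyPinned, VerifyBundled, Scenario) are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for release metadata: a version string
// and the SHA-256 of the installer. It is not any real project's format.
type Manifest struct {
	Version string
	SHA256  string
}

// signingInput is the exact byte string the publisher signs.
func (m Manifest) signingInput() []byte {
	return []byte(m.Version + "\n" + m.SHA256 + "\n")
}

// Update is what the updater receives over the network. BundledKey models
// the weak design in which the verification key travels with the download.
type Update struct {
	Manifest   Manifest
	Signature  []byte
	Installer  []byte
	BundledKey ed25519.PublicKey
}

func digestHex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// sign builds a signed Update for installer under priv (publisher or attacker).
func sign(priv ed25519.PrivateKey, version string, installer []byte) Update {
	m := Manifest{Version: version, SHA256: digestHex(installer)}
	return Update{
		Manifest:   m,
		Signature:  ed25519.Sign(priv, m.signingInput()),
		Installer:  installer,
		BundledKey: priv.Public().(ed25519.PublicKey),
	}
}

// verifyWith checks the manifest signature under key, then the installer digest.
func verifyWith(key ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(key, u.Manifest.signingInput(), u.Signature) {
		return errors.New("manifest signature does not verify under this key")
	}
	if digestHex(u.Installer) != u.Manifest.SHA256 {
		return errors.New("installer does not match manifest digest")
	}
	return nil
}

// VerifyPinned: the trust anchor is compiled into the updater, so a man in the
// download path cannot swap it. This is the design the first commenter assumes.
func VerifyPinned(pinned ed25519.PublicKey, u Update) error {
	return verifyWith(pinned, u)
}

// VerifyBundled: the updater trusts whatever key came with the download, so
// anyone who can replace the download can replace the key and re-sign.
func VerifyBundled(u Update) error {
	return verifyWith(u.BundledKey, u)
}

// Scenario returns (genuine passes pinned check, attacker build fails pinned
// check, attacker build passes bundled-key check).
func Scenario() (bool, bool, bool, error) {
	pubPublisher, privPublisher, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	_, privAttacker, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}

	// Constructed inputs: a genuine release and an attacker's substitute.
	genuine := sign(privPublisher, "1.0.1", []byte("constructed installer bytes"))
	rogue := sign(privAttacker, "1.0.1", []byte("constructed malicious installer"))

	genuineOK := VerifyPinned(pubPublisher, genuine) == nil
	attackerRejected := VerifyPinned(pubPublisher, rogue) != nil
	attackerAcceptedByBundled := VerifyBundled(rogue) == nil
	return genuineOK, attackerRejected, attackerAcceptedByBundled, nil
}

func main() {
	g, r, b, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine release verifies under pinned key: %v\n", g)
	fmt.Printf("attacker build rejected under pinned key: %v\n", r)
	fmt.Printf("attacker build accepted when key comes from the download: %v\n", b)
}
```

The takeaway for a real updater is the same whether the signature is ed25519 or Authenticode: the check must chain to a root the updater already holds (or to a platform trust store the attacker cannot write to), not to a key or certificate fetched alongside the update.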
Oh, it’s Windows software.