Hacker News

thisislife2 today at 2:10 AM (4 replies)

Wow. I'd love to know more about how the targeted systems were actually compromised.


Replies

dgrin91 today at 2:21 AM

Agreed. Supply chain attacks are scary. I open all sorts of secrets in NPP - did they all get leaked?

mapontosevenths today at 2:54 AM

There is more detail linked below:

https://www.heise.de/en/news/Notepad-updater-installed-malwa...

https://doublepulsar.com/small-numbers-of-notepad-users-repo...

The TLDR is that until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which was available in the GitHub source code. The author enabled this by not following best practices.

The "good news" is that the attacks were very targeted and seemed to involve hands-on-keyboard attacks against folks in Asia.

Blaming the hosting company is kind of shady, as the author should own at least some level of the blame for this.

N_Lens today at 2:20 AM

Probably backdooring end user machines by pushing updates with vulnerabilities for the purpose of spying, data exfiltration & control.

hsbauauvhabzb today at 2:28 AM

And who was targeted. The current messaging is very vague.