If I got it right, someone took over the server that serves updates and switches that with their own payloads, for select users.

Current app version trusts the server ssl, but since itself was compromised it just updated itself with bad code. Next app version will also sign the payloads, so assuming that this would prevent from future bogus updates.

Wtf

Huh. I accept Notepad++ auto-updates regularly, looks like I’ll need to do a more thorough reinstall to be on the safe side.