Notepad++ patches hijackable updater flaw

This is the kind of boring updater bug that turns into a real supply-chain nightmare fast: the editor itself was not the main story, the trust chain around it was. For developers, it is a reminder that signed binaries mean little if the update mechanism around them is weak.

• –The incident centered on WinGUp and update traffic integrity, not a broad compromise of every Notepad++ binary
• –Official follow-up guidance described the attack as highly targeted rather than mass exploitation, with only a small number of victims reported
• –v8.8.9 specifically hardened update verification by checking installer certificates and signatures before install
• –Users who are unsure were told to skip auto-update and manually install the newest release from official sources
• –It is a strong example of why desktop devtools need the same supply-chain scrutiny now expected of package managers and CI pipelines