Notably Notepad++ was recently shipping unsigned/self-signed updates, apparently overlapping with the time of this incident, see releases 8.8.2-8.8.6: https://notepad-plus-plus.org/news/
The lack of signing and/or checking the signature when updating is the real issue here. But the write up blames the attack on the hosting server. That doesn't bode well for future security.
You don't even need a certificate to prevent update tampering like this. The updates could have shipped with an ECDSA signature and this wouldn't have happened. It's also free and doable in an afternoon.
Notepad++ is Windows-based and could use the Windows store instead of the built in updater. Microsoft charges a one time fee. It would pass SmartScreen checks. His website has a bunch of ads integrated which I assume are there to help pay for hosting.
Mr. Ho already has hosting charges and he uses GitHub. For those who use GitHub, he could continue his GnuPG method for signing. Additionally, GitHub integrates with Sigstore. Windows wouldn’t trust his signature but at least there would be better traceability. Version 8.8.7 labeled “authenticity guaranteed” is a step in that direction.
The real “issue” here was his outside hosting platform for updates from my reading of the article.