Until version 8.8.7 of Notepad++, the developer used a self-signed certificate, which is available in the Github source code. This made it possible to create manipulated updates and push them onto victims, as binaries signed this way cause a warning „Unknown Publisher“. Since v8.8.7, however, Notepad++ relies on a legitimate GlobalSign certificate, and installing its own Notepad++ root certificate is no longer necessary – if such a warning pops up, users should be alarmed.

I don’t understand how this is relevant. Unless the attacker has either

(a) somehow acquired the private key of the cert

(b) replaced the cert delivered through the installer

A self signed cert isn’t any worse. Both of these attack vectors still work with a public root CA. Or maybe notepad++ just forgot to validate the self signed cert against the one they delivered through their sources, just accepting any non-expired cert? That’s just a bug.

occums razor

Get your mind out of the gutter.

As long as it’s legal, they shouldn’t be policing transactions at all!

Well, they aren’t policing transactions per se, they are a lot more Machiavellian than that. If they were policing transactions, it would be much easier to fight.

Nintendo is doing exactly that (pulling games from stores, letting them die). Now that they have more invasive DRM in their latest console, they might even take a more active approach like Ubisoft wegen it comes to live service games. Let’s just “sunset” Mario kart world live service and brick it in a couple of years?