> And perhaps a tool to e.g. do a checksum of all Notepad++ files, and compare them to the ones of a verified clean install of the user's installed version, would be a start?

Did I understand the attack wrongly? The software could have a 100% correct checksum, because the attack happened in a remote machine that deals with call home events from Notepad++, I guess one of those "Telemetry" add-ons. The attackers did a MITM to Notepad++ traffic.

The remote machine that was compromised was responsible for Notepad++ updates, so the concern is that it could cause a compromised version of the software to be installed. But if it could do that, it could probably cause anything to be installed anywhere on the user's machine, so inspecting the installed N++ binary probably wouldn't be too useful.