Comment on Notepad++ updater installed malware

Kazumara@discuss.tchncs.de 1 week ago

I don’t get how this was exploited in practice.

Even if the signatures on the downloaded packages weren’t checked properly, how would you modify the content of the XML file returned from notepad-plus-plus.org/update/getDownloadUrl.php?v… ? For that you’d have to break or MITM the TLS too, no?

The usual case for TLS MITM is when a company decides DPI is more important than E2E encryption and they terminate all TLS on the firewall, but if the firewall is compromised there would be much easier avenues of entry other than Notepad++.
