You’d be protected from this particular exploit if you used a package manager rather than the updater, though of course you’d still be vulnerable to the installer binary itself getting compromised.
Wonder how many packages in community package repos are compromised. Surely "Hubbleexplorer" can be trusted to provide arch users with a honest, clean version of npp.