The software we write often relies on software or data we receive from 3rd parties. For example, a web application you write might rely on modules obtained from npm, Nuget or Maven. You may load images and scripts into an HTML page from a CDN. If any of these pieces of data or software are tampered with (i.e. their integrity is compromised) then your application is vulnerable.
Often data which is sensitive to tampering is given a digital signature or checksum. For example, the Notepad++ online downloads page also contains lists of SHA-256 checksums for each of its versions' binaries.
a0ff10075923892310d022761339fe233c3fdc9e04d994f977c42adafccd96a9 npp.8.2.Installer.arm64.exe
9e2eca17a0ce0ccd222ae32db1fe9b8473dbf97236880fbbd17949a98564e522 npp.8.2.Installer.exe
0ba94c551d07de2194f87c086952f5d78a213e4423265a4a394cf98acd4edb59 npp.8.2.Installer.x64.exe
...
These hexadecimal digests are the output which you should expect if you hashed your Notepad++ binary with the SHA-256 algorithm. If the binary on your local computer had been tampered with, when you hashed it you would get a different digest. This is one of the reasons why collisions (two inputs hashing to the same output) need to be hard to find for cryptographic hashes, since otherwise a hacker could construct their malware in such a way that it produced the same checksum hash as the legitimate version.