The creator of the widely used open-source text editor Notepad++ has confirmed that hackers compromised the software’s update mechanism, allowing malicious versions to be distributed to users over a period of several months in 2025.
In a blog post published Monday, Notepad++ developer Don Ho said the intrusion was likely carried out by hackers connected to the Chinese government between June and December 2025. Ho cited multiple independent analyses from security researchers who reviewed the malware payloads and attack behaviour, noting that this attribution “would explain the highly selective targeting” observed during the campaign.
Cybersecurity firm Rapid7, which investigated the incident, linked the operation to Lotus Blossom, a long-running cyberespionage group believed to be aligned with China. According to Rapid7, the attackers targeted organisations acrosssectors, including government, telecommunications, aviation, critical infrastructure, and media.
Notepad++ is among the longest-running open-source software projects, with a history spanning more than two decades. The editor has accumulated tens of millions of downloads worldwide and is widely used by employees at organisations across multiple industries.
Security researcher Kevin Beaumont, who first uncovered the attack and published his findings in December, said the hackers compromised a limited number of organisations “with interests in East Asia” after victims unknowingly installed a tampered version of the software. Beaumont explained that the attackers gained direct, hands-on access to affected systems running the hijacked Notepad++ updates.
Ho said the precise technical method used to breach his infrastructure is still under investigation, but he shared additional details about how the attack unfolded.
According to the blog post, Notepad++’s website was hosted on a shared hosting server. The attackers deliberately targeted the project’s web domain, exploiting a software flaw that redirected certain users to a malicious server controlled by the hackers. As a result, users who attempted to update Notepad++ were, in some cases, served infected versions of the software. This continued until the vulnerability was patched in November, and the attackers’ access was entirely cut off in early December.
“We do have logs showing that the threat actor attempted to re-exploit one of the fixed vulnerabilities,” Ho wrote. “However, those attempts were unsuccessful once the fix was in place.”
In a separate email, Ho told TechCrunch that his hosting provider confirmed the shared server had been compromised, but did not specify how the attackers initially gained access.
Ho apologised to users for the incident and urged everyone to download the latest version of Notepad++, which includes a security fix for the exploited flaw.
The attack on Notepad++ users has drawn comparisons to the high-profile 2019–2020 SolarWinds supply-chain breach. In that case, Russian state-sponsored hackers infiltrated SolarWinds’ systems. They secretly inserted a backdoor into the company’s software updates, enabling them to spy on customers once the compromised updates were installed.
The SolarWinds breach ultimately impacted multiple U.S. government agencies, including the Department of Homeland Security and the Departments of Commerce, Energy, Justice, and State.
Like
0
Dislike
0
Love
0
Funny
0
Angry
0
Sad
0
Wow
0
