The developer of Notepad++, a popular open-source text editor, confirmed that hackers took over the software in 2025 and distributed malicious updates to users over several months.
In a blog post released on Monday, Notepad++ developer Don Ho said the cyberattack was likely carried out by hackers with ties to the Chinese government between June and December 2025, citing multiple analyses by security experts who examined the malware’s payload and attack pattern. Ho said this “would explain the very selective targeting” seen during the campaign.
Rapid7, which investigated the incident, blamed the hack on Lotus Blossom, a long-running spy group known for working on behalf of China, and said the hack targeted the government, communications, aviation, critical infrastructure and media sectors.
Notepad++ is one of the longest-running open source projects, spanning more than 20 years, and has been downloaded at least tens of millions of times, including by employees of organizations around the world.
According to security researcher Kevin Beaumont, who first discovered the cyberattack and wrote up his findings in December, hackers compromised a small number of organizations with “interests in East Asia” after someone unknowingly used a contaminated version of the popular software. Beaumont said the hackers had “direct” access to the victim’s computer, which was running a hijacked version of Notepad++.
Ho said the “exact technical mechanism” of how the hackers infiltrated the server was still being investigated, but provided some details about how the attack ended.
Ho said in his blog that the Notepad++ website is hosted on a shared hosting server. The attackers “specifically targeted” the Notepad++ web domain with the aim of exploiting a bug in the software to redirect some users to a malicious server run by the hackers. This allowed the hackers to distribute malicious updates to specific users who requested software updates. The bug was fixed in November, and the hackers’ access was then suspended in early December.
“We have logs showing that the attacker attempted to re-exploit one of the fixed vulnerabilities, but the attempt was not successful after the fix was implemented,” Ho wrote.
Ho told TechCrunch in an email that the hosting provider confirmed that the shared server was compromised, but the provider did not say how the hackers got in in the first place.
Ho apologized for the incident and urged users to download the latest version of his software, which includes the bug fixes.
The cyberattack targeting Notepad++ users is somewhat reminiscent of the 2019-2020 cyberattack that affected customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations, including government departments. Russian government spies hacked into the company’s servers and secretly planted backdoors in its software, giving them access to data on those customers’ networks once the update was rolled out.
The SolarWinds breach affected several government agencies, including the Department of Homeland Security, Department of Commerce, Department of Energy, Department of Justice, and Department of State.
Updated with response from Ho and additional details from Rapid7.