Notepad++ says Chinese government hackers have been hijacking its software updates for months


The developer of the popular open source text editor Notepad++ has confirmed that hackers have hijacked the software to deliver malicious updates to users over the course of several months in 2025.

In a blog post published on Monday, Notepad++ developer Don Ho said the cyberattack was likely carried out by hackers linked to the Chinese government between June and December 2025, citing multiple analyses by security experts who examined the malware payloads and attack patterns. This “explains the very selective targeting” seen during the campaign, Ho said.

Rapid7, which investigated the incident, attributed the hack to Lotus Blossom, a long-standing espionage group known to work for China, and said the hacks targeted the government, communications, aviation, critical infrastructure, and media sectors.

Notepad++ is one of the longest-running open source projects, spanning more than two decades, and has had at least tens of millions of downloads to date, including by employees in organizations around the world.

According to Kevin Beaumont, a security researcher who first discovered the cyberattack and wrote up his findings in December, hackers breached a small number of organizations “with interests in East Asia” after someone unwittingly used a tainted version of the popular software. Beaumont said the hackers gained “practical” access to the computers of victims who were running hijacked versions of Notepad++.

Ho said the “exact technical mechanism” of how the hackers broke into his servers was still under investigation, but he provided some details about how the attack occurred.

In the blog, he said that the Notepad++ website was hosted on a shared hosting server. The attackers “specifically” targeted Notepad++’s web domain, exploiting a software bug to redirect some users’ update requests to a malicious server run by the hackers. This allowed the hackers to deliver malicious updates to some users who requested a software update. The bug was fixed in November, and the hackers’ access was terminated in early December.
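The hijack described above worked because the update client trusted wherever the update endpoint sent it. The following is an added example, not Notepad++’s code, of the two checks an update client can apply on its own side: refuse any redirect hop that leaves an allow-list of hosts or downgrades from HTTPS, and verify the downloaded installer against a digest obtained out of band before running it. The hostnames, redirect chains and installer bytes are constructed for illustration and stand in for live HTTP.

```python
"""Added example: an update client that will not follow a redirect off its own
hosts and verifies the installer digest before use.  All hosts, chains and
payloads here are constructed stand-ins, not the real project's endpoints."""
import hashlib
from urllib.parse import urljoin, urlsplit

# Hosts the updater is willing to fetch from (assumed, hypothetical names).
ALLOWED_HOSTS = {"updates.example.org", "cdn.example.org"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def follow_redirects(start_url, responses, max_hops=5):
    """Walk a redirect chain the way an HTTP client would and return the final
    URL.  `responses` maps URL -> (status, headers) and replaces a live
    network.  Each hop is checked BEFORE it is fetched: a non-https scheme,
    a host outside ALLOWED_HOSTS, or an over-long chain raises ValueError.
    A server-side redirect to an attacker host is therefore never followed."""
    url = start_url
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme != "https":
            raise ValueError(f"refusing non-https hop: {url}")
        if parts.hostname not in ALLOWED_HOSTS:
            raise ValueError(f"redirect left the allow-list: {url}")
        status, headers = responses[url]
        if status in REDIRECT_STATUSES:
            # Location may be relative; resolve it against the current URL.
            url = urljoin(url, headers["Location"])
            continue
        return url
    raise ValueError("too many redirects")


def chain_is_safe(start_url, responses):
    """Boolean wrapper: True if the chain ends on an allowed https host."""
    try:
        follow_redirects(start_url, responses)
        return True
    except ValueError:
        return False


def verify_installer(data, expected_sha256):
    """Compare downloaded bytes against a digest obtained out of band
    (release notes, a signed manifest); transport alone proves nothing."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


# Constructed chains.  GOOD: update check hands off to the project's CDN.
GOOD_CHAIN = {
    "https://updates.example.org/check": (302, {"Location": "https://cdn.example.org/installer.exe"}),
    "https://cdn.example.org/installer.exe": (200, {}),
}
# HIJACKED: the compromised update endpoint points at an attacker host,
# the pattern the article describes.
HIJACKED_CHAIN = {
    "https://updates.example.org/check": (302, {"Location": "https://attacker.example.net/installer.exe"}),
    "https://attacker.example.net/installer.exe": (200, {}),
}
# DOWNGRADE: same host, but the redirect drops to plain http.
DOWNGRADE_CHAIN = {
    "https://updates.example.org/check": (302, {"Location": "http://cdn.example.org/installer.exe"}),
    "http://cdn.example.org/installer.exe": (200, {}),
}

# Constructed installer bytes and the digest a release page would publish.
SAMPLE_INSTALLER = b"MZ\x90\x00constructed-installer-bytes"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("hijacked", HIJACKED_CHAIN), ("downgrade", DOWNGRADE_CHAIN)):
        print(name, "safe" if chain_is_safe("https://updates.example.org/check", chain) else "REJECTED")
    print("digest ok:", verify_installer(SAMPLE_INSTALLER, SAMPLE_DIGEST))
```

The host check runs before each fetch, not after, so a malicious Location header is rejected without ever contacting the attacker’s server. The digest check is the second line of defence: if the origin itself is compromised, as it was here, only a digest or signature published through a separate channel tells the client that the bytes it received are the ones the developer released.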

“We have records indicating that the bad actor attempted to re-exploit one of the fixed vulnerabilities; however, the attempt was unsuccessful after the fix was implemented,” he wrote.

In an email, Ho told TechCrunch that his hosting provider confirmed that its shared server had been compromised, but he did not say how the hackers had initially compromised it.

He apologized for the incident and urged users to download the latest version of the software, which contains the bug fix.

The cyberattack targeting Notepad++ users is somewhat reminiscent of the 2019-2020 cyberattack that affected customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations, including government departments. Russian government spies hacked the company’s servers and secretly planted a backdoor in its software, allowing them to access data on those customers’ networks once the tainted update was rolled out.

The SolarWinds hack affected multiple government agencies, including the Department of Homeland Security and the Departments of Commerce, Energy, Justice, and State.

Updated with a response from Ho and with additional details from Rapid7.
