Notepad++ Compromised: Chinese Hackers Hijack Software Updates in Prolonged Cyberattack
In a significant cybersecurity breach, the widely used open-source text editor Notepad++ was infiltrated by hackers linked to the Chinese government, who manipulated software updates to distribute malicious code over several months in 2025.
Don Ho, the creator of Notepad++, disclosed in a recent blog post that the cyberattack occurred between June and December 2025. Analyses by security experts revealed that the attack patterns and malware payloads were consistent with tactics employed by state-sponsored Chinese hackers. Ho noted that this alignment would explain the highly selective targeting observed during the campaign.
Cybersecurity firm Rapid7 investigated the incident and attributed the breach to Lotus Blossom, an espionage group known to operate on behalf of China. The group’s activities primarily targeted sectors such as government, telecommunications, aviation, critical infrastructure, and media.
Notepad++, a project with over two decades of history and tens of millions of downloads worldwide, is a staple tool for many organizations. Security researcher Kevin Beaumont, who first identified the cyberattack in December, reported that the hackers compromised a limited number of organizations with interests in East Asia. These breaches occurred when individuals unknowingly installed a tainted version of Notepad++, granting the attackers direct access to the victims’ computers.
The exact method by which the hackers infiltrated Notepad++’s servers is still under investigation. However, Ho provided some insights into the attack’s execution. He explained that Notepad++’s website was hosted on a shared server, which the attackers specifically targeted. By exploiting a vulnerability in the software, they redirected certain users to a malicious server under their control. This redirection enabled the delivery of harmful updates to users who requested software updates. The vulnerability was addressed in November, and by early December, the hackers’ access was terminated.
Ho mentioned that logs indicated attempts by the attackers to re-exploit the fixed vulnerabilities, but these efforts were unsuccessful post-fix. He also stated that the hosting provider confirmed the shared server’s compromise but did not specify the initial breach method.
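The redirect-based update hijack described above is the failure mode a client-side updater should refuse by design. The following is an added example, not Notepad++ code: it models an updater that follows HTTP redirects only to pinned hosts and installs only a payload whose SHA-256 matches a hash published out-of-band. Host names, installer bytes and the offline transport are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
# Hypothetical host names: the article names none, so these are constructed.
TRUSTED_HOSTS = {"updates.example-editor.invalid"}

@dataclass
class Response:
    redirect_to: Optional[str]  # host of an HTTP redirect, or None for a final answer
    body: bytes                 # installer bytes (empty when redirecting)

def download_update(start_host: str, fetch: Callable[[str], Response],
                    max_hops: int = 3) -> bytes:
    """Follow redirects, but refuse any hop to a host that is not pinned."""
    host = start_host
    for _ in range(max_hops):
        if host not in TRUSTED_HOSTS:
            raise ValueError(f"refusing untrusted update host: {host}")
        resp = fetch(host)
        if resp.redirect_to is None:
            return resp.body
        host = resp.redirect_to
    raise ValueError("too many redirects")

def safe_update(start_host: str, fetch: Callable[[str], Response],
                expected_sha256: str) -> Tuple[str, str]:
    """("ok", digest) only if the payload came via pinned hosts and matches the
    hash published out-of-band; otherwise ("refused", reason)."""
    try:
        payload = download_update(start_host, fetch)
    except ValueError as exc:
        return ("refused", str(exc))
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        return ("refused", "update hash mismatch; not installing")
    return ("ok", digest)

def transport(table: Dict[str, Response]) -> Callable[[str], Response]:
    """Offline stand-in for HTTP: each host returns a canned response."""
    return lambda host: table[host]
# Constructed sample installers standing in for real builds.
GOOD_BUILD = b"constructed legitimate installer bytes"
GOOD_SHA256 = hashlib.sha256(GOOD_BUILD).hexdigest()
TAMPERED_BUILD = b"constructed tampered installer bytes"
# Scenario from the article: the legitimate host redirects to an attacker server.
HIJACKED = transport({"updates.example-editor.invalid": Response("attacker.example.invalid", b""),
                      "attacker.example.invalid": Response(None, TAMPERED_BUILD)})
# Variant: tampered bytes served from the trusted host itself; the hash check catches it.
TAMPERED_AT_SOURCE = transport({"updates.example-editor.invalid": Response(None, TAMPERED_BUILD)})
HEALTHY = transport({"updates.example-editor.invalid": Response(None, GOOD_BUILD)})
```

The host pin stops the redirect scenario before any bytes are fetched, and the hash comparison stops a tampered build even when it is served from the legitimate host.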
Expressing regret over the incident, Ho urged users to download the latest version of Notepad++, which includes a fix for the vulnerability.
This cyberattack bears similarities to the 2019-2020 SolarWinds breach, where Russian government operatives infiltrated the company’s servers and embedded a backdoor in its software. This backdoor allowed unauthorized access to data on customers’ networks once the compromised update was deployed. The SolarWinds incident affected multiple U.S. government agencies, including the Departments of Homeland Security, Commerce, Energy, Justice, and State.