Notepad++ developer Don Ho confirmed that hackers hijacked the software’s update mechanism for several months in 2025. The attack occurred between June and December 2025, and Ho attributed it to hackers associated with the Chinese government. He cited analyses by security experts who examined malware payloads and attack patterns, noting that this explained the highly selective targeting during the campaign.

Rapid7 investigated the incident and identified the threat actors as Lotus Blossom, a long-running espionage group linked to China. The group targets government, telecom, aviation, critical infrastructure, and media sectors. Notepad++ is a popular open-source text editor with more than two decades of history and tens of millions of downloads worldwide, many of them on workstations inside organizations.

Security researcher Kevin Beaumont first discovered the cyberattack in December 2025. He reported that hackers compromised a small number of organizations with interests in East Asia after users installed a tainted version of the software. Beaumont stated that the attackers gained “hands-on” access to victims’ computers running the hijacked Notepad++ updates.

Ho detailed the attack mechanism in a blog post published on Monday. Notepad++’s website was hosted on a shared server. Attackers specifically targeted the web domain, exploiting a software bug to redirect some users to a malicious server controlled by the hackers. This enabled delivery of malicious updates to users requesting software updates. The redirection continued until Ho fixed the bug in November 2025, terminating the hackers’ access in early December 2025.
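The failure mode described above (a server-side redirect that hands update requests to a host the attacker controls) is what update-client integrity checks exist to stop. The following Go program is an added illustration written for this page, not Notepad++'s own updater or any code from the project; the article does not describe what checks Notepad++ actually performs. It assumes a hypothetical updater that ships a pinned Ed25519 public key, downloads only from a pinned HTTPS host, and verifies a signed release manifest plus the SHA-256 of the payload. All keys, hostnames and installer bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is the metadata a hypothetical update server publishes for a release.
// The format is constructed for this example.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex-encoded SHA-256 of the installer
}

// CheckUpdateURL refuses any download location that is not HTTPS on the pinned
// host, so a redirect to a different server cannot be followed silently.
func CheckUpdateURL(raw, pinnedHost string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("update URL must use https, got %q", u.Scheme)
	}
	if u.Hostname() != pinnedHost {
		return fmt.Errorf("update host %q is not the pinned host %q", u.Hostname(), pinnedHost)
	}
	return nil
}

// VerifyUpdate checks the manifest signature against the key embedded in the
// client, then checks that the downloaded payload matches the manifest hash.
// A payload swapped in transit, or a manifest signed by anyone else, fails here.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, payload []byte) (string, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return "", errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return "", err
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return "", err
	}
	got := sha256.Sum256(payload)
	if !bytes.Equal(got[:], want) {
		return "", fmt.Errorf("payload hash mismatch for version %s", m.Version)
	}
	return m.Version, nil
}

// Scenario replays three cases with constructed data: the genuine release,
// a payload replaced by a redirect, and a manifest forged with the attacker's
// own key. It also checks that a redirect to a foreign host is refused.
func Scenario() (legitOK, swappedPayloadOK, forgedManifestOK, redirectAllowed bool) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed, not a real key
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	legit := []byte("legitimate installer bytes (constructed)")
	h := sha256.Sum256(legit)
	manifest, _ := json.Marshal(Manifest{Version: "1.2.3", SHA256: hex.EncodeToString(h[:])})
	sig := ed25519.Sign(priv, manifest)

	_, err := VerifyUpdate(pub, manifest, sig, legit)
	legitOK = err == nil

	malicious := []byte("malicious installer bytes (constructed)")
	_, err = VerifyUpdate(pub, manifest, sig, malicious)
	swappedPayloadOK = err == nil

	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	mh := sha256.Sum256(malicious)
	forged, _ := json.Marshal(Manifest{Version: "1.2.4", SHA256: hex.EncodeToString(mh[:])})
	_, err = VerifyUpdate(pub, forged, ed25519.Sign(attackerPriv, forged), malicious)
	forgedManifestOK = err == nil

	// Hostnames are constructed placeholders, not the project's real infrastructure.
	redirectAllowed = CheckUpdateURL("https://updates.attacker.example/installer.exe", "updates.example.org") == nil
	return
}

func main() {
	legit, swapped, forged, redirect := Scenario()
	fmt.Printf("genuine release accepted: %v\n", legit)
	fmt.Printf("swapped payload accepted: %v\n", swapped)
	fmt.Printf("forged manifest accepted: %v\n", forged)
	fmt.Printf("redirect to foreign host followed: %v\n", redirect)
}
```

The two checks are independent on purpose: host pinning limits where the client will fetch from, and the signed manifest means that even a compromised or redirected download host cannot produce an installer the client will run without the private signing key. A client that only compares a hash fetched from the same server it downloads from gains nothing once that server is redirected.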

Ho shared logs showing the attackers attempted to re-exploit the fixed vulnerability, but the efforts failed after the patch. In an email to TechCrunch, Ho said his hosting provider confirmed the shared server was compromised but did not disclose how the initial breach occurred.

Ho apologized for the incident and urged users to download the latest version of Notepad++, which includes the bug fix.

The Notepad++ cyberattack resembles the 2019-2020 SolarWinds breach. Russian government spies hacked SolarWinds’ servers and planted a backdoor in software updates for IT and network management tools used by Fortune 500 organizations, including U.S. government departments. The compromise affected agencies such as Homeland Security and the Departments of Commerce, Energy, Justice, and State. Once customers installed the tainted updates, the backdoor allowed Russian spies access to networks.
