The developer of Notepad++, a popular open-source text editor, confirmed that hackers took over the software in 2025 and distributed malicious updates to users over several months.
In a blog post published on Monday, Notepad++ developer Don Ho said the cyberattack was likely carried out by Chinese government-affiliated hackers between June and December 2025, citing multiple analyses by security experts who examined the malware’s payload and attack pattern. Ho said this “would explain the very selective targeting” seen during the campaign.
Rapid7, which investigated the incident, attributed the hack to Lotus Blossom, a long-running spy group known for working on behalf of China, and said it targeted the government, communications, aviation, critical infrastructure and media sectors.
Notepad++ is one of the longest-running open source projects, spanning more than 20 years, and has been downloaded at least tens of millions of times, including by employees of organizations around the world.
After someone unknowingly used a contaminated version of the popular software, the hackers compromised a small number of organizations with “interests in East Asia,” said Kevin Beaumont, a security researcher who first discovered the cyberattack and compiled the findings in December. Beaumont said the hackers had “direct” access to the victim’s computer, which was running a hijacked version of Notepad++.
Ho said the “exact technical mechanism” of how the hackers infiltrated the server was still being investigated, but provided some details about how the attack ended.
Ho said in his blog that the Notepad++ website is hosted on a shared hosting server. The attackers “specifically targeted” the Notepad++ web domain with the aim of exploiting a bug in the software to redirect some users to a malicious server run by the hackers. This allowed the hackers to distribute malicious updates to specific users who requested software updates, until the bug was fixed in November and the hackers’ access was suspended in early December.
“We have logs showing that the attacker attempted to re-exploit one of the fixed vulnerabilities, but the attempt was not successful after the fix was implemented,” Ho wrote.
Ho told TechCrunch in an email that the hosting provider confirmed that the shared server was compromised, but the provider did not say how the hackers got in in the first place.
Ho apologized for the incident and urged users to download the latest version of the software, which includes bug fixes.
The cyberattack targeting Notepad++ users is somewhat reminiscent of the 2019-2020 cyberattack that affected customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations, including government departments. Russian government spies hacked into the company’s servers and secretly planted backdoors in its software, giving them access to data on those customers’ networks once the update was rolled out.
The SolarWinds breach affected several government agencies, including the Department of Homeland Security, Department of Commerce, Department of Energy, Department of Justice, and Department of State.
Updated with response from Ho and additional details from Rapid7.
