The developer of the popular open-source text editor Notepad++ has confirmed that hackers took over the software to deliver malicious updates to users over several months in 2025.
In a blog post published on Monday, Notepad++ developer Don Ho said the cyberattack was likely carried out by hackers associated with the Chinese government between June and December 2025, citing multiple analyses by security experts who looked at malware payloads and attack patterns. Ho said this “would explain the highly selective targeting” seen during the campaign.
Rapid7, which investigated the incident, attributed the hacking to Lotus Blossom, a longtime espionage group known to work for China, and said the hacks targeted government, telecommunications, aviation, critical infrastructure and media sectors.
Notepad++ is one of the longest-running open source projects, spanning more than two decades and counting at least tens of millions of downloads to date, including by employees in organizations around the world.
According to Kevin Beaumont, a security researcher who first discovered the cyberattack and wrote up his findings in December, hackers breached a small number of organizations “with interests in East Asia” after someone unwittingly used an altered version of the popular software. Beaumont said the hackers were able to gain “hands-on” access to victims’ computers running compromised versions of Notepad++.
Ho said the “exact technical mechanism” of how the hackers broke into his servers remains under investigation, but provided some details about how the attack went down.
In the blog post, Ho said that the Notepad++ website was hosted on a shared hosting server. The attackers “specifically targeted” the Notepad++ web domain with the aim of exploiting a bug in the software to redirect some users to a malicious server run by the hackers. This allowed hackers to deliver malicious updates to some users who had requested a software update, until the bug was fixed in November and the hackers’ access was terminated in early December.
“We have logs showing that the bad actor attempted to re-exploit one of the patched vulnerabilities, however, the attempt did not fail after the patch was applied,” Ho wrote.
In an email, Ho told TechCrunch that his hosting provider confirmed that its shared server had been hacked, but that the provider did not say how the hackers initially broke in.
Ho apologized for the incident and urged users to download the latest version of the software, which contains a fix for the bug.
The cyberattack targeting Notepad++ users is somewhat reminiscent of the 2019-2020 cyberattack affecting customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations, including government agencies. Russian government spies hacked into the company’s servers and secretly installed a backdoor in its software, allowing Russian spies to access data on those customers’ networks once the update was released.
The SolarWinds breach affected several government agencies, including Homeland Security and the Departments of Commerce, Energy, Justice and State.
Updated with response from Ho and additional details from Rapid7.
