{"id":220454,"date":"2026-02-02T18:09:34","date_gmt":"2026-02-02T18:09:34","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2026\/02\/02\/notepad-says-chinese-government-hackers-hijacked-its-software-updates-for-months-techcrunch\/"},"modified":"2026-02-02T18:09:34","modified_gmt":"2026-02-02T18:09:34","slug":"notepad-says-chinese-government-hackers-hijacked-its-software-updates-for-months-techcrunch","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2026\/02\/02\/notepad-says-chinese-government-hackers-hijacked-its-software-updates-for-months-techcrunch\/","title":{"rendered":"Notepad++ says Chinese government hackers hijacked its software updates for months | TechCrunch"},"content":{"rendered":"<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">The developer of the popular open source text editor Notepad++ has confirmed that hackers hijacked the software to deliver malicious updates to users over the course of several months in 2025.<\/p>\n<p class=\"wp-block-paragraph\">In a <a href=\"https:\/\/notepad-plus-plus.org\/news\/hijacked-incident-info-update\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">blog post<\/a> published Monday, Notepad++ developer Don Ho said that the cyberattack was likely carried out by hackers associated with the Chinese government between June and December 2025, citing multiple analyses by security experts who examined the malware payloads and attack patterns. 
Ho said this \u201cwould explain the highly selective targeting\u201d seen during the campaign.<\/p>\n<p class=\"wp-block-paragraph\">Rapid7, which <a rel=\"nofollow noopener\" href=\"https:\/\/www.rapid7.com\/blog\/post\/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit\/\" target=\"_blank\">investigated the incident<\/a>, attributed the hacking to Lotus Blossom, a long-running espionage group known to work for China, and said the hacks targeted government, telecom, aviation, critical infrastructure, and media sectors.<\/p>\n<p class=\"wp-block-paragraph\">Notepad++ is one of the longest-running open source projects, spanning more than two decades, and it counts at least tens of millions of downloads to date, including by employees at organizations around the world.<\/p>\n<p class=\"wp-block-paragraph\">According to Kevin Beaumont, a security researcher who <a href=\"https:\/\/doublepulsar.com\/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">first discovered the cyberattack and wrote up his findings<\/a> in December, the hackers compromised a small number of organizations \u201cwith interests in East Asia\u201d after someone unwittingly used a tainted version of the popular software. Beaumont said that the hackers were able to gain \u201chands-on\u201d access to the computers of victims who were running hijacked versions of Notepad++.<\/p>\n<p class=\"wp-block-paragraph\">Ho said that the \u201cexact technical mechanism\u201d of how the hackers broke into his servers remains under investigation, but provided some details as to how the attack went down.<\/p>\n<p class=\"wp-block-paragraph\">In the blog, Ho said that Notepad++\u2019s website was hosted on a shared hosting server. 
The attackers \u201cspecifically targeted\u201d Notepad++\u2019s web domain with the goal of exploiting a bug in the software to redirect some users to a malicious server run by the hackers. This allowed the hackers to deliver malicious updates to certain users who had requested a software update, until the <a href=\"https:\/\/notepad-plus-plus.org\/news\/v889-released\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">bug was fixed in November<\/a> and the hackers\u2019 access was terminated in early December.<\/p>\n<p class=\"wp-block-paragraph\">\u201cWe do have logs indicating that the bad actor tried to re-exploit one of the fixed vulnerabilities; however, the attempt did not succeed after the fix was implemented,\u201d wrote Ho.<\/p>\n<p class=\"wp-block-paragraph\">In an email, Ho told TechCrunch that his hosting provider confirmed his shared server was compromised but that the provider did not say how the hackers initially broke in.<\/p>\n<p class=\"wp-block-paragraph\">Ho apologized for the incident, and urged users to download the <a href=\"https:\/\/notepad-plus-plus.org\/downloads\/v8.9.1\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">most recent version<\/a> of his software, which contains a fix for the bug.<\/p>\n<p class=\"wp-block-paragraph\">The cyberattack targeting Notepad++ users is somewhat reminiscent of the 2019-2020 cyberattack affecting customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations, including government departments. 
Russian government spies <a href=\"https:\/\/techcrunch.com\/2021\/02\/23\/solarwinds-hackers-targeted-nasa-federal-aviation-administration-networks\/\" target=\"_blank\" rel=\"noopener\">hacked into the company\u2019s servers<\/a> and secretly planted a backdoor in its software, allowing the Russian spies to access data on those customers\u2019 networks once the update had rolled out.<\/p>\n<p class=\"wp-block-paragraph\">The SolarWinds breach affected several government agencies, including Homeland Security and the Departments of Commerce, Energy, Justice, and State.<\/p>\n<p class=\"wp-block-paragraph\"><em>Updated with a response from Ho and with additional details from Rapid7.<\/em><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/techcrunch.com\/2026\/02\/02\/notepad-says-chinese-government-hackers-hijacked-its-software-updates-for-months\/\" target=\"_blank\" rel=\"noopener\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The developer of the popular open source text editor Notepad++ has confirmed that hackers hijacked the software to deliver malicious updates to users over the course of several months in 2025. 
In a blog post published Monday, Notepad++ developer Don Ho said that the cyberattack was likely carried out by hackers associated with the Chinese [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":220455,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-220454","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/220454","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=220454"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/220454\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/220455"}],"wp:attachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=220454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=220454"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=220454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}