Notepad++ Reports Chinese Hackers Hijacked Software Updates for Months
The open-source text editor Notepad++ has confirmed a significant cyberattack in which hackers delivered malicious updates to users for several months. The breach occurred in 2025, and indications point to Chinese state-sponsored hackers as responsible.
Details of the Cyberattack on Notepad++
In a blog post, Notepad++ developer Don Ho detailed the timeline and nature of the attack. It lasted from June to December 2025. Security experts analyzed the malware payloads and the attack’s patterns, linking the hacking efforts to a group known as Lotus Blossom, which has connections to the Chinese government.
Targeted Sectors and Methodology
- Government agencies
- Telecommunications
- Aviation
- Critical infrastructure
- Media sectors
The attack’s targeting was described as precise, aimed at organizations involved in East Asia. Security researcher Kevin Beaumont was the first to uncover the breach, in which hackers gained access through a compromised version of Notepad++ used by a limited number of users.
Technical Aspects of the Attack
Ho noted that the specific technical details of how the hackers infiltrated the Notepad++ servers are still under investigation. However, he explained that the Notepad++ website operated on a shared hosting server and that attackers exploited a vulnerability to redirect users to a malicious server. This redirection allowed the unauthorized delivery of malicious updates until the vulnerability was fixed in November 2025.
Once the bug was patched, the hackers attempted to regain access but were unsuccessful. Ho clarified that logs showed attempts to exploit the previously fixed vulnerability.
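As an added illustration (not code from Notepad++ or from Ho's post), the sketch below shows two client-side checks that limit what a redirected update channel can deliver: an exact-match allowlist on the download host, and a digest comparison against a value obtained out of band. The response format, element names, hosts and sample data are all constructed assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: the only host this updater may download installers from.
ALLOWED_HOSTS = {"downloads.example.org"}

def check_update_response(xml_text, allowed_hosts=ALLOWED_HOSTS):
    """Validate the download location before fetching. Returns (ok, reason)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "malformed response"
    url = (root.findtext("location") or "").strip()
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed download URL"
    if parts.scheme != "https":
        return False, "download URL is not https"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:  # exact match, no suffix or substring tests
        return False, "unexpected download host: " + host
    return True, "ok"

def verify_installer(data, expected_sha256):
    """Compare downloaded bytes with a digest obtained out of band."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())

# Constructed sample responses (hypothetical format and hosts).
GOOD = "<update><version>1.2.3</version><location>https://downloads.example.org/app-1.2.3.exe</location></update>"
LOOKALIKE = "<update><version>1.2.3</version><location>https://downloads.example.org.cdn.example.net/app-1.2.3.exe</location></update>"
PLAINTEXT = "<update><version>1.2.3</version><location>http://203.0.113.7/app-1.2.3.exe</location></update>"
SAMPLE_INSTALLER = b"constructed installer bytes"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()

if __name__ == "__main__":
    for name, resp in (("good", GOOD), ("lookalike", LOOKALIKE), ("plaintext", PLAINTEXT)):
        print(name, check_update_response(resp))
    print("digest ok:", verify_installer(SAMPLE_INSTALLER, SAMPLE_DIGEST))
    print("tampered ok:", verify_installer(SAMPLE_INSTALLER + b"!", SAMPLE_DIGEST))
```

The host check alone does not help when the legitimate host itself serves the altered file, which is why the digest (or a code-signing check) has to come from a channel the web server does not control.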
Response and User Precautions
In response to the incident, Don Ho acknowledged the breach and urged users to update to the latest version of Notepad++, which has patched the vulnerabilities exploited during the attack. This cyber incident bears some resemblance to the SolarWinds attack from 2019-2020, which involved Russian hackers compromising software updates to gain access to numerous government networks.
Users of Notepad++ are advised to remain vigilant and ensure they are using the most recent software version to mitigate potential risks. The incident serves as a reminder of the vulnerabilities within widely used software and the importance of maintaining security measures.