Notepad++ Update System Hacked in Targeted Cyber-Espionage Attack Linked to China

The developer of the globally popular open-source text editor Notepad++ has confirmed that the software’s update mechanism was compromised in a sophisticated cyberattack. According to TechCrunch, hackers allegedly affiliated with the Chinese government gained control of the update system between June and December 2025 and used it to distribute malware to targeted users.

Notepad++ developer Don Ho stated that the breach was not caused by a vulnerability in the software’s source code. Instead, it occurred due to infrastructure-level weaknesses related to the hosting provider. The attackers intercepted traffic from the official Notepad++ update server and redirected it to malicious servers under their control. As a result, users attempting to download legitimate updates unknowingly downloaded harmful files.

Cybersecurity firm Rapid7, which is investigating the incident, claims the attack was carried out by a China-linked cyber-espionage group known as Lotus Blossom. However, other security researchers have associated the attack with Violet Typhoon (APT31).

Who Was Targeted?

The attack was highly selective and did not affect all users. Hackers primarily targeted organizations in government, telecommunications, aviation, financial services, and critical infrastructure sectors. According to security researcher Kevin Beaumont, organizations with strategic interests in East Asia were particularly impacted.

The malware installed through the compromised updates created a backdoor on infected systems, enabling attackers to remotely control affected computers and steal sensitive data.

Don Ho has publicly apologized to Notepad++ users, acknowledging that the previous shared hosting server lacked sufficient security. He confirmed that the website has since been migrated to a new hosting environment with significantly stronger security practices, and additional safeguards have been implemented to protect the update process.

Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched an investigation to determine whether any U.S. government entities were affected. In response, the Chinese Embassy in Washington rejected the allegations as irresponsible and denied any involvement, stating that China does not engage in hacking activities.

Security experts are urging all Notepad++ users to immediately update to the latest version, 8.8.9 or newer, which addresses the identified security risks.
