The developer of the popular open source text editor Notepad++ has confirmed that hackers hijacked the software to deliver malicious updates to users over the course of several months in 2025.
In a blog post published Monday, Notepad++ developer Don Ho said that the cyberattack was likely carried out by hackers associated with the Chinese government between June and December 2025, citing multiple analyses by security experts who examined the malware payloads and attack patterns. Ho said this “would explain the highly selective targeting” seen during the campaign.
Rapid7, which investigated the incident, attributed the hacking to Lotus Blossom, a long-running espionage group known to work for China, and said the hacks targeted government, telecom, aviation, critical infrastructure, and media sectors.
Notepad++ is one of the longest-running open source projects, spanning more than two decades, and it counts at least tens of millions of downloads to date, including by employees at organizations around the world.
According to Kevin Beaumont, a security researcher who first discovered the cyberattack and wrote up his findings in December, the hackers compromised a small number of organizations “with interests in East Asia” after someone unwittingly used a tainted version of the popular software. Beaumont said that the hackers were able to gain “hands-on” access to the computers of victims who were running hijacked versions of Notepad++.
Ho said that the “exact technical mechanism” of how the hackers broke into his servers remains under investigation, but provided some details as to how the attack went down.
In the blog, Ho said that Notepad++’s website was hosted on a shared hosting server. The attackers “specifically targeted” Notepad++’s web domain with the goal of exploiting a bug in the software to redirect some users to a malicious server run by the hackers. This allowed the hackers to deliver malicious updates to certain users who had requested a software update, until the bug was fixed in November and the hackers’ access was terminated in early December.
“We do have logs indicating that the bad actor tried to re-exploit one of the fixed vulnerabilities; however, the attempt did not succeed after the fix was implemented,” wrote Ho.
In an email, Ho told TechCrunch that his hosting provider confirmed his shared server was compromised but that the provider did not say how the hackers initially broke in.
Ho apologized for the incident, and urged users to download the most recent version of his software, which contains a fix for the bug.
The cyberattack targeting Notepad++ users is somewhat reminiscent of the 2019-2020 cyberattack affecting customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations, including government departments. Russian government spies hacked into the company’s servers and secretly planted a backdoor in its software, allowing the Russian spies to access data on those customers’ networks once the update had rolled out.
The SolarWinds breach affected several government agencies, including Homeland Security and the Departments of Commerce, Energy, Justice, and State.
Updated with a response from Ho and with additional details from Rapid7.