On Monday, February 2nd, the developer of the popular open-source text editor Notepad++ confirmed that hackers affiliated with the Chinese government hijacked the editor's update mechanism and pushed malicious updates to selected users for several months in 2025.
Notepad++ developer Don Ho wrote in a blog post published on Monday that the attack was most likely carried out by hackers associated with the Chinese government between June and December of 2025, citing analyses of the malicious payloads and of the attack patterns by several security researchers. A state-backed operator, Ho noted, “can explain the high selectivity of targets in this attack activity.”
According to the blog post, the “malicious actors” began tampering with the update process for “specific users” in June 2025. Ho said the attackers had access to the hosting servers used to deliver Notepad++ updates until September 2, 2025, and retained credentials for some hosting services until December 2, 2025.
Notepad++ users are advised to upgrade immediately to version 8.9.1 or later, which closes the weaknesses the attackers exploited and blocks the attack vectors they used.
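For anyone responsible for a fleet of Windows hosts, the practical follow-up to that advice is to find out which machines still run an older build. The PowerShell below is an added example written for this page; it is not code from the article or from the Notepad++ project. It reads the version stamped into the installed notepad++.exe, compares it against 8.9.1, and reports the Authenticode signature status of both the editor and its updater. The install locations and the updater path (updater\GUP.exe) are assumptions about a standard install; portable copies may live elsewhere, and the expected signer subject is something you should confirm against a known-good copy rather than take from this snippet.

```powershell
# Added example, not from the article or the Notepad++ project.
# Reports the installed Notepad++ version against the advised minimum and
# the Authenticode signature status of the editor and its updater.

$MinimumVersion = [version]'8.9.1'

# Assumed standard install roots; portable installs will not be found here.
$Roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    (Join-Path $env:LOCALAPPDATA 'Programs')
) | Where-Object { $_ }

$Candidates = foreach ($Root in $Roots) { Join-Path $Root 'Notepad++\notepad++.exe' }
$Candidates = @($Candidates | Where-Object { Test-Path $_ })

if ($Candidates.Count -eq 0) {
    Write-Output 'Notepad++ not found in the expected install locations.'
    return
}

foreach ($Exe in $Candidates) {
    $Info = (Get-Item $Exe).VersionInfo
    # Build a comparable version from the numeric parts rather than parsing the
    # free-form FileVersion string.
    $Installed = [version]("{0}.{1}.{2}" -f $Info.FileMajorPart, $Info.FileMinorPart, $Info.FileBuildPart)

    # The updater (WinGUp) is what fetches and runs new releases; check it too.
    # Its relative path is an assumption about a standard install.
    $Updater = Join-Path (Split-Path $Exe) 'updater\GUP.exe'

    $EditorSig  = Get-AuthenticodeSignature -FilePath $Exe
    $UpdaterSig = if (Test-Path $Updater) { Get-AuthenticodeSignature -FilePath $Updater } else { $null }

    [pscustomobject]@{
        Path             = $Exe
        InstalledVersion = $Installed
        MeetsMinimum     = ($Installed -ge $MinimumVersion)
        EditorSignature  = $EditorSig.Status
        EditorSigner     = $EditorSig.SignerCertificate.Subject
        UpdaterFound     = [bool]$UpdaterSig
        UpdaterSignature = if ($UpdaterSig) { $UpdaterSig.Status } else { 'missing' }
        UpdaterSigner    = if ($UpdaterSig) { $UpdaterSig.SignerCertificate.Subject } else { $null }
    }
}
```

Run it locally, or wrap it in Invoke-Command to sweep remote hosts. Any row where MeetsMinimum is False, or where either signature status is not Valid, is a host to pull for a closer look; a signed binary is not proof of a clean machine, but an unsigned or wrongly signed editor or updater on a box that should have been updating from the official servers is exactly the kind of anomaly this incident calls for checking.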
Notepad++ is one of the longest-running open-source projects, maintained for more than twenty years, and its downloads run into the tens of millions, with users that include employees of organizations worldwide.
It is currently unclear which Notepad++ users were targeted in the attack, or how many were affected.
Rapid7, which investigated the incident, attributes the attack to Lotus Blossom, an espionage group that has long operated on behalf of the Chinese Communist Party. Rapid7 noted that the group has been active since 2009, primarily targeting governments, telecommunications, aviation, critical infrastructure, and media organizations in Southeast Asia, with its recent focus shifting toward Central America.
According to Reuters, a spokesperson for the US Cybersecurity and Infrastructure Security Agency (CISA) said the agency “is aware of this security vulnerability report and is investigating potential impact to the US government (USG).”
Ho’s blog post included a message from his hosting provider stating that the server used to push updates to users “may have been compromised,” with the attackers specifically targeting domains related to Notepad++.
Analysis indicates that the group used that access to plant a custom backdoor on targeted machines, giving them interactive control of infected computers from which to steal data and pivot to other systems.
Cybersecurity researcher Kevin Beaumont wrote in a blog post on December 2, 2025, that three organizations with interests in East Asia had experienced security incidents possibly linked to Notepad++.
The Notepad++ incident recalls the 2020 SolarWinds breach that shook the cybersecurity world. In that case, Russian intelligence infiltrated the company’s build systems and inserted a backdoor into software updates pushed to Fortune 500 customers and government agencies. The backdoored updates gave the attackers a foothold in networks at the US Departments of Homeland Security, Commerce, Energy, Justice, and State, exposing the catastrophic reach of a supply chain attack.
There are key differences between the two incidents, however. SolarWinds is a commercial vendor with enterprise customers and contractual security obligations. Notepad++ is an open-source project maintained largely by a single developer. That resource gap points to an increasingly serious problem: critical development tools relied on by millions of users often lack the security infrastructure that commercial software is expected to have.
