Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

The developer of the popular open source Notepad++ has confirmed that hackers hacked the program to deliver malicious updates to users over a few months in 2025.
In a blog post published on Monday, Notepad++ developer Don Ho said that the cyberattack may have been carried out by hackers who cooperated with the Chinese government between June and December 2025, citing several analyses by security experts who examined the payment methods of the malware and the nature of the attacks. Ho said that this would “explain the overwhelming selection” seen during the campaign.
Rapid7, which investigated what had happened, said the hack was carried out by Lotus Blossom, an espionage group known to operate in China, and said the attacks targeted governments, telecoms, airlines, infrastructure, and the media.
Notepad++ is one of the longest-running open source projects, spanning more than two decades, and has at least tens of millions of downloads to date, including by employees of organizations around the world.
According to Kevin Beaumont, a security researcher who first found out about the cyberattack and documented his findings in December, hackers compromised a few organizations “with interests in East Asia” after someone unknowingly ran a malicious program on popular software. Beaumont said hackers were able to gain “hands-on” access to the computers of victims who were using a version of Notepad++.
Ho said the “exact mechanics” of how the hackers got into his servers would be investigated, but he gave no details on how the attack went down.
In the blog, Ho said that the Notepad++ page was hosted on a shared server. The attackers “inspect” the Notepad++ website with the intention of exploiting a bug in the program to send other users to a malicious server run by the hackers. This led to hackers issuing malicious updates to some users who requested to update the app, until the bug was fixed in November and the hackers' access was terminated in early December.
“We have logs showing that the malicious actor attempted to reuse one of the fixed vulnerabilities; however, the attempt failed after the fix was implemented,” Ho wrote.
In an email, Ho told TechCrunch that his provider had confirmed that his shared server had been compromised but the provider did not say how the hackers gained access.
Ho apologized for the incident, and encouraged users to download the latest version of his program, which contains a fix for the bug.
Cyberattacks targeting Notepad++ users are reminiscent of the 2019-2020 cyberattack affecting customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations, including government departments. Russian government spies got into the company’s servers and secretly planted a backdoor in its software, allowing Russian spies to gain access to data on those customers’ networks when the updates were released.
The SolarWinds breach affected several government agencies, including Homeland Security and the Departments of Commerce, Energy, Justice, and State.
Updated with an answer from Ho and more from Rapid7.