Notepad++, a widely used open-source code editor, had its update delivery path subverted by a Chinese-linked cyberespionage group that installed a custom backdoor and additional malware on targeted systems, the program's lead developer and independent security researchers said.
Don Ho, the France-based maintainer of Notepad++, published a blog post on Monday outlining the incident and said the attackers began targeting the update process for certain users in June 2025. Ho said the threat actors retained access to the hosting server used to deliver Notepad++ updates through September 2, 2025, and that credentials for some hosting services remained valid until December 2, 2025.
Ho noted he did not have visibility into how many malicious updates were downloaded and that it remained unclear which Notepad++ users were targeted or the total number affected. In email correspondence, he emphasized that the attack appeared to be highly selective - not all users within the compromise window received tampered updates - suggesting deliberate targeting rather than broad distribution.
A spokesperson for the Cybersecurity and Infrastructure Security Agency said the agency "is aware of the reported compromise and is investigating possible exposure across the United States Government (USG)."
Ho's post also included a statement from his hosting provider indicating the server that distributed updates "could have been compromised," and that the attackers specifically targeted the domain associated with Notepad++. Internet registration records show that the domain was hosted by Lithuanian provider Hostinger until January 21, a detail Ho confirmed in email communications.
Hostinger acknowledged the incident in a statement, saying that "a bad actor performed a supply chain attack, during which traffic to the URL of the update file was redirected." The company said it is cooperating with Notepad++ and sharing incident-related information, and that it had published a blog detailing what it could disclose.
Security firm Rapid7 attributed the campaign to a Chinese-linked espionage actor tracked as Lotus Blossom in a blog post published on Monday. Rapid7 noted that Lotus Blossom has been active since 2009 and has previously targeted government entities, telecommunications firms, aviation organizations, critical infrastructure operators and media outlets across Southeast Asia and, more recently, Central America.
In response to the attribution, a spokesperson for the Chinese Embassy in Washington issued a statement asserting that "China opposes and fights all forms of hacking in accordance with the law. We do not encourage, support or connive at cyber attacks. We reject the relevant parties' irresponsible assertion that the Chinese government sponsored hacking activity when it had not presented any factual evidence."
Analysis by the security researchers and the developer indicated the attackers used their access to implant a custom backdoor capable of granting interactive control of compromised machines. That level of access could provide a foothold to exfiltrate data and pivot to other systems on a victim network, according to the technical assessments.
Independent researcher Kevin Beaumont wrote in a December 2, 2025 blog post that he was aware of three organizations with interests in East Asia that experienced security incidents potentially linked to the Notepad++ compromise.
The incident highlights the vulnerability of software update mechanisms when hosting services or domains are targeted, and underscores the challenges developers face in detecting selective supply-chain intrusions when malicious updates are not widely distributed. Details remain limited on the full scope of impact and on which end users received compromised updates during the stated compromise window.
What happened
Attackers hijacked the update process for Notepad++, installed a custom backdoor and other malware on targeted systems, and retained access to the update hosting server until September 2, 2025, with some credentials active until December 2, 2025.
Who has weighed in
- Don Ho, Notepad++ developer - disclosed the incident and provided hosting-provider communications.
- Hostinger - said traffic to the update URL was redirected by a bad actor and is collaborating with Notepad++.
- Rapid7 - attributed the campaign to Lotus Blossom, a group active since 2009 with a history of regional targeting.
- CISA - is investigating potential exposure across the US Government.
- Chinese Embassy in Washington - denied state involvement and rejected the attribution without what it called factual evidence.
Outstanding questions
- Which specific Notepad++ users were targeted and how many downloads of malicious updates occurred remain unknown.
- The full operational scope of the attackers' access to hosting services beyond the disclosed dates has not been detailed.