Notepad++ confirms Chinese government hackers hijacked software updates for months

The developer of Notepad++ has confirmed that hackers hijacked the software to deliver malicious updates to users over the course of several months in 2025. In a blog post published Monday, developer Don Ho said that the cyberattack was likely carried out Ho said this would explain the highly selective targeting seen during the campaign. Rapid7 attributed the hacking to Lotus Blossom, a long-running espionage group known to work for China, and said the hacks targeted government, telecom, aviation, critical infrastructure, and media sectors. Kevin Beaumont, a security researcher who first discovered the cyberattack, said the hackers compromised a small number of organizations with interests in East Asia after someone unwittingly used a tainted version of the software. Beaumont said the hackers were able to gain hands-on access to the computers of victims who were running hijacked versions of Notepad++. Ho said the exact technical mechanism of how the hackers broke into his servers remains under investigation. The attackers specifically targeted Notepad++'s web domain with the goal of exploiting a bug in the software to redirect some users to a malicious server. This allowed the hackers to deliver malicious updates to certain users until the bug was fixed in November and the hackers' access was terminated in early December. Ho said his hosting provider confirmed his shared server was compromised but did not say how the hackers initially broke in. Ho apologized for the incident and urged users to download the most recent version of his software, which contains a fix for the bug. Ho wrote that logs indicate the bad actor tried to re-exploit one of the fixed vulnerabilities, but the attempt did not succeed after the fix was implemented.