The developer of the favored open supply textual content editor Notepad++ has confirmed that hackers hijacked the software program to ship malicious updates to customers over the course of a number of months in 2025.
In a blog post revealed Monday, Notepad++ developer Don Ho stated that the cyberattack was seemingly carried out by hackers related to the Chinese language authorities between June and December 2025, citing a number of analyses by safety specialists who examined the malware payloads and assault patterns. Ho stated this “would clarify the extremely selective focusing on” seen through the marketing campaign.
Rapid7, which investigated the incident, attributed the hacking to Lotus Blossom, a long-running espionage group recognized to work for China, and stated the hacks focused authorities, telecom, aviation, essential infrastructure, and media sectors.
Notepad++ is likely one of the longest-running open supply initiatives, spanning greater than 20 years, and it counts a minimum of tens of thousands and thousands of downloads up to now, together with by workers at organizations around the globe.
Based on Kevin Beaumont, a safety researcher who first discovered the cyberattack and wrote up his findings in December, the hackers compromised a small variety of organizations “with pursuits in East Asia” after somebody unwittingly used a tainted model of the favored software program. Beaumont stated that the hackers have been in a position to acquire “hands-on” entry to the computer systems of victims who have been operating hijacked variations of Notepad++.
Ho stated that the “actual technical mechanism” of how the hackers broke into his servers stays underneath investigation, however supplied some particulars as to how the assault went down.
Within the weblog, Ho stated that Notepad++’s web site was hosted on a shared internet hosting server. The attackers “particularly focused” Notepad++’s internet area with the purpose of exploiting a bug within the software program to redirect some customers to a malicious server run by the hackers. This allowed the hackers to ship malicious updates to sure customers who had requested a software program replace, till the bug was fixed in November and the hackers’ entry was terminated in early December.
“We do have logs indicating that the dangerous actor tried to re-exploit one of many mounted vulnerabilities; nonetheless, the try didn’t succeed after the repair was applied,” wrote Ho.
In an e-mail, Ho advised TechCrunch that his internet hosting supplier confirmed his shared server was compromised however that the supplier didn’t say how the hackers initially broke in.
Ho apologized for the incident, and urged customers to obtain the most recent version of his software program, which accommodates a repair for the bug.
The cyberattack focusing on Notepad++ customers is considerably harking back to the 2019-2020 cyberattack affecting prospects of SolarWinds, a software program firm that makes IT and community administration instruments for big Fortune 500 organizations, together with authorities departments. Russian authorities spies hacked into the corporate’s servers and secretly planted a backdoor in its software program, permitting the Russian spies to entry information on these prospects’ networks as soon as the replace had rolled out.
The SolarWinds breach affected a number of authorities companies, together with Homeland Safety and the Departments of Commerce, Vitality, Justice, and State.
Up to date with a response from Ho and with extra particulars from Rapid7.
