
Chinese State-Sponsored Hackers Hijacked Notepad++ Software Updates for Months

Chinese Government-Linked Hackers Compromised Notepad++ Update Mechanism

Notepad++, the widely-used open-source text editor with tens of millions of downloads globally, was hijacked by Chinese state-sponsored hackers who delivered malicious software updates to users over a six-month period in 2025.

The attack ran from June through December 2025, with developers confirming the breach through analysis of malware payloads and attack patterns. The developer of Notepad++, Don Ho, disclosed in a blog post that security researchers determined the threat actor is likely a Chinese state-sponsored group, which explained the highly selective targeting observed during the campaign.

How the Attack Unfolded

The compromise occurred at the infrastructure level rather than through vulnerabilities in Notepad++ itself. Attackers gained access to the shared hosting server and exploited a bug in the software’s update verification controls to redirect certain users to malicious servers under their control.

According to Ho’s disclosure, the attackers “specifically targeted” Notepad++’s web domain, redirecting some users who requested software updates to attacker-controlled servers. This selective redirection allowed the hackers to deliver tainted executables to a limited number of targets with suspected interests in East Asia.

The server itself remained compromised until September 2, 2025, when scheduled maintenance that included kernel and firmware updates cut off that access. However, the attackers retained stolen credentials for internal services until December 2, 2025, which allowed them to keep intercepting update traffic.

Security Researchers Identify Custom Malware

Rapid7, which investigated the incident, attributed the hacking to Lotus Blossom, a long-running espionage group known to work for China. The firm identified a custom backdoor dubbed “Chrysalis,” alongside Cobalt Strike and Metasploit frameworks, and noted that targets included government, telecom, aviation, critical infrastructure, and media sectors.

Security researcher Kevin Beaumont, who first discovered the cyberattack, reported that hackers compromised a small number of organizations and gained “hands-on” access to victim computers.

Why Notepad++ Was Targeted

Notepad++ presented an attractive target for supply chain attacks due to its massive user base and widespread deployment across enterprises. The software is used by developers, analysts, and IT operators globally, yet does not require an enterprise contract or license and does not include usage tracking by default, making it difficult to detect in enterprise software inventories.

This characteristic made Notepad++ particularly valuable for espionage operations, as a single successful software update could deliver malware to thousands of environments simultaneously.

Remediation and Response

Ho apologized for the incident and urged users to download version 8.9.1, which contains security fixes. Notepad++ has migrated to a new hosting provider and enhanced WinGup (the updater component) to verify both certificate and signature of downloaded installers.
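The fix described above, checking the signing certificate as well as the signature, is worth replicating on the defender side for any installer pulled from a redirectable download path. The PowerShell below is an added example, not WinGup's or Notepad++'s own code: it uses the built-in Get-AuthenticodeSignature cmdlet and treats the certificate thumbprint and subject pattern as placeholders that must be pinned from a known-good installer.

```powershell
# Added example (not Notepad++'s own WinGup code): reject a downloaded installer
# unless its Authenticode signature is valid AND the signing certificate is the
# one we expect. $ExpectedThumbprint is a placeholder; pin the real publisher's
# certificate thumbprint from a known-good installer before relying on it.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    [string] $ExpectedThumbprint = 'PLACEHOLDER_PIN_REAL_PUBLISHER_THUMBPRINT',
    [string] $ExpectedSubjectPattern = 'CN=Notepad\+\+'  # assumption: adjust to the real subject
)

function Test-PinnedInstallerSignature {
    param([string] $Path, [string] $Thumbprint, [string] $SubjectPattern)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. The signature must chain to a trusted root and match the file bytes.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for '$Path' is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # 2. A valid signature from the wrong signer is still a red flag: a redirected
    #    download could be signed with any certificate the attacker controls.
    $cert = $sig.SignerCertificate
    if ($cert.Thumbprint -ne $Thumbprint.ToUpperInvariant()) {
        Write-Warning "Signer thumbprint $($cert.Thumbprint) does not match the pinned value"
        return $false
    }
    if ($cert.Subject -notmatch $SubjectPattern) {
        Write-Warning "Signer subject '$($cert.Subject)' does not match the expected publisher"
        return $false
    }
    return $true
}

if (Test-PinnedInstallerSignature -Path $InstallerPath -Thumbprint $ExpectedThumbprint -SubjectPattern $ExpectedSubjectPattern) {
    Write-Output "OK: '$InstallerPath' is signed by the pinned publisher certificate."
    exit 0
} else {
    Write-Output "REJECT: '$InstallerPath' failed verification; do not run it."
    exit 1
}
```

A non-zero exit code makes the check easy to wire into a deployment pipeline so that an unexpected signer blocks installation rather than merely logging a warning.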

The incident parallels the 2019-2020 SolarWinds breach, where Russian government spies hacked a software company’s servers and planted backdoors in updates distributed to Fortune 500 organizations and government agencies.

Key Takeaway

The Notepad++ hijacking underscores the critical vulnerability of software distribution channels. As attackers continue to target widely-used development tools, organizations must prioritize verification of software updates and maintain awareness of their software inventory, even for tools distributed freely without enterprise licensing requirements.
