Notepad++ update chain hijacked by Chinese Lotus Blossom group
Notepad++ developer Don Ho confirmed that Chinese government-affiliated hackers hijacked the open-source text editor’s update mechanism from June to December 2025, exploiting a shared server bug to deliver malicious updates to select users worldwide.
Don Ho detailed the incident in a blog post published on Monday. He attributed the cyberattack to hackers linked to the Chinese government, based on analyses of malware payloads and attack patterns conducted by multiple security experts. Ho stated that this affiliation “would explain the highly selective targeting” observed in the campaign. The attack involved redirecting certain users requesting software updates to a malicious server controlled by the hackers.
Rapid7, which investigated the breach, identified the perpetrators as the Lotus Blossom espionage group. This group operates on behalf of China and focuses on sectors including government, telecommunications, aviation, critical infrastructure, and media organizations. Lotus Blossom maintains a long track record of such operations, aligning with the patterns seen in the Notepad++ compromise.
Notepad++ qualifies as one of the longest-running open-source projects, with a history exceeding two decades. The software has accumulated at least tens of millions of downloads globally, reaching employees at various organizations across multiple countries. Its widespread adoption made it a viable vector for targeted intrusions.
Security researcher Kevin Beaumont first uncovered the cyberattack and documented his findings in December 2025. He reported that the hackers compromised a small number of organizations maintaining interests in East Asia. These compromises occurred after individuals within those organizations installed a tainted version of Notepad++. Beaumont noted that the attackers achieved “hands-on” access to the victims’ computers running the hijacked software versions.
Ho described the technical execution in his blog post. Notepad++’s website operated on a shared hosting server. The attackers specifically targeted the Notepad++ web domain, exploiting a software bug within it. This vulnerability enabled redirection of specific users to the hackers’ malicious server, which then served harmful updates. The malicious deliveries persisted until Ho patched the bug in November 2025, at which point the hackers’ access ended in early December 2025.
Ho referenced server logs showing the attackers’ subsequent efforts. The logs recorded attempts by the bad actor to re-exploit one of the fixed vulnerabilities, but these efforts failed following implementation of the patch. In an email to TechCrunch, Ho added that his hosting provider verified the compromise of the shared server without revealing the method of the initial breach.
Ho issued an apology for the incident in his communications. He recommended that all users download the most recent version of Notepad++, which incorporates the fix for the exploited bug. This update addresses the vulnerability that facilitated the redirection mechanism.
The Notepad++ incident parallels the 2019-2020 SolarWinds cyberattack. In that case, Russian government spies infiltrated SolarWinds servers. SolarWinds produces IT and network management tools used by large Fortune 500 organizations, including U.S. government departments. The spies inserted a backdoor into the company’s software updates. Once customers deployed these updates, the backdoor granted the spies access to data on the affected networks. The SolarWinds breach impacted agencies such as Homeland Security and the Departments of Commerce, Energy, Justice, and State.
Ho’s blog post and subsequent updates incorporated responses from him along with further details supplied by Rapid7.