
Notepad++ Hit by Sophisticated Supply-Chain Attack Linked to Chinese Hackers

By: Joahn G
Last updated: February 5, 2026
  • A China-linked group hijacked Notepad++’s update mechanism to conduct cyber espionage.

  • Through the hijacked update channel, the attackers delivered bespoke malware to a limited set of targets from June until December 2025.

  • U.S. government agencies are now investigating potential exposure across federal systems.


A popular tool used by millions of developers just became a weapon. Hackers didn’t break into Notepad++ directly. They did something smarter and more dangerous. They poisoned the update process itself.

Don Ho, the French developer behind Notepad++, announced on Monday that the project’s update system had been breached. The attackers had been targeting specific Notepad++ users since June 2025. This was not an indiscriminate “spray-and-pray” attack; the hackers singled out particular individuals and pursued them with precision and planning over a period of months.

Notepad++ Hack – Months of Silent Access

The attackers maintained access to Notepad++’s hosting server until September 2, 2025. Even after that, they held onto credentials for some hosting services until December 2, 2025. That’s six months of opportunity to strike.

Ho explained by email that he could not determine the exact number of malicious updates downloaded. One thing, however, was clear from the investigation. “The attack was very picky – not all users during the compromise window received malicious updates, hinting at intentional targeting rather than common distribution,” he stated.

A message from Ho’s hosting provider, included in his blog post, confirmed the worst. The server used to deliver updates to customers “could have been compromised.” The hackers specifically went after the domain associated with Notepad++.

Abuse of hosting infrastructure is a recurring weak point that law enforcement agencies are actively working to address, as demonstrated by operations like the recent shutdown of a criminal hosting service by Dutch police for its dark web activities.

Hostinger, a company based in Lithuania, hosted the domain until January 21. The international dimension complicates the picture of how far the breach extends.

CISA is not taking chances. A representative said the agency is aware of the reported compromise and is examining whether any data across the United States Government has been exposed. Anyone who uses Notepad++ for work should take note of that statement.

Chinese-sponsored Group Accused of The Attack

Rapid7, a cybersecurity company, wasted no time attributing the campaign to a China-based cyberespionage group named Lotus Blossom. While the group may be new to some readers or organizations, it has been operating since 2009.

According to Rapid7’s research, Lotus Blossom has targeted government entities, telecommunications, aviation, critical infrastructure, and media industries. While most of its activities occurred in Southeast Asia, the group has recently expanded into Central America.

Through the compromised updates, Lotus Blossom deployed a custom backdoor that gave it full access to infected systems. The attackers could exfiltrate data from those machines and use them as a foothold from which to move laterally and target other hosts within the same networks.

The Chinese Embassy in Washington has denied all accusations of involvement in hacking, calling them false and unsupported by any evidence. A spokesperson stated, “China opposes and firmly rejects all types of hacking under national law. We do not support, endorse, or enable any cybercrime.”

In his December 2, 2025, blog entry, Kevin Beaumont surfaced additional worrying details regarding this matter. Beaumont identified three companies potentially affected by the Notepad++ compromise that are “in some way associated with East Asia.”

Security Veteran Proposes Safety Measures

Supply chain attacks are especially concerning because they exploit trust. Developers build trust with their users by shipping software updates that make the product more secure. Once hackers hijack that update mechanism, even the most careful users fall into the trap.

This high-level threat exists alongside a bustling marketplace of more accessible cybercrime tools, such as the exposed ‘SantaStealer’ Malware-as-a-Service platform, which aimed to equip less sophisticated attackers ahead of the holidays.

For users of Notepad++, especially those working for government or businesses, there is an urgent need to verify your installation, check for suspicious activity, and remain vigilant for any communication from your IT security team. The tools we rely on the most can also be turned against us.


About the Author

Joahn G


Cyber Threat Journalist

Joahn is a cyber threat journalist dedicated to tracking the evolving landscape of digital risks. His reporting focuses on ransomware gangs, data breach incidents, and state-sponsored cyber operations. By analyzing threat actor motives and tactics, he provides timely intelligence that helps readers understand and anticipate the security challenges of tomorrow.
