Notepad++ Updates Hijacked In China-Linked Supply-Chain Attack

Popular Open Source Editor Notepad++ Used To Deliver Targeted Malware

Hackers tied to China weaponised Notepad++’s update channel for months, pushing malicious builds to selectively target government and critical sectors, exposing supply-chain risks in trusted open source tools.

A supply-chain breach targeting the open source text editor Notepad++ allowed attackers to hijack its software updates for months in 2025, pushing malicious builds to selected users.

Developer Don Ho confirmed the compromise, saying the update mechanism was abused between June and December after attackers redirected some users from the legitimate server to a malicious one. The campaign is likely linked to Chinese government-associated hackers, based on multiple security analyses.

Rapid7 attributed the operation to Lotus Blossom, a long-running China-aligned espionage group, and said targets included government, telecom, aviation, critical infrastructure and media organisations, signalling focused intelligence gathering rather than mass infection.

Notepad++’s website was hosted on a shared server, where attackers “specifically targeted” its domain and exploited a bug to deliver tainted updates. Ho said the “exact technical mechanism” remains under investigation and that the hosting provider confirmed the shared server was compromised.

The vulnerability was fixed in November and attacker access ended in early December. “We do have logs indicating that the bad actor tried to re-exploit one of the fixed vulnerabilities; however, the attempt did not succeed after the fix was implemented,” Ho wrote.

Security researcher Kevin Beaumont, who first discovered the breach, said only a small number of organisations “with interests in East Asia” were hit, with attackers gaining “hands-on” access.

One of the longest-running open source projects with tens of millions of downloads, Notepad++ now joins SolarWinds as a warning that trusted community software and update infrastructure can become state-backed attack vectors.
