Notepad++ has confirmed that it was at the centre of a quiet but serious cyberattack in 2025, after hackers believed to be linked to a Chinese group hijacked parts of its update infrastructure to target specific users over several months. The incident, which ran largely undetected at the time, involved attackers redirecting update requests from selected users to malicious servers, allowing them to deliver tampered versions of the popular open-source text editor.

According to Notepad++ maintainer Don Ho, the attack began around June 2025 and continued until early December, when the attackers’ access was finally cut off. Crucially, this wasn’t a case of hackers breaking into Notepad++’s source code or sneaking malicious changes into its build system.

The company's blog post stated, "The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests."

By exploiting weaknesses in older versions of Notepad++’s update verification process, the attackers were able to selectively redirect certain users, not everyone, to servers under their control.

That selective targeting is one of the reasons the attack stayed under the radar for so long. Security researchers say the victims were largely organisations with strategic value, including government agencies, telecom companies, financial services firms, and media organisations, particularly those with interests in East Asia.

Rapid7, which investigated the incident, attributed the campaign to Lotus Blossom, a long-running China-linked espionage group, and found that the attackers delivered a previously undocumented backdoor dubbed Chrysalis. The malware was capable of gathering system information, executing commands, and downloading additional payloads, giving attackers hands-on access to infected machines.

Other industry experts have pointed out that the attack highlights a growing blind spot in software security. Even though the malicious updates were signed and appeared legitimate, the attackers effectively inserted themselves into the trusted update path. As BeyondTrust’s Morey Haber noted, "Once the updater was hijacked, the threat actor became a part of the trusted execution path for updates."

For everyday users, the risk may have been low, but for targeted organisations, the impact could be significant.

In response, Notepad++ has already rolled out fixes and made major changes to its update process. The project has moved to a new hosting provider, rotated all credentials, and strengthened its update verification system. Newer versions now enforce stricter checks, including validating digital signatures and certificates before installing any update. Ho has urged users to download the latest version to ensure they’re protected.
