Notepad++ Updates Hijacked by Chinese State-Linked Hackers – Ankor Tech

The developer of the widely used open-source text editor, Notepad++, has confirmed that threat actors compromised the software’s update mechanism to distribute malware to users for several months in 2025. This sophisticated supply-chain attack allowed unauthorized access to targeted systems across global infrastructure sectors.

State-Sponsored Espionage Campaign

In an official blog post, Notepad++ developer Don Ho identified the perpetrators as hackers linked to the Chinese government. The campaign, which spanned from June to December 2025, utilized highly selective targeting, a hallmark of state-sponsored operations.

Security firm Rapid7, which investigated the incident, attributed the breach to the “Lotus Blossom” espionage group. This collective is known for targeting critical sectors, including government, telecommunications, aviation, media, and essential infrastructure.

The Mechanism of the Breach

The attackers gained control by exploiting a vulnerability within the shared hosting server used by Notepad++. By redirecting specific users to a malicious server, the hackers successfully pushed infected software updates. Security researcher Kevin Beaumont, who first exposed the campaign in December, noted that the breach provided attackers with “hands-on” access to the machines of victims, specifically those with interests in East Asia.

Don Ho stated that while the exact initial entry point remains under investigation by his hosting provider, the malicious activity was effectively neutralized after a bug fix was deployed in November. Logs indicate that the hackers attempted to re-exploit the vulnerability following the patch, but these efforts proved unsuccessful.

Supply-Chain Risks and Mitigation

This incident draws comparisons to the 2019-2020 SolarWinds breach, where Russian state-sponsored actors injected backdoors into software updates to compromise government agencies, including the Departments of Commerce, Energy, and Justice. Similarly, the Notepad++ attack underscores the extreme risks inherent in supply-chain vulnerabilities for software used by millions globally.

Don Ho has issued a formal apology and is urging all users to secure their systems immediately. To mitigate further risk, users must download the most recent version of Notepad++, which contains the security patches that close the exploited vulnerability.