Chinese state hackers hijacked Notepad++ software updates for 6 months in a targeted supply chain attack, compromising systems via trojanized updates.

Continue reading
In a sophisticated software supply chain attack reminiscent of the SolarWinds breach, the developer of the widely-used Notepad++ text editor has confirmed that hackers linked to the Chinese government hijacked its software updates for months, delivering malware to a select group of high-value targets.
The campaign, which security researchers attribute to the long-running Chinese espionage group known as Lotus Blossom, compromised the update mechanism of a piece of software trusted by millions of developers and IT professionals worldwide.
According to Notepad++ developer Don Ho, the attack persisted from June to December 2025. The threat actors achieved initial access by compromising the shared hosting server where the Notepad++ website (`notepad-plus-plus.org`) was hosted.
The attackers' primary goal was to exploit a specific bug within the Notepad++ software itself. After compromising the web server, they manipulated the infrastructure to redirect a subset of users to a malicious server they controlled. This redirection occurred only when those users utilized the software's built-in update checker.
Multiple independent analyses point to state-sponsored Chinese hackers as the perpetrators. Security firm Rapid7 formally attributes the activity to Lotus Blossom (also tracked as Bronze President or Earth Lusca), a group known for conducting cyber-espionage for over a decade.
The targeting was highly deliberate. Security researcher Kevin Beaumont, who first discovered and publicized the campaign in December 2025, noted that the compromised victims were a "small number of organizations with interests in East Asia." Rapid7's investigation identified targets within government, telecommunications, aviation, critical infrastructure, and media sectors.
This selective, intelligence-driven approach explains why the widespread compromise of a popular software channel did not result in a global, noisy malware outbreak. The operators were hunting for specific data from specific entities.
Notepad++ is a cornerstone of the open-source software ecosystem. With a development history spanning over two decades, it has been downloaded tens of millions of times and is a staple tool for programmers, system administrators, and writers across corporations, governments, and individual devices globally.
The breach's significance lies in its methodology, not its breadth. By compromising a trusted software vendor's update channel—a technique known as a software supply chain attack—the hackers gained a potent foothold in target networks. This method bypasses many traditional security defenses, as the malicious activity originates from a trusted source.
The incident draws direct parallels to the 2020 SolarWinds breach, where Russian foreign intelligence agents injected a backdoor into a network management software's updates, compromising thousands of organizations, including multiple U.S. government agencies. While the scale of the Notepad++ attack appears more targeted, the underlying tactic is identical: subvert the trust between software and user to enable espionage.
Developer Don Ho has publicly apologized for the incident. In a blog post, he urged all users to download the most recent, clean version of Notepad++ from the official repository, which contains the fix for the exploited bug. He confirmed that logs show unsuccessful attempts by the attackers to re-exploit the system after the vulnerabilities were patched.
The "exact technical mechanism" of the initial server breach remains under investigation. Ho told TechCrunch that while the hosting provider confirmed the shared server was compromised, it did not specify the initial attack vector used by the hackers.
The Notepad++ incident serves as a stark reminder that in the interconnected digital ecosystem, the security of one open-source project can have profound implications for global cybersecurity.

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.