Paris, France. A China-linked cyberespionage group hijacked the update process of the Notepad++ source code editor to deliver a custom backdoor and other malware to targeted users, the program's developer and cybersecurity researchers said.
Developer details compromise timeline
Notepad++ developer Don Ho said in a blog post on Monday that "malicious actors" targeted the update process for "certain targeted users" beginning in June 2025. Ho said the hackers had access to the hosting server used for Notepad++ updates until September 2, 2025, and retained credentials to some hosting services until December 2, 2025.
It was not clear which Notepad++ users were targeted or how many. Ho said in an email that he had no visibility into how many malicious updates were downloaded, and that the attack was highly selective, pointing to deliberate targeting rather than widespread distribution.
Hosting and domain information
Ho’s blog included a message from his hosting provider concluding that the server used to deliver updates to customers “could have been compromised,” and that the hackers specifically targeted the domain associated with Notepad++.
Internet registration records show the domain was hosted by Lithuanian hosting provider Hostinger until January 21, which Ho confirmed in the email. Hostinger did not immediately respond to a request for comment.
Rapid7 attribution and alleged group history
Cybersecurity firm Rapid7 attributed the campaign to a Chinese-linked cyberespionage group tracked as Lotus Blossom in a blog post on Monday. Rapid7 said the group has been active since 2009 and has historically targeted government, telecom, aviation, critical infrastructure and media sectors across Southeast Asia and, more recently, Central America.
The Chinese Embassy in Washington did not immediately respond to a request for comment. Beijing regularly denies condoning or participating in hacking activity.
Malware capabilities and related incidents
Rapid7 said the group used its access to deliver a custom backdoor that could give it interactive control of infected computers, which could then serve as a foothold for stealing data and moving on to other machines.
Cybersecurity researcher Kevin Beaumont said in a December 2, 2025, blog post that he was aware of three organizations “with interests in East Asia” that had security incidents potentially tied to Notepad++.