Notepad++ says Chinese government hackers hijacked its software updates for months


10:09 AM PST · February 2, 2026

The developer of the popular open-source text editor Notepad++ has confirmed that hackers hijacked the software to deliver malicious updates to users over the course of several months in 2025.

In a blog post published Monday, Notepad++ developer Don Ho said that the cyberattack was likely carried out by hackers associated with the Chinese government between June and December 2025, citing an investigation by security experts. Ho said this “would explain the highly selective targeting” seen during the campaign.

Ho did not say how many users were targeted or how many were compromised — if known — and did not respond to questions by the time of publication. (If we hear back, we will update.)

Notepad++ is one of the longest running open-source projects, spanning more than two decades, and it counts at least tens of millions of downloads to date, including by employees at organizations around the world.

According to Kevin Beaumont, a security researcher who first discovered the cyberattack and wrote up his findings in December, the hackers compromised a small number of organizations “with interests in East Asia” after someone unwittingly used a tainted version of the popular software. Beaumont said that the hackers were able to gain “hands-on” access to the computers of victims who were running hijacked versions of Notepad++.

Ho said that the “exact technical mechanism” of how the hackers broke into his servers remains under investigation, but provided some details as to how the attack went down.

In the blog, Ho said that Notepad++’s website was hosted on a shared hosting server. The attackers “specifically targeted” Notepad++’s web domain with the goal of exploiting a bug in the software to redirect some users to a malicious server run by the hackers. This allowed the hackers to deliver malicious updates to certain users who had requested a software update, until the bug was fixed in November and the hackers’ access was terminated in early December.

“We do have logs indicating that the bad actor tried to re-exploit one of the fixed vulnerabilities; however, the attempt did not succeed after the fix was implemented,” wrote Ho.

Ho apologized for the incident, and urged users to download the most recent version of his software, which contains a fix for the bug.

The cyberattack targeting Notepad++ users is somewhat reminiscent of the 2019-2020 cyberattack affecting customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations, including government departments. Russian government hackers broke into the company’s servers and secretly planted a backdoor in its software, allowing the Russian spies to access data on those customers’ networks once the update had rolled out.

The SolarWinds breach affected several government agencies, including Homeland Security and the Departments of Commerce, Energy, Justice, and State.

Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security.

He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com.
