Developers and security analysts disclosed on Monday that a sustained compromise of the update delivery system for the popular code editor Notepad++ allowed attackers to install a tailored backdoor and additional malicious software on targeted machines. Don Ho, the project's France-based lead developer, said in a blog post published on the Notepad++ site that "malicious actors" began targeting the update process for "certain targeted users" in June 2025.
According to Ho, the intruders maintained control of the hosting server used to deliver Notepad++ updates until September 2, 2025, and retained credentials for certain hosting services until December 2, 2025. Ho said he lacked precise visibility into how many users actually received the compromised updates, but emphasized the operation appeared to be deliberately selective rather than broadly distributed.
"What I do know from the investigation is that the attack was highly selective - not all users during the compromise window received malicious updates, indicating deliberate targeting rather than widespread distribution," Ho wrote in an email to reporters.
The project's hosting provider examined the incident and concluded that the server used to supply updates "could have been compromised," and that the attackers specifically focused on the domain associated with Notepad++. Internet registration records show that the domain was hosted by Lithuanian provider Hostinger until January 21, a detail Ho confirmed in his correspondence with investigators. Hostinger did not immediately answer requests for comment.
Cybersecurity firm Rapid7 published an analysis on Monday attributing the campaign to a Chinese-linked cyberespionage group tracked as Lotus Blossom. Rapid7 said Lotus Blossom has been active since 2009 and historically has targeted government, telecommunications, aviation, critical infrastructure and media organizations across Southeast Asia and, more recently, Central America.
Rapid7's analysis indicates the attackers used their access to the update channel to install a custom backdoor enabling interactive control of infected systems. Researchers said that control could be leveraged both to exfiltrate data from compromised computers and to use them as footholds to reach additional systems within targeted networks.
Separately, cybersecurity researcher Kevin Beaumont noted in a December 2, 2025 blog post that he was aware of three organizations "with interests in East Asia" that experienced security incidents potentially connected to Notepad++ updates. Beaumont did not elaborate further in the material cited by the developer and researchers.
The U.S. Cybersecurity and Infrastructure Security Agency confirmed it is "aware of the reported compromise and is investigating possible exposure across the United States Government (USG)," a spokesperson told reporters. The extent of any exposure beyond the agencies currently under review has not been publicly detailed.
The Chinese Embassy in Washington issued a statement rejecting allegations that the government sponsored the activity. The embassy said "China opposes and fights all forms of hacking in accordance with the law. We do not encourage, support or connive at cyber attacks. We reject the relevant parties' irresponsible assertion that the Chinese government sponsored hacking activity when it had not presented any factual evidence."
Don Ho's post and accompanying communications with his hosting provider represent the public account of how the intruders gained sufficient access to manipulate update delivery. Ho underscored the narrow scope of confirmed malicious updates and his team's limited ability to quantify the number of affected users.
Context and next steps
Investigations by Notepad++ developers, third-party security firms and U.S. government cybersecurity officials are continuing. The available public disclosures indicate a focused supply-chain intrusion that leveraged update infrastructure to reach specifically selected targets, with control of the update server lasting from mid-2025 until September 2, 2025, and access through some hosting credentials persisting until December 2, 2025.
At present, the precise identities and total number of organizations or individuals affected have not been made public. The developer has provided details about compromised hosting and timelines but has not released a comprehensive inventory of impacted users.