For months in 2025, the open-source community was rocked by a stealthy cyberattack that targeted Notepad++, a beloved text editor used by millions worldwide. The breach, which was finally disclosed by developer Don Ho on February 2, 2026, revealed a sophisticated supply chain compromise that allowed suspected Chinese state-sponsored hackers to deliver malicious updates to a select group of users. The incident has reignited concerns over software supply chain vulnerabilities—even among long-established, widely trusted open-source projects.
According to multiple reports, including a statement from Notepad++’s own website and analyses by security firms such as Rapid7, the attack began in June 2025 and continued until early December of that year. The hackers, attributed by experts to the Chinese espionage group Lotus Blossom, exploited weaknesses in Notepad++’s update infrastructure—not the source code itself. By compromising the project’s shared hosting server, the attackers were able to intercept and redirect update traffic intended for notepad-plus-plus.org, sending certain users to malicious servers instead. This allowed them to deliver tampered update manifests and, ultimately, malicious payloads to a narrow set of victims.
“Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign,” read Notepad++’s announcement, as reported by BleepingComputer. The hackers’ interest wasn’t in infecting the masses; instead, their campaign focused on organizations with interests in East Asia, particularly in the government, telecom, aviation, critical infrastructure, and media sectors. Security researcher Kevin Beaumont, who was among the first to uncover the breach, noted, “I’ve only talked to a small number of victims. They are orgs with interests in East Asia. Activity appears very targeted. Victims report hands on keyboard recon activity, with activity starting around two months ago.”
The technical details of the breach highlight the complexity and subtlety of modern supply chain attacks. Unlike incidents where hackers tamper with software source code, this attack relied on an “on-path” approach. The attackers compromised the server hosting Notepad++’s update mechanism, then redirected update requests from specific users to their own infrastructure. This allowed them to serve malicious updates while leaving the vast majority of users untouched. The Notepad++ team emphasized, “The campaign was not a mass attack and did not affect all users,” as cited by TechCrunch.
Investigations revealed that the attackers first gained access to the shared hosting server in June 2025. The breach was temporarily interrupted in early September when the server’s kernel and firmware were updated, cutting off the hackers’ access. However, the attackers had already secured internal service credentials, which allowed them to regain their foothold and continue redirecting update traffic until December 2, 2025, when the hosting provider finally detected the intrusion and terminated their access. As Don Ho explained, “Even though the bad actors have lost access to the server from the 2nd of September, 2025, they maintained the credentials of our internal services existing on that server until the 2nd of December, which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers and return the updates download URL with compromised updates.”
Security firm Rapid7, which conducted a detailed technical analysis, attributed the attack to Lotus Blossom (also known as Raspberry Typhoon, Bilbug, and Spring Dragon). The group deployed a previously undocumented custom backdoor dubbed Chrysalis. Rapid7’s report noted, “The only confirmed behavior is that execution of ‘notepad++.exe’ and subsequently ‘GUP.exe’ preceded the execution of a suspicious process ‘update.exe’.” While no definitive indicators of compromise were found in the server logs, this pattern raised red flags for investigators and victims alike.
The Notepad++ incident draws uncomfortable parallels to previous high-profile supply chain attacks. The SolarWinds breach of 2019-2020, which saw Russian government hackers plant a backdoor in software updates for Fortune 500 companies and U.S. government agencies, is perhaps the most infamous example. Similarly, the 2018 ShadowHammer campaign compromised ASUS’s update infrastructure, affecting hundreds of thousands of users but ultimately targeting only a few hundred specific victims. As SentinelOne observed, “Although the malicious updates were distributed to potentially hundreds of thousands of systems, the attackers appeared interested in only a few hundred specific targets.”
In the wake of the attack, the Notepad++ development team moved quickly to shore up their defenses. The website and update infrastructure were migrated to a new hosting provider, and all potentially compromised credentials were rotated. Starting with version 8.8.9, released in December 2025, the WinGUp updater began verifying installer certificates and signatures, and the update XML file is now cryptographically signed. According to the team, mandatory certificate signature verification will be enforced in version 8.9.2, expected for release in the coming month.
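The verification step described above, as an added example written for this article rather than code from the Notepad++ project or its WinGUp updater: it assumes an Ed25519 publisher key pinned in the client, a constructed two-field manifest in place of the real update XML, and placeholder hosts (update.example.org, attacker.example). The hijacked case mirrors the redirect described earlier: whoever controls the update response can rewrite the download URL or swap the installer, but cannot produce a valid signature for the altered manifest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/url"
)

// Manifest is a constructed stand-in for the signed update XML: the client acts
// on the URL and installer hash only after the signature over both verifies.
type Manifest struct{ DownloadURL, InstallerSHA256 string }

func (m Manifest) signedBytes() []byte { return []byte(m.DownloadURL + "\n" + m.InstallerSHA256) }

// VerifyUpdate accepts an update only if the manifest signature validates under
// the publisher key pinned in the client, the URL stays on the allowed host over
// HTTPS, and the downloaded installer hashes to the value the manifest carries.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, installer []byte, host string) error {
	if !ed25519.Verify(pub, m.signedBytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if u, err := url.Parse(m.DownloadURL); err != nil || u.Scheme != "https" || u.Hostname() != host {
		return errors.New("download URL not on the pinned host")
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.InstallerSHA256 {
		return errors.New("installer hash does not match signed manifest")
	}
	return nil
}

// Demo signs a constructed manifest with a throwaway key, then replays the
// on-path scenario: whoever controls the update response can rewrite the URL
// or swap the installer, but cannot re-sign the manifest.
func Demo() (genuine, redirected, swapped error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	m := Manifest{"https://update.example.org/npp.exe", hex.EncodeToString(sum[:])}
	sig := ed25519.Sign(priv, m.signedBytes())
	genuine = VerifyUpdate(pub, m, sig, installer, "update.example.org")
	hijacked := m
	hijacked.DownloadURL = "https://attacker.example/npp.exe" // rewritten in transit
	redirected = VerifyUpdate(pub, hijacked, sig, installer, "update.example.org")
	swapped = VerifyUpdate(pub, m, sig, []byte("trojanized bytes"), "update.example.org")
	return genuine, redirected, swapped
}
```

In practice the pinned key must ship inside the client binary, not be fetched from the same server an on-path attacker can redirect.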
Users have been strongly urged to upgrade to the latest version as a precaution. “I deeply apologize to all users affected by this hijacking,” wrote Don Ho in his public statement. He also advised users to change credentials for SSH, FTP/SFTP, and MySQL, review WordPress admin accounts, update plugins and themes, and enable automatic updates where possible. Organizations were encouraged to check for suspicious network requests from gup.exe, unexpected processes spawned by the installer, and the presence of files like update.exe or AutoUpdater.exe in the user TEMP folder.
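The host-side checks in that guidance, as an added example that is not from Notepad++ or any vendor: it runs three hunt rules (GUP.exe spawning one of the named files, gup.exe contacting a host outside an assumed allowlist, and one of the named files landing under a Temp directory) over constructed telemetry lines in an assumed key=value format. The allowlist is an assumption to tune to the hosts your updater legitimately contacts.

```go
package main

import (
	"path/filepath"
	"strings"
)

// Event is one constructed telemetry record as key=value fields; the schema is assumed.
type Event map[string]string

// ParseEvent splits a "key=value key=value" line; values are lower-cased for matching.
func ParseEvent(line string) Event {
	ev := Event{}
	for _, kv := range strings.Fields(line) {
		if k, v, ok := strings.Cut(kv, "="); ok {
			ev[k] = strings.ToLower(v)
		}
	}
	return ev
}

var allowedUpdateHosts = map[string]bool{"notepad-plus-plus.org": true} // assumed allowlist; tune it
var suspectNames = map[string]bool{"update.exe": true, "autoupdater.exe": true} // names from the advisory

// Detect returns one finding per event that matches any of the three hunt rules.
func Detect(lines []string) []string {
	var findings []string
	for _, line := range lines {
		ev := ParseEvent(line)
		if ev["type"] == "process" && ev["parent"] == "gup.exe" && suspectNames[ev["image"]] {
			findings = append(findings, "GUP.exe spawned "+ev["image"])
		}
		if ev["type"] == "network" && ev["image"] == "gup.exe" && !allowedUpdateHosts[ev["dest"]] {
			findings = append(findings, "gup.exe contacted "+ev["dest"])
		}
		p := strings.ReplaceAll(ev["path"], `\`, "/") // normalise Windows separators
		if ev["type"] == "file" && suspectNames[filepath.Base(p)] && strings.Contains(p, "/temp/") {
			findings = append(findings, "updater artifact in TEMP: "+ev["path"])
		}
	}
	return findings
}

// SampleLines is constructed telemetry, not data from the incident.
var SampleLines = []string{
	"type=process parent=notepad++.exe image=GUP.exe",
	"type=process parent=GUP.exe image=update.exe",
	"type=network image=gup.exe dest=notepad-plus-plus.org",
	"type=network image=gup.exe dest=198.51.100.7",
	`type=file path=C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe`,
	`type=file path=C:\Users\alice\AppData\Local\Temp\npp.installer.exe`,
}
```

The benign lines (the normal notepad++.exe to GUP.exe start, the allowlisted host, and the legitimately named installer) produce no findings, so the rules can be tested for false positives before being pointed at real EDR exports.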
The attack has prompted renewed warnings about the risks inherent in software supply chains, particularly for open-source projects that rely on shared infrastructure and community-driven development. As the Notepad++ team noted, “The incident highlights ongoing concerns about software supply chain security.” While open-source software offers transparency and flexibility, it can also present unique challenges for maintaining security, especially when infrastructure is shared among multiple projects.
Attribution in cyberattacks is always fraught with uncertainty. While multiple independent researchers and firms have linked the Notepad++ incident to Chinese state-sponsored actors based on targeting behavior and operational patterns, direct evidence remains elusive. As the developers themselves acknowledged, “Such attributions are typically based on infrastructure reuse, targeting behavior and operational characteristics rather than direct evidence, and remain difficult to verify conclusively.”
Still, the lessons from the Notepad++ hijacking are clear: even trusted, widely used tools are not immune to sophisticated attacks. The episode serves as a wake-up call for software maintainers, enterprises, and end users alike to remain vigilant, adopt robust security practices, and stay informed about emerging threats. In an era where digital infrastructure underpins everything from government operations to everyday communication, the integrity of our software supply chains has never been more critical.