The developer of Notepad++, a popular open-source text editor, has admitted that hackers took over the software and distributed malicious updates to users over several months in 2025.
In a blog post published on Monday, Notepad++ developer Don Ho said the cyberattack was likely carried out by Chinese government-affiliated hackers between June and December 2025, citing analysis by security experts. Ho said this “would explain the very selective targeting” seen during the campaign.
Ho did not say how many users were targeted or compromised (if known), and did not respond to questions by press time. (I will update if there is a reply.)
Notepad++ is one of the longest-running open-source projects, active for more than 20 years, and has been downloaded at least tens of millions of times, including by employees of organizations around the world.
The hackers compromised a small number of organizations with “interests in East Asia” after someone unknowingly used a tampered version of the popular software, said Kevin Beaumont, a security researcher who first discovered the cyberattack and compiled the findings in December. Beaumont said the hackers had “direct” access to the victim's computer, which was running a hijacked version of Notepad++.
Ho said the “exact technical mechanism” of how the hackers infiltrated the server was still being investigated, but provided some details about how the attack ended.
Ho said in his blog that the Notepad++ website is hosted on a shared hosting server. The attackers “specifically targeted” the Notepad++ web domain with the aim of exploiting a bug in the software to redirect some users to a malicious server run by the hackers. This allowed hackers to distribute malicious updates to specific users who requested software updates until the bug was fixed in November and the hackers' access was suspended in early December.
“We have logs showing that the attacker attempted to re-exploit one of the fixed vulnerabilities, but the attempt was not successful after the fix was implemented,” Ho wrote.
Ho apologized for the incident and urged users to download the latest version of the software, which includes bug fixes.
The cyberattack targeting Notepad++ users is somewhat reminiscent of the 2019-2020 cyberattack that affected customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations, including government departments. Russian government hackers infiltrated the company's servers and secretly planted backdoors in its software, allowing Russian spies to access data on those customers' networks once an update was rolled out.
The SolarWinds breach affected several government agencies, including the Department of Homeland Security, Department of Commerce, Department of Energy, Department of Justice, and Department of State.

