Breaking News
A Chinese-linked cyberespionage group hijacked the software update mechanism of the popular code editor Notepad++ to distribute a custom backdoor and other malicious tools to a select group of users, according to the platform’s developer and cybersecurity researchers.
Don Ho, the France-based developer of Notepad++, said in a blog post on Monday that “malicious actors” interfered with the project’s update infrastructure beginning in June 2025. The attackers gained access to the server used to host software updates until September 2, 2025, and retained credentials for some related hosting services until December 2, 2025, he said.
Ho said the attack was highly targeted, rather than a broad supply-chain compromise. “Not all users during the compromise window received malicious updates, indicating deliberate targeting,” he said in an email, adding that he does not have visibility into how many infected updates were ultimately downloaded.
It remains unclear which users were targeted or what criteria the attackers used to select victims. A message included in Ho’s blog post from the hosting provider concluded that the server responsible for distributing updates “could have been compromised,” and that the attackers specifically focused on the domain linked to Notepad++ update delivery.
The Cybersecurity and Infrastructure Security Agency (CISA) said it is aware of the reported compromise and is investigating potential exposure across the United States government.
Cybersecurity firm Rapid7 attributed the campaign to a Chinese-linked threat group known as Lotus Blossom. Active since at least 2009, the group has a history of targeting government agencies, telecommunications providers, aviation, critical infrastructure and media organisations, particularly across Southeast Asia and, more recently, Central America, Rapid7 said.
According to Rapid7’s analysis, the attackers used their access to deliver a customised backdoor that could provide interactive control over infected machines. Such access could allow the group to steal sensitive data, move laterally within networks and use compromised systems as a launching point for further attacks.
The incident highlights growing concerns around software supply-chain security, particularly for widely used open-source tools. By compromising trusted update mechanisms, attackers can bypass traditional security controls and deliver malware under the guise of legitimate software updates.
Ho said steps have been taken to secure the update infrastructure and revoke compromised credentials, and that the project is reviewing additional safeguards to prevent similar incidents in the future.
Security experts warned that the case underscores the risks facing developers and users alike, as sophisticated threat actors increasingly target software distribution channels to gain stealthy, long-term access to high-value systems.