Targeted Attack Hits Notepad++ Update System

Notepad++
  • A Chinese‑linked cyberespionage group compromised the update mechanism of the open‑source editor Notepad++, delivering a custom backdoor to selected users.
  • The intrusion lasted several months and involved access to hosting servers and update credentials.
  • Security researchers say the attack reflects a broader trend of highly selective supply‑chain compromises targeting organizations with strategic value.

A Selective Supply‑Chain Compromise

Notepad++, one of the world’s most widely used open‑source code editors, became the target of a sophisticated supply‑chain attack. Developer Don Ho confirmed that malicious actors infiltrated the update process beginning in June 2025. Their access to the hosting server continued until September, while some credentials remained compromised until December. It remains unclear how many users received the tampered updates.

Ho said the attack was highly selective rather than indiscriminate. Only certain users were served malicious files, suggesting the attackers had specific targets in mind. The developer noted that he had no visibility into the number of affected downloads. His findings were published in a detailed blog post outlining the timeline and nature of the breach.

The U.S. Cybersecurity and Infrastructure Security Agency acknowledged awareness of the incident. Officials are investigating whether any U.S. government systems were exposed. The agency has not yet released further details about potential impact. Its involvement underscores the seriousness of the compromise.

Attribution and Attack Methods

Cybersecurity firm Rapid7 attributed the operation to Lotus Blossom, a Chinese‑linked espionage group active since 2009. The group has historically targeted government, telecom, aviation and media sectors across Southeast Asia. More recently, its activity has expanded into Central America, according to Rapid7’s analysis. The Notepad++ incident fits the group’s pattern of using supply‑chain access to reach high‑value targets.

The attackers used their access to deliver a custom backdoor capable of granting interactive control over infected machines. Compromised systems could then be used to steal data or pivot deeper into organizational networks. Security researcher Kevin Beaumont reported that at least three organizations with interests in East Asia experienced incidents potentially linked to the attack. His findings suggest the campaign may have been broader than initially assumed.

Hostinger, the Lithuanian hosting provider used by Notepad++, confirmed that traffic to the update URL had been redirected. The company said it was cooperating fully with investigators and sharing all available information. Its own blog post described the event as a supply‑chain attack carried out by a “bad actor.” Domain records show that Notepad++ updates were hosted on Hostinger until January 21.
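A redirect of the update URL only works against clients that trust whatever bytes the download host returns. The check below is an added illustration, not code from Notepad++ or Hostinger: a client that verifies the downloaded installer against a release manifest (version, size, SHA-256) obtained independently of the download host, so that a redirected host serving a modified file is rejected before anything is executed. The host names, installer bytes and manifest are constructed for the demo.

```python
"""Integrity check for a downloaded update, written so that a redirected
download host cannot slip a modified installer past the client.

Added illustration; not Notepad++ code. Assumes the client holds a trusted
release manifest (version, size, SHA-256) obtained independently of the
download host, e.g. pinned in the client or fetched from a separately
authenticated endpoint.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample artefacts, not real installers.
_BLOCK = b"EXAMPLE-INSTALLER-BYTES v1.2.0\n"
LEGIT_INSTALLER = _BLOCK * 64
# Same length as the legitimate file with the last block altered, so a
# size check alone would not notice the change.
TAMPERED_INSTALLER = LEGIT_INSTALLER[:-len(_BLOCK)] + b"EXAMPLE-INSTALLER-BYTES v1.2.1\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Trusted manifest, built here from the known-good bytes for the demo.
TRUSTED_MANIFEST = {
    "version": "1.2.0",
    "size": len(LEGIT_INSTALLER),
    "sha256": sha256_hex(LEGIT_INSTALLER),
}

# Simulated download hosts (constructed). The second stands in for an update
# URL whose traffic has been redirected to attacker-controlled content.
_HOSTS = {
    "update.example.test": LEGIT_INSTALLER,
    "redirected.example.test": TAMPERED_INSTALLER,
}


def fetch_installer(host: str) -> bytes:
    """Stand-in for the HTTP download. The client does not control where the
    name actually resolves, so the returned bytes must be verified."""
    return _HOSTS[host]


@dataclass
class VerifyResult:
    ok: bool
    reason: str


def _version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def verify_download(payload: bytes, manifest: dict,
                    installed_version: str = "1.1.0") -> VerifyResult:
    """Accept the payload only if it is a genuine upgrade and matches the
    trusted manifest byte-for-byte (size, then SHA-256)."""
    if _version_tuple(manifest["version"]) <= _version_tuple(installed_version):
        return VerifyResult(False, "downgrade refused")
    if len(payload) != manifest["size"]:
        return VerifyResult(False, "size mismatch")
    # compare_digest avoids leaking where the two digests diverge.
    if not hmac.compare_digest(sha256_hex(payload), manifest["sha256"]):
        return VerifyResult(False, "digest mismatch")
    return VerifyResult(True, "ok")


def run_update(host: str, installed_version: str = "1.1.0") -> VerifyResult:
    """Download from `host` and verify against the trusted manifest.
    Only on ok=True would a real client go on to execute the installer."""
    return verify_download(fetch_installer(host), TRUSTED_MANIFEST, installed_version)


if __name__ == "__main__":
    for host in _HOSTS:
        print(f"{host}: {run_update(host)}")
```

The check is only as strong as the channel that delivers the manifest: if the manifest is served from the same host that was redirected, the attacker can replace both. Where, as reported here, hosting access and update credentials were both compromised, the manifest should be signed with a release key kept off the hosting infrastructure, and the client should verify that signature before trusting the digests.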

A spokesperson for the Chinese Embassy in Washington rejected claims of state involvement. The statement said China opposes all forms of hacking and does not support cyberattacks. Officials criticized what they described as unfounded accusations lacking factual evidence. Their response mirrors previous denials in similar cases.

Ongoing Impact and Industry Response

The attack highlights the growing risks associated with software supply chains. Open‑source projects are particularly vulnerable because they often rely on distributed infrastructure and volunteer‑maintained systems. Notepad++ is widely used by developers, IT professionals and organizations worldwide, making it an appealing target for espionage groups. The selective nature of the attack suggests the goal was intelligence gathering rather than mass disruption.

Ho emphasized that the attackers specifically targeted the domain associated with Notepad++ updates. This focus indicates a deliberate attempt to compromise trusted distribution channels. The incident has prompted renewed scrutiny of how open‑source projects manage hosting and update security. Many maintainers lack the resources to defend against state‑linked threat actors.

CISA’s involvement may lead to broader guidance for securing update mechanisms. Supply‑chain attacks have become a major concern following high‑profile incidents in recent years. Governments and industry groups are increasingly urging developers to adopt stronger authentication and monitoring practices. The Notepad++ case adds to the growing list of examples illustrating the need for systemic improvements.

Hostinger and Notepad++ continue to investigate the breach. Both parties have published partial findings but say the full scope of the attack is still being assessed. Additional disclosures may emerge as forensic analysis progresses. The long‑term impact on user trust remains to be seen.

Lotus Blossom, the group linked to the attack, is known for using highly tailored malware and carefully chosen targets. Its operations often focus on organizations with geopolitical relevance, making its involvement in a developer‑focused supply‑chain attack notable. The case reinforces how open‑source tools, despite being free and widely trusted, can become strategic entry points for advanced threat actors.
