Cyberespionage Group Breaches Notepad++ Update Process
A cyberespionage group with ties to China infiltrated the update mechanism of the widely used code editor Notepad++ to distribute a bespoke backdoor alongside other malicious software, according to a blog post by the program's developer, Don Ho, and corroborated by cybersecurity experts.
Based in France, Ho disclosed that malicious actors initiated their campaign targeting specific users as early as June 2025. They maintained access to the Notepad++ update server until September 2, 2025, although credentials for certain hosting services were retained until December 2, 2025.
The extent of the impact on Notepad++ users remains unclear; Ho said by email that he does not know precisely how many malicious updates were downloaded.
“What I discern from our investigation is that this attack was meticulously orchestrated—indicating a deliberate selection of targets rather than widespread dissemination,” Ho remarked.
A representative from the Cybersecurity and Infrastructure Security Agency has acknowledged the breach, stating, “We are aware of the reported compromise and are currently investigating potential exposure across the United States Government (USG).”
Compromised Hosting and Targeted Domain
In Ho's blog post, a message from his hosting provider said that the server responsible for delivering updates may have been compromised, and that the hackers deliberately focused on the Notepad++ domain.
Internet registration records indicate that the domain was hosted by the Lithuanian provider, Hostinger, until January 21, a detail that Ho confirmed in his correspondence.
In an email to Reuters, a Hostinger spokesperson elaborated that a “bad actor executed a supply chain attack, redirecting traffic to the update file’s URL.” Hostinger is cooperating with Notepad++ and sharing pertinent information while also publishing relevant updates on their blog.
Attribution to Lotus Blossom
Cybersecurity firm Rapid7 has attributed the hacking campaign to a Chinese-linked group known as Lotus Blossom, active since 2009.
This group has historically targeted sectors including government, telecommunications, aviation, critical infrastructure, and media across Southeast Asia, with more recent incursions into Central America.
A spokesperson for the Chinese Embassy in Washington stated, “China opposes and combats all forms of hacking in accordance with the law. We do not condone cyber attacks, nor support them. We categorically reject the claims that the Chinese government sponsors hacking activities without presenting concrete evidence.”
Potential Risks and Repercussions
The hacking group used its access to implant a custom backdoor capable of providing interactive control over compromised systems. Such access could enable data theft and the subsequent targeting of additional machines, according to expert analysis.
Cybersecurity researcher Kevin Beaumont wrote in a blog post on December 2, 2025, that he had identified three organizations with interests in East Asia that experienced security incidents potentially connected to Notepad++.
Source link: M.economictimes.com.