A cyberattack involving the popular open source text editor Notepad++ has been confirmed, resulting in malicious updates being distributed to users over several months in 2025. The attack, attributed to the Chinese government-affiliated group known as Lotus Blossom, targeted various sectors, including government and critical infrastructure, as noted by the security firm Rapid7.
This breach occurred between June and December 2025, with the infiltration enabled through a compromised shared hosting server used by Notepad++. Developer Don Ho explained that hackers exploited a vulnerability in the software to redirect users to their malicious server, delivering harmful updates until the issue was resolved in November.
Security researcher Kevin Beaumont highlighted that a limited number of organizations with interests in East Asia were compromised after users inadvertently installed the infected software. While the precise method of the initial breach remains under investigation, records indicate that attempts to exploit fixed vulnerabilities were made but ultimately failed.