The developer of the popular open-source text editor Notepad++ has confirmed that hackers hijacked the software to deliver malicious updates to users over the course of several months in 2025.
In a blog post published Monday, Notepad++ developer Don Ho stated that the cyberattack was likely carried out by hackers associated with the Chinese government between June and December 2025, citing an analysis by security experts. Ho said this would explain the highly selective targeting observed during the campaign.
Ho did not specify how many users were targeted or compromised, and did not respond to questions by the time of publication.
Notepad++ is one of the longest-running open-source projects, spanning more than two decades, and counts at least tens of millions of downloads to date, including by employees at organizations worldwide.
According to security researcher Kevin Beaumont, who first discovered the cyberattack in December, the hackers compromised a small number of organizations with interests in East Asia after someone unwittingly used a tainted version of the software. Beaumont said the hackers gained hands-on access to the computers of victims running hijacked versions of Notepad++.
Ho explained that the exact technical mechanism of the breach remains under investigation, but provided some details. Notepad++’s website was hosted on a shared server. The attackers specifically targeted the web domain to exploit a bug, redirecting some users to a malicious server run by the hackers. This allowed them to deliver malicious updates to certain users requesting a software update until the bug was fixed in November and the hackers’ access was terminated in early December.
Ho noted that logs indicate the bad actor tried to re-exploit one of the fixed vulnerabilities, but the attempt did not succeed after the fix was implemented.
He apologized for the incident and urged users to download the most recent version of the software, which contains a fix for the bug.
The cyberattack targeting Notepad++ users is somewhat reminiscent of the 2019-2020 cyberattack affecting customers of SolarWinds, a software company that makes IT and network management tools for large organizations. Russian government hackers broke into that company’s servers and secretly planted a backdoor in its software, allowing spies to access data on customer networks once the update rolled out. The SolarWinds breach affected several government agencies, including Homeland Security and the Departments of Commerce, Energy, Justice, and State.

