Chinese hackers backdoored Notepad++ for six months targeting specific users.

Chinese hackers compromised Notepad++ updates for six months, deploying a backdoor to selectively target users in government and critical infrastructure sectors.

Feb 8, 2026
Technobezz

Hackers linked to China used a compromised update server to push a backdoor to selected users of the popular Notepad++ code editor for more than six months. The attack began in June 2025 and continued until December, according to security researchers and the software's developer.

Notepad++ maintainer Don Ho confirmed the breach in a February 2 blog post. The attackers had access to the hosting server used for software updates until September 2, 2025, and retained credentials for some hosting services until December 2.

The France-based developer said the attack was "highly selective": only some of the users who checked for updates during the compromise window received a malicious one.

Cybersecurity firm Rapid7 attributed the campaign to a Chinese-linked group tracked as Lotus Blossom. The state-sponsored hacking group has been active since 2009 and historically targets government, telecom, aviation, critical infrastructure, and media sectors across Southeast Asia and Central America.

The attack delivered a previously undocumented backdoor, codenamed Chrysalis, to users of the open-source editor. Researchers found that the malicious download was an NSIS installer that sideloaded a malicious DLL, which decrypted and launched shellcode to install the backdoor. The launched shellcode also functioned as a Metasploit downloader that dropped a Cobalt Strike beacon.

Victims spanned multiple regions, with Rapid7's telemetry showing affected organizations in the Asia-Pacific region. Industry peers also reported victims in South America, according to Christiaan Beek, senior director of threat intelligence and analytics at Rapid7.

Targeted sectors included telecom, government, and transportation.

A CISA spokesperson said the agency "is aware of the reported compromise and is investigating possible exposure across the United States Government (USG)."

Notepad++ addressed the weakness in December 2025 with the release of version 8.8.9. The update changed WinGUp, the editor's built-in updater, to verify the certificate and signature of downloaded installers before running them, so a tampered installer served from a compromised host is rejected rather than executed. The project has since moved to a new hosting provider with stronger security practices and rotated all credentials.

Kevin Beaumont, a cybersecurity researcher, said in a December 2, 2025 blog post that he was aware of three organizations "with interests in East Asia" with security incidents potentially tied to Notepad++. The custom backdoor could give attackers interactive control of infected computers, creating footholds for data theft and further network targeting.

The attack represents a sophisticated supply-chain compromise that leveraged the software's update mechanism. Researchers noted the mix of custom malware alongside commodity frameworks like Metasploit and Cobalt Strike, combined with rapid adaptation of public research on Microsoft Warbird abuse.

Notepad++ is a Windows-based code and text editor first released in 2003. The open-source tool is widely used by developers, IT administrators, engineers, and analysts across various industries.

The selective targeting suggests the attackers focused on specific high-value organizations rather than attempting mass infection.

Security researchers began surfacing reports of incidents linked to Notepad++ in November 2025. The campaign remained active through December, with the hosting provider concluding that the server "could have been compromised" and that hackers specifically targeted the domain associated with Notepad++.

Internet registration records show the domain was hosted by Lithuanian hosting provider Hostinger until January 21.

The Chinese Embassy in Washington rejected allegations of government-sponsored hacking, stating China "opposes and fights all forms of hacking in accordance with the law" and does not "encourage, support or connive at cyber attacks."

The incident highlights ongoing concerns about software supply-chain security, particularly for open-source projects with smaller development teams. Similar China-linked campaigns targeting software suppliers have been documented by Google, which reported active intrusions using stealthy malware designed to hide for extended periods.

This follows other code editor security issues, including Microsoft's VS Code Snap package failing to properly delete files on Linux.

Notepad++ users who installed updates between June and December 2025 should confirm they are running version 8.8.9 or later. The maintainer also recommends checking for suspicious processes or files that may have been dropped on the machine during the compromise window.
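As an added example, not code from Notepad++, WinGUp or this article, the PowerShell script below combines the two points made above: the installer signature verification that version 8.8.9 added to the updater, and the version check recommended for users who updated during the compromise window. The two paths and the $ExpectedSigner substring are assumptions; set them to your install location and to the publisher subject you see on a known-good Notepad++ binary.

```powershell
# Added example (not Notepad++ or WinGUp code): is the installed Notepad++ at
# 8.8.9 or later, and do the installed binary and a downloaded installer carry
# a valid Authenticode signature from the expected publisher?
# Assumptions, adjust for your environment: the two paths below, and
# $ExpectedSigner, a placeholder substring matched against the signing
# certificate's Subject.
param(
    [string]$InstalledExe    = "$env:ProgramFiles\Notepad++\notepad++.exe",
    [string]$InstallerPath   = "$env:USERPROFILE\Downloads\npp-installer.exe",
    [string]$ExpectedSigner  = "Notepad++",
    [version]$MinimumVersion = "8.8.9"
)

function Test-NotepadPlusPlusVersion {
    param([string]$Path, [version]$Minimum)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Check = "version"; Ok = $false; Detail = "not found: $Path" }
    }
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    # ProductVersion is a free-form string; parse it and fall back to FileVersion.
    $installed = ($info.ProductVersion -as [version])
    if (-not $installed) { $installed = ($info.FileVersion -as [version]) }
    if (-not $installed) {
        return [pscustomobject]@{ Check = "version"; Ok = $false; Detail = "unparseable version '$($info.ProductVersion)'" }
    }
    [pscustomobject]@{
        Check  = "version"
        Ok     = ($installed -ge $Minimum)
        Detail = "installed $installed, minimum $Minimum"
    }
}

function Test-BinarySignature {
    param([string]$Path, [string]$Signer)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Check = "signature"; Ok = $false; Detail = "not found: $Path" }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the certificate
    # chains to a trusted root. NotSigned or HashMismatch is what a
    # trojanized installer swapped on the download host would show.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Check = "signature"; Ok = $false; Detail = "$Path status $($sig.Status)" }
    }
    $subject = $sig.SignerCertificate.Subject
    # A valid signature is not enough: it must also be the publisher's.
    # Anyone can buy a code-signing certificate, so pin the expected subject
    # (or better, the thumbprint, which is printed below for pinning).
    if ($subject -notlike "*$Signer*") {
        return [pscustomobject]@{ Check = "signature"; Ok = $false; Detail = "$Path unexpected signer $subject" }
    }
    [pscustomobject]@{
        Check  = "signature"
        Ok     = $true
        Detail = "$Path signed by $subject, thumbprint $($sig.SignerCertificate.Thumbprint)"
    }
}

$results = @(
    Test-NotepadPlusPlusVersion -Path $InstalledExe -Minimum $MinimumVersion
    Test-BinarySignature -Path $InstalledExe -Signer $ExpectedSigner
    Test-BinarySignature -Path $InstallerPath -Signer $ExpectedSigner
)
$results | Format-Table -AutoSize

# Non-zero exit if any check failed, so the script can gate an automated install.
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

Run it as `.\Check-Npp.ps1 -InstallerPath C:\path\to\downloaded.exe`; a signed installer from a different publisher, or an installed binary that fails the version check, makes the script exit 1. Pinning the thumbprint it prints is stricter than the subject match and is what an updater that has already been burned once should do.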
