Popular open-source coding application targeted in Chinese-linked supply-chain attack

Feb 2 (Reuters) – A Chinese-linked cyberespionage group with a long history hijacked the update process for the popular code editing platform Notepad++ to deliver a custom backdoor and other malware to targeted users, the program’s developer and cybersecurity researchers said on Monday.

Don Ho, the French-based developer of Notepad++, said in a blog posted to the project’s website on Monday that “malicious actors” had targeted the update process for “certain targeted users” beginning in June 2025. The hackers had access to the hosting server used for Notepad++ updates until September 2, 2025, but maintained credentials to some hosting services until December 2, 2025, according to Ho.

It was not clear which Notepad++ users were targeted, or how many. Ho said in an email that he did not have visibility into how many malicious updates were downloaded. “What I do know from the investigation is that the attack was highly selective – not all users during the compromise window received malicious updates, indicating deliberate targeting rather than widespread distribution,” Ho said.

Ho’s blog included a message from his hosting provider concluding that the server used to deliver updates to customers “could have been compromised,” and that the hackers specifically targeted the domain associated with Notepad++.

Internet registration records show that the domain was hosted by Lithuanian hosting provider Hostinger until January 21, a fact Ho confirmed in the email.

Hostinger did not immediately respond to a request for comment.

Cybersecurity firm Rapid7 attributed the hacking campaign to a Chinese-linked cyberespionage group tracked as Lotus Blossom in a blog post posted on Monday. Active since 2009, the group has historically targeted government, telecom, aviation, critical infrastructure and media sectors across Southeast Asia and, more recently, Central America, according to Rapid7.

The Chinese Embassy in Washington did not immediately respond to a request for comment. Beijing regularly denies condoning or participating in hacking activity.

The hacking group used its access to deliver a custom backdoor that could give it interactive control of infected computers, which could then be used as a foothold to steal data and target other computers, according to the analysis.

Kevin Beaumont, a cybersecurity researcher, said in a December 2, 2025, blog post that he was aware of three organizations “with interests in East Asia,” which had security incidents potentially tied to Notepad++.