The creator of the widely-used open-source text editor, Notepad++, has reported a serious security breach where hackers manipulated the software to send harmful updates to users over several months in 2025.
In a recent blog entry, Don Ho, the developer behind Notepad++, indicated that the cyberattack was likely executed by hackers linked to the Chinese government, occurring between June and December 2025. This assertion comes from a thorough analysis conducted by cybersecurity experts, suggesting a targeted approach during the attack.
Ho did not disclose the exact number of users affected or the extent of the compromise, but he has committed to providing updates as more information becomes available.
Notepad++ has been a prominent open-source initiative for over twenty years, boasting millions of downloads globally, including by professionals in various organizations.
Security researcher Kevin Beaumont, who initially uncovered the breach, noted that a limited number of organizations with interests in East Asia were compromised after a user unknowingly utilized a corrupted version of the software. This allowed the hackers to gain direct access to the computers of those running the hijacked Notepad++ versions.
While the precise method of the breach is still under investigation, Ho shared insights into the attack's execution. He explained that the Notepad++ website was hosted on a shared server, and the attackers specifically targeted its domain to exploit a vulnerability that redirected some users to a malicious server controlled by them. This enabled the hackers to deliver harmful updates to unsuspecting users until the issue was resolved in November, and their access was cut off in early December.
Ho mentioned that logs indicated attempts by the hackers to exploit a fixed vulnerability again, but these efforts were unsuccessful post-fix implementation.
In light of this incident, Ho expressed his regret and encouraged users to download the latest version of Notepad++, which includes a fix for the vulnerability.
This incident echoes the notorious SolarWinds cyberattack from 2019-2020, where Russian hackers infiltrated the company's servers, embedding a backdoor in their software that allowed unauthorized access to various customers' networks.
