Notepad++ says Chinese government hackers have been hijacking its software updates for months

The developer of the popular open source text editor Notepad++ has confirmed that hackers have hijacked the software to deliver malicious updates to users over the course of several months in 2025.

In a blog post published on Monday, Notepad++ developer Don Hu said the cyberattack was likely carried out by hackers linked to the Chinese government between June and December 2025, citing an analysis by security experts. This “explains the very selective targeting” seen during the campaign, Ho said.

He did not say how many users were targeted or how many were hacked — if known — and did not respond to questions by press time. (If we hear back, we’ll update.)

Notepad++ is one of the longest running open source projects, spanning more than two decades, and has had at least tens of millions of downloads to date, including by employees at organizations around the world.

According to Kevin Beaumont, the security researcher who first discovered the cyberattack and wrote up his findings in December, hackers compromised a small number of organizations “with interests in East Asia” after someone unwittingly used a tainted version of the popular software. Beaumont said the hackers gained “practical” access to the computers of victims who were running hijacked versions of Notepad++.

Hu said the “exact technical mechanism” of how the hackers broke into his servers was still under investigation, but he provided some details about how the attack occurred.

In the blog, he said that the Notepad++ website was hosted on a shared hosting server. The attackers “specifically” targeted Notepad++’s web domain with the aim of exploiting a software bug to redirect some users to a malicious server run by hackers. This allowed the hackers to deliver malicious updates to some users who requested the software update, until the flaw was fixed in November and the hackers’ access was terminated in early December.

“We have records indicating that the bad actor attempted to re-exploit one of the fixed vulnerabilities; however, the attempt was unsuccessful after the fix was implemented,” he wrote.

He apologized for the incident and urged users to download the latest version of his software, which contains a fix for the bug.

The cyberattack targeting Notepad++ users is somewhat reminiscent of a 2019-2020 cyberattack that affected customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations, including government departments. Russian government hackers broke into the company’s servers and secretly planted a backdoor in its software, allowing Russian spies to access data on those customers’ networks once the update was rolled out.

The SolarWinds hack affected multiple government agencies, including the Department of Homeland Security and the Departments of Commerce, Energy, Justice, and State.