Notepad++ hackers remained undetected and pushed malicious updates for six months – here’s who’s responsible, how they did it, and how to check if you’ve been affected

Notepad++ users should ensure they’re running the latest version of the open source software


Threat actors remained undetected for months and distributed malicious updates to Notepad++ users after breaching the popular text editor software, developers have revealed.

In a blog post, lead developer Don Ho said a preliminary investigation into the incident showed hackers went undetected for around six months, with those responsible believed to be a state-affiliated threat group.

“The incident began from June 2025. Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign,” he wrote.

Ho added that the “infrastructure-level compromise” allowed threat actors to “intercept and redirect update traffic”, with the source of the incident stemming from a hosting provider rather than vulnerabilities within the open source software itself.

“Traffic from certain targeted users was selectively redirected to attacker-controlled servers that served malicious update manifests,” Ho explained.

The confirmation follows several weeks of speculation over a potential breach. In early December, security researcher Kevin Beaumont penned a blog post revealing he’d heard from three separate organizations who’d all experienced security incidents with Notepad++.

How Notepad++ was breached

According to Ho, details on the “exact technical mechanism” behind the breach are yet to be determined pending a comprehensive probe.

What we do know so far is that Notepad++’s hosting infrastructure was a shared hosting server, and that the incident began in June 2025.

Through this compromised server, attackers were able to manipulate requests from WinGUp, Notepad++’s native updater tool. It’s from here that threat actors were able to redirect users to malicious servers.

The now-former hosting provider confirmed this shared server was compromised until 2 September 2025. Yet despite losing server access, attackers “maintained credentials to internal services” which enabled them to continue distributing malicious updates to users until 2 December.

“Remediation and security hardening” updates were completed by 2 December, according to Ho, which blocked further activity.

Who’s behind the Notepad++ breach?

A separate investigation by Rapid7 Labs attributed the breach to a Chinese APT group, Lotus Blossom.

According to researchers, the state-affiliated group has been active since 2009 and has a reputation for “targeted espionage campaigns” against organizations in Southeast Asia and Central America.

“Our investigation identified a security incident stemming from a sophisticated compromise of the infrastructure hosting Notepad++, which was subsequently used to deliver a previously undocumented custom backdoor, which we have dubbed Chrysalis,” the company noted in an advisory.

What users need to know

As Beaumont noted in his December blog post, Notepad++ issued an update to release version 8.8.8 in November. This patch aimed to “harden the Notepad++ Updater from being hijacked to deliver something… not Notepad++”.

While Beaumont advised users to confirm they’re running a version of the software from 8.8.8 or higher, developers have since urged users to ensure they’re running 8.9.1 or higher.

“I recommend downloading v8.9.1 (which includes the relevant security enhancement) and running the installer to update your Notepad++ manually,” Ho said.

“With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed.”
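The version advice above translates into a simple local check. The PowerShell below is an added example, not code from the Notepad++ project or from the article: it locates notepad++.exe in the usual install directories (the paths are assumptions; adjust them for non-standard installs), compares the binary's file version against the 8.9.1 minimum the maintainer recommends, and reports the Authenticode signature status of the executable, which is the kind of client-side binary verification the article says is being tightened. It confirms version state only; whether a machine was actually targeted is a question for the Rapid7 IOCs the article points to, which this script does not include.

```powershell
# Added example (not Notepad++ project code): check the installed Notepad++
# version against the maintainer-recommended minimum and report its signature.

$MinimumVersion = [version]'8.9.1'   # minimum version recommended in the article

# Common install locations; these are assumptions, extend as needed.
$Candidates = @(
    "$env:ProgramFiles\Notepad++\notepad++.exe",
    "${env:ProgramFiles(x86)}\Notepad++\notepad++.exe",
    "$env:LOCALAPPDATA\Programs\Notepad++\notepad++.exe"
)

function Test-NotepadPlusPlusVersion {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [version]$Minimum = $MinimumVersion
    )

    $vi = (Get-Item -LiteralPath $ExePath).VersionInfo

    # Build a comparable System.Version from the numeric parts of the
    # file version resource rather than parsing the free-text strings.
    $installed = [version]::new(
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    # Authenticode check of the binary on disk: Status is 'Valid' only when
    # the file is signed and the chain verifies on this host.
    $sig = Get-AuthenticodeSignature -FilePath $ExePath

    [pscustomobject]@{
        Path            = $ExePath
        Installed       = $installed
        MeetsMinimum    = ($installed -ge $Minimum)
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$found = $Candidates | Where-Object { Test-Path -LiteralPath $_ }

if (-not $found) {
    Write-Warning 'notepad++.exe not found in the usual locations; call Test-NotepadPlusPlusVersion with an explicit -ExePath.'
} else {
    $found | ForEach-Object { Test-NotepadPlusPlusVersion -ExePath $_ } | Format-List
}
```

Run it in the user context on each endpoint, or wrap the function in Invoke-Command for a fleet; a result with MeetsMinimum set to False or a SignatureStatus other than Valid is the signal to reinstall from the official download rather than rely on the in-app updater.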

In terms of indicators of compromise (IOCs), Ho noted in his blog post that there are none to share at present.

That doesn’t mean users are left completely in the dark, however. Rapid7’s advisory on the campaign does include IOCs for users who want to determine whether their devices have been targeted.

Cassius Edison, COO of Closed Door Security, said the severity of the breach is “hard to understate” and users should take immediate steps to establish if they’re impacted.

“It’s vital that users ensure their software is updated to the latest version, especially on systems connected to larger networks,” he said.

“The maintainer for Notepad++ has switched to a new host for updates, and has started to implement stricter verification of update binaries on the client side, which should hopefully mitigate any further hijacking attempts moving forward.”


Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
