Notepad++ Hacked by Chinese State Hackers: Malware Dropped via Updates for 6 Months

The developer behind Notepad++, one of the most widely used open-source text editors among programmers and IT professionals, has revealed a prolonged cyberattack attributed to Chinese government-backed hackers. The breach allowed attackers to hijack software updates, delivering malware to a select group of users between June and December 2025.

Notepad++ creator Don Ho detailed the incident in a blog post on February 2, 2026, confirming findings from security researcher Kevin Beaumont, who first uncovered the attack in December 2025. The hackers gained control over the update mechanism, compromising systems of organizations with interests in East Asia.

How the Hack Unfolded

Notepad++'s website ran on a shared hosting server, which attackers specifically targeted. They exploited a vulnerability to redirect traffic from certain users to a malicious server under their control. When victims requested updates, they received tainted versions laced with malware, granting hackers hands-on keyboard access to infected machines.

The attack's selective nature, impacting only a small number of organizations, points to state-sponsored espionage. Ho noted this aligns with tactics used by advanced persistent threats (APTs) linked to China. The exact entry point into the servers is still under investigation, but the redirection bug was patched in November 2025, with full hacker access severed by early December.

Technical Breakdown

  • Target: Notepad++ web domain and update servers.
  • Method: Traffic redirection via exploited bug on shared hosting.
  • Payload: Malicious updates enabling remote access.
  • Duration: Approximately six months (June-December 2025).
  • Victims: Limited to entities with East Asia focus, avoiding broad exposure.

This precision mirrors nation-state operations, where widespread chaos is avoided to maintain stealth.

Broader Industry Context

The Notepad++ incident echoes the infamous SolarWinds supply chain attack of 2019-2020. In that case, Russian hackers inserted a backdoor into SolarWinds' Orion software updates, compromising thousands of organizations, including U.S. government agencies. Victims unknowingly installed the malware while performing routine updates, granting spies network access.

Supply chain attacks have surged in recent years, exploiting trust in legitimate software. Tools like Notepad++, with millions of downloads, are prime targets due to their ubiquity in development environments. Developers often auto-update such utilities, amplifying risks.

Impact on Users and Developers

While the breach was contained, it underscores vulnerabilities in open-source software distribution. Affected users faced potential data exfiltration or further compromise, especially those in sensitive sectors. Ho emphasized the attack's sophistication, likely aimed at intelligence gathering rather than destruction.

The developer community now faces heightened scrutiny on update integrity. Recommendations include verifying checksums, using signed updates, and isolating development tools. Notepad++ has since migrated from shared hosting to bolster security.

Lessons for Software Security

This event highlights critical gaps:

  • Shared hosting exposes domains to lateral movement risks.
  • Update mechanisms must enforce certificate pinning and domain validation.
  • Organizations should segment developer tools from production environments.
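The two client-side controls named above and in the recommendations (domain validation of the download path, and checksum verification against an out-of-band manifest) can be combined into a single gate an updater runs before applying anything. This is an added illustration, not Notepad++'s own updater code; the host name, function names and sample payloads are assumptions constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hosts the updater may fetch from (assumed value; not Notepad++'s real infrastructure).
ALLOWED_HOSTS = {"updates.example.org"}


def validate_update_url(url: str, redirect_chain=()) -> bool:
    """Domain validation: the original URL and every redirect hop must be HTTPS
    and on an allow-listed host. A hop that lands on any other host, which is
    what traffic redirection from a hijacked server produces, is refused."""
    for hop in (url, *redirect_chain):
        parts = urlparse(hop)
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return False
    return True


def verify_checksum(payload: bytes, expected_sha256_hex: str) -> bool:
    """Integrity check: the expected digest must come from a manifest obtained
    out of band (shipped with the client or fetched over a separate pinned
    channel), never from the same server that delivered the payload."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex)


def safe_apply_update(url: str, redirect_chain, payload: bytes, manifest_sha256: str) -> str:
    """Gate an update: refuse on a bad download path first, then on a digest mismatch."""
    if not validate_update_url(url, redirect_chain):
        return "rejected: download path left the allow-listed update domain"
    if not verify_checksum(payload, manifest_sha256):
        return "rejected: payload does not match the manifest checksum"
    return "accepted"


# Constructed sample data: a genuine installer image and a tampered copy with an appended implant.
GENUINE = b"npp-installer-v1\x00" + bytes(range(32))
TAINTED = GENUINE + b"<implant>"
# The manifest digest is computed here only to build the example; in practice it is published out of band.
MANIFEST_SHA256 = hashlib.sha256(GENUINE).hexdigest()

if __name__ == "__main__":
    print(safe_apply_update("https://updates.example.org/npp.exe", (), GENUINE, MANIFEST_SHA256))
    print(safe_apply_update("https://updates.example.org/npp.exe",
                            ("https://mirror.attacker.example/npp.exe",), GENUINE, MANIFEST_SHA256))
    print(safe_apply_update("https://updates.example.org/npp.exe", (), TAINTED, MANIFEST_SHA256))
```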

As state actors increasingly target software supply chains, tools like Notepad++, essential for coding, log analysis, and scripting, demand robust protections. Users are advised to update to the latest version and scan systems with antivirus software.

The revelation serves as a wake-up call, pushing the industry toward zero-trust architectures even for trusted open-source projects.

Sources: itnews.com.au