Popular open-source coding application targeted in Chinese-linked supply-chain attack

By AJ Vicens Feb 2 (Reuters) – A Chinese-linked cyberespionage group with a long history hijacked the update process for the popular code editing platform Notepad++ to deliver a custom backdoor and other malware to targeted users, the program's developer and cybersecurity researchers said on Monday. Don Ho, the French-based developer of Notepad++, said in a blog posted to the project's website on Monday that malicious actors had targeted the update process for certain targeted users beginning in June 2025. The hackers had access to the hosting server used for Notepad++ updates until September 2, 2025, but maintained credentials to some hosting services until December 2, 2025, according to Ho. It was not clear which Notepad++ users were targeted, or how many. Ho said in an email that he did not have visibility into how many malicious updates were downloaded. "What I do know from the investigation is that the attack was highly selective – not all users during the compromise window received malicious updates, indicating deliberate targeting rather than widespread distribution," Ho said. A spokesperson for the Cybersecurity and Infrastructure Security Agency said the agency "is aware of the reported compromise and is investigating possible exposure across the United States Government (USG)." Ho's blog included a message from his hosting provider concluding that the server used to deliver updates to customers "could have been compromised," and that the hackers specifically targeted the domain associated with Notepad++.  Internet registration records show that the domain was hosted by Lithuanian hosting provider Hostinger until January 21, a fact Ho confirmed in the email. A spokesperson for Hostinger told Reuters in an email that a "bad actor performed a supply chain attack, during which traffic to the URL of the update file was redirected." Hostinger is working with Notepad++ and sharing all incident-related information, and has also published a blog to the company's website sharing what it can, the spokesperson said.  Cybersecurity firm Rapid7 attributed the hacking campaign to a Chinese-linked cyberespionage group tracked as Lotus Blossom in a blog post posted on Monday. Active since 2009, the group has historically targeted government, telecom, aviation, critical infrastructure and media sectors across Southeast Asia and, more recently, Central America, according to Rapid7. A spokesperson for the Chinese Embassy in Washington said: "China opposes and fights all forms of hacking in accordance with the law. We do not encourage, support or connive at cyber attacks. We reject the relevant parties' irresponsible assertion that the Chinese government sponsored hacking activity when it had not presented any factual evidence." The hacking group used its access to deliver a custom backdoor that could give it interactive control of infected computers, which could then be used as a foothold to steal data and target other computers, according to the analysis.  Kevin Beaumont, a cybersecurity researcher, said in a December 2, 2025, blog post that he was aware of three organizations with interests in East Asia which had security incidents potentially tied to Notepad++. (Reporting by AJ Vicens in Detroit; Editing by Matthew Lewis and Edmund Klamann)

(The article has been published through a syndicated feed. Except for the headline, the content has been published verbatim. Liability lies with original publisher.)