Notepad++ says Chinese government hackers hijacked its software updates for months

The developer of the popular open source text editor Notepad++ has confirmed that hackers hijacked the software to deliver malicious updates to users over the course of several months in 2025.

In a blog post published Monday, Notepad++ developer Don Ho said that the cyberattack was likely carried out by hackers associated with the Chinese government between June and December 2025, citing multiple analyses by security experts who examined the malware payloads and attack patterns. Ho said this “would clarify the extremely selective focusing on” seen during the campaign.

Ho did not say how many users were targeted or how many were compromised, if known, and did not respond to questions by the time of publication. (If we hear back, we will update.)

Notepad++ is one of the longest-running open source projects, spanning more than twenty years, and it counts at least tens of hundreds of thousands of downloads to date, including by staff at organizations around the world.

According to Kevin Beaumont, a security researcher who first discovered the cyberattack and wrote up his findings in December, the hackers compromised a small number of organizations “with pursuits in East Asia” after someone unwittingly used a tainted version of the popular software. Beaumont said that the hackers were able to gain “hands-on” access to the computers of victims who were running hijacked versions of Notepad++.

Ho said that the “precise technical mechanism” of how the hackers broke into his servers remains under investigation, but provided some details as to how the attack went down.

In the blog, Ho said that Notepad++’s website was hosted on a shared hosting server. The attackers “particularly focused” Notepad++’s web domain with the goal of exploiting a bug in the software to redirect some users to a malicious server run by the hackers. This allowed the hackers to deliver malicious updates to certain users who had requested a software update, until the bug was fixed in November and the hackers’ access was terminated in early December.

“We do have logs indicating that the dangerous actor tried to re-exploit one of many mounted vulnerabilities; nevertheless, the try didn’t succeed after the repair was carried out,” wrote Ho. 

Ho apologized for the incident, and urged users to download the latest version of his software, which contains a fix for the bug.

The cyberattack targeting Notepad++ users is somewhat reminiscent of the 2019-2020 cyberattack affecting customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations, including government departments. Russian government hackers broke into the company’s servers and secretly planted a backdoor in its software, allowing the Russian spies to access data on those customers’ networks once the update had rolled out.

The SolarWinds breach affected several government agencies, including Homeland Security and the Departments of Commerce, Energy, Justice, and State.

Updated with a response from Ho.
