The Notepad++ incident began with the discovery that the IT infrastructure hosting Notepad++ had been compromised in June 2025 and that a custom backdoor had been inserted into the software. In the highly targeted attack, update traffic from certain users was selectively redirected to attacker-controlled servers that served the malicious updates. Researchers at Rapid7 believe a China-based group dubbed Lotus Blossom was behind the attack.
The now former hosting provider believes the shared hosting server was compromised from June to September 2025. However, even after losing server access, the attackers retained credentials to internal services until December 2, 2025, allowing the continued redirection of Notepad++ update traffic. With the release of Notepad++ version 8.8.9 and its security hardening, all attacker access was terminated. Version 8.9.1 added further security improvements, and this week's version 8.9.2 instituted the double-lock process.
Classes discovered
"Developers must plan for adversaries who are patient, sophisticated, and selective," Ho said. Infrastructure is part of your attack surface, he pointed out; even if your code is secure, a weak link in hosting, DNS, or a content delivery network (CDN) can undermine everything. "Continuous monitoring and strict credential hygiene are essential," he said, and software developers must assume that partial compromise is possible and design applications and their delivery and update mechanisms for failure.
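The point about designing update mechanisms for failure is worth making concrete. The following Go program is an added illustration written for this article; it is not Notepad++'s updater, and it does not describe the double-lock process or any other mechanism the project actually adopted. It assumes a hypothetical manifest format (version, SHA-256 of the installer, Ed25519 signature) signed with a release key that never lives on the web host, and a client that has the matching public key compiled in. Because the verification key is pinned in the client, a compromised or redirected hosting server cannot produce an update the client will accept: it can serve a different binary under the genuine manifest (hash mismatch) or a manifest signed with its own key (signature failure), and both are rejected. The installer bytes below are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor: the version string, the
// expected SHA-256 of the installer (hex), and an Ed25519 signature over
// those two fields made with the publisher's offline release key.
type Manifest struct {
	Version   string
	SHA256    string
	Signature []byte
}

// manifestBytes is the exact byte string that gets signed and verified.
func manifestBytes(version, sum string) []byte {
	return []byte("version=" + version + "\nsha256=" + sum + "\n")
}

// SignManifest runs on the publisher's release machine, never on the web host.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	hexSum := hex.EncodeToString(sum[:])
	return Manifest{
		Version:   version,
		SHA256:    hexSum,
		Signature: ed25519.Sign(priv, manifestBytes(version, hexSum)),
	}
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under pinned key")
	ErrHashMismatch = errors.New("installer hash does not match signed manifest")
)

// VerifyUpdate is the client side. pinned is compiled into the application, so
// whoever controls the download host (or redirects traffic away from it) still
// cannot mint an acceptable manifest. It fails closed: no valid signature and
// matching hash, no install.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m.Version, m.SHA256), m.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// Scenarios walks through an honest update and two hosting-compromise cases,
// returning the verification result of each so they can be checked.
func Scenarios() (genuine, swappedInstaller, forgedManifest error) {
	// Publisher's offline release key; the public half is pinned in the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed stand-in for the genuine installer bytes")
	backdoored := []byte("constructed stand-in for a backdoored installer")
	m := SignManifest(priv, "1.2.3", installer)

	// 1. Honest server: signature and hash both check out.
	genuine = VerifyUpdate(pub, m, installer)

	// 2. Redirected download: the real manifest is served, but the binary
	//    comes from an attacker-controlled server.
	swappedInstaller = VerifyUpdate(pub, m, backdoored)

	// 3. Attacker controls the manifest too and signs it with a key of their own.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignManifest(attackerPriv, "1.2.3", backdoored)
	forgedManifest = VerifyUpdate(pub, forged, backdoored)
	return
}

func main() {
	genuine, swapped, forged := Scenarios()
	fmt.Println("genuine update:   ", genuine)
	fmt.Println("swapped installer:", swapped)
	fmt.Println("forged manifest:  ", forged)
}
```

The design choice that matters is where the trust anchor lives: the hosting server, DNS and CDN only carry bytes, and nothing they can alter changes the key the client checks against. That is what turns a hosting compromise from a code-execution event into a failed update. A real implementation would also need a rollback check (reject a signed manifest whose version is older than the installed one) and a plan for rotating the pinned key, neither of which this illustration covers.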