Notepad++ says Chinese government hackers hijacked its software updates for months


The developer of the popular open source text editor Notepad++ has confirmed that hackers hijacked the software to deliver malicious updates to users over several months of 2025.

In a blog post published on Monday, Notepad++ developer Don Ho said the cyberattack was likely carried out by hackers associated with the Chinese government between June and December 2025, citing multiple analyses by security experts who examined the malware payloads and attack patterns. Ho said this pointed to “the most selective targeting” seen during the campaign.

Rapid7, which is investigating the incident, attributed the hacking to Lotus Blossom, a longtime espionage group known to work for China, and said the hacks targeted the government, telecom, aviation, critical infrastructure, and media sectors.

Notepad++ is one of the longest-running open source projects, spanning more than two decades, and it counts at least tens of millions of downloads to date, including by employees of organizations around the world.

According to Kevin Beaumont, a security researcher who first discovered the cyberattack and wrote up his findings in December, hackers compromised a small number of organizations “with interests in East Asia” after someone inadvertently installed a tainted version of the popular software. Beaumont said the hackers were able to gain “hands-on” access to victims’ computers running hijacked versions of Notepad++.

Ho said the “exact technical mechanism” of how the hackers infiltrated his servers remains under investigation, and gave few details on how the attack was carried out.

In the blog, Ho said that the Notepad++ website is hosted on a shared hosting server. The attackers “specifically targeted” the Notepad++ web domain, exploiting a bug in the software to redirect some users to a malicious server run by the hackers. This allowed the hackers to deliver malicious updates to certain users who requested a software update, until the bug was fixed in November and the hackers’ access was cut off in early December.
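The attack described above hinged on two things an update client can defend against on its own: the server it asked was allowed to redirect it somewhere else, and the bytes it received were trusted because of where they came from. The following is an added example, not code from Notepad++ or from the article, of an updater-side check that refuses redirects leaving the pinned HTTPS origin and verifies the downloaded file against a pinned SHA-256 digest before it is used. The update URL, the installer bytes and the digest are constructed placeholders; in a real client the digest would come from a separately signed manifest rather than being hard-coded.

```python
import hashlib
import hmac
from urllib.parse import urljoin, urlparse

# Constructed values for this example only; neither the update host nor the
# digest is from the Notepad++ project or the incident described in the article.
UPDATE_URL = "https://updates.example.org/latest/installer.exe"
GOOD_PAYLOAD = b"constructed installer bytes"
EXPECTED_SHA256 = hashlib.sha256(GOOD_PAYLOAD).hexdigest()  # from a signed manifest in practice


def _origin(url: str):
    """Return (scheme, host, port) so two URLs can be compared as origins."""
    p = urlparse(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)


def is_safe_redirect(current_url: str, location: str) -> bool:
    """Accept a redirect only if it stays on the same HTTPS origin as the request.

    A redirect to another host, or a downgrade to plain HTTP, is exactly how a
    hijacked update endpoint hands the client a payload from a server the
    attacker controls.
    """
    target = urljoin(current_url, location)  # Location headers may be relative
    if urlparse(target).scheme != "https":
        return False
    return _origin(target) == _origin(current_url)


def verify_digest(payload: bytes, expected_sha256: str) -> bool:
    """Integrity check that does not depend on where the bytes were fetched from."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def evaluate_update(start_url: str, redirect_chain, payload: bytes, expected_sha256: str) -> str:
    """Simulate an updater walking the server's redirects and then checking the file.

    redirect_chain is the sequence of Location headers the client received.
    Returns "accepted" or a string starting with "rejected:".
    """
    current = start_url
    for location in redirect_chain:
        if not is_safe_redirect(current, location):
            return f"rejected: redirect to {location} leaves the pinned origin"
        current = urljoin(current, location)
    if not verify_digest(payload, expected_sha256):
        return "rejected: payload digest does not match the pinned value"
    return "accepted"


if __name__ == "__main__":
    # Same-origin relative redirect plus the expected bytes: accepted.
    print(evaluate_update(UPDATE_URL, ["/mirror/installer.exe"], GOOD_PAYLOAD, EXPECTED_SHA256))
    # Redirect to a different host (placeholder domain): rejected before anything is downloaded.
    print(evaluate_update(UPDATE_URL, ["https://attacker.invalid/installer.exe"], GOOD_PAYLOAD, EXPECTED_SHA256))
    # Right origin but swapped bytes: rejected by the digest check.
    print(evaluate_update(UPDATE_URL, [], b"tampered bytes", EXPECTED_SHA256))
```

The two checks are independent on purpose: origin pinning stops the client from ever fetching from the redirected host, and the digest comparison catches a swapped payload even when the transport looked correct, which is the case that matters when the legitimate server itself has been compromised.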

“We have logs indicating that the bad actor tried to re-exploit one of the specific vulnerabilities; however, the attempt failed after the fix was implemented,” Ho wrote.

In an email, Ho told TechCrunch that his hosting provider confirmed that his shared server had been compromised, but the provider did not say how the hackers initially got in.

Ho apologized for the incident and urged users to download the latest version of his software, which includes a fix for the bug.

The cyberattack that targeted Notepad++ users is somewhat reminiscent of the 2019-2020 cyberattack that affected customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations, including government departments. Russian government spies hacked the company’s servers and secretly installed a backdoor in its software, allowing them to access data on customers’ networks once the update was rolled out.

The SolarWinds breach affected multiple government agencies, including Homeland Security and the Departments of Commerce, Energy, Justice, and State.

Updated with a response from Ho and with more details from Rapid7.
