
A widely used open-source coding application was targeted in a supply-chain attack linked to Chinese actors.

Published On Tue, 03 Feb 2026
Aditya Joshi

A cyberespionage group linked to China exploited the software update mechanism of the widely used code editor Notepad++ to distribute a tailored backdoor and other malware to specific users, according to the application’s developer and cybersecurity researchers on Monday (Feb 2).

Don Ho, the France-based creator of Notepad++, wrote on the project’s website that malicious actors began targeting the update system for a limited set of users in June 2025. He stated that the attackers had access to the update hosting server until Sept 2, 2025, and retained credentials for certain hosting services until Dec 2, 2025.

The exact number and identities of affected users remain unknown. Ho said he could not determine how many malicious updates were downloaded but emphasized that the operation was highly targeted, with only selected users receiving compromised updates rather than the entire user base. A representative from the Cybersecurity and Infrastructure Security Agency confirmed that the agency is aware of the incident and is examining whether any US government systems were exposed.

Ho’s blog included a statement from the hosting provider indicating that the update server may have been compromised and that the attackers specifically focused on the Notepad++ domain. Domain records show the service was hosted by a Lithuanian provider until Jan 21, which Ho confirmed. The hosting company did not respond to requests for comment.

Security firm Rapid7 linked the attack to a Chinese-affiliated hacking group known as Lotus Blossom. The group has been active since 2009 and has previously targeted sectors such as government, telecommunications, aviation, critical infrastructure, and media, primarily in Southeast Asia and more recently in Central America.

A spokesperson for the Chinese Embassy in Washington denied any involvement, stating that China opposes all forms of hacking and rejecting claims of state-sponsored cyberattacks without concrete evidence.

According to researchers, the attackers used the compromised update process to install a custom backdoor, allowing remote control of infected systems. This access could be used to steal information and launch further attacks. Cybersecurity researcher Kevin Beaumont reported in December 2025 that at least three organizations with interests in East Asia experienced incidents potentially linked to the Notepad++ compromise.

Disclaimer: This image is taken from Reuters.