Notepad++ and security researchers say Chinese state-sponsored threat actors were likely behind the hijacking of its update traffic from June to December 2025
Chinese state-sponsored threat actors were likely behind the hijacking of Notepad++ update traffic last year that lasted for almost half a year …
BleepingComputer · Bill Toulas
Related Coverage
- The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit Rapid7 · Ivan Feigl
- Notepad++ says Chinese government hackers hijacked its software updates for months TechCrunch · Zack Whittaker
- Notepad++ Hijacked by State-Sponsored Hackers Notepad++
- Notepad++ updates got hijacked for months and could have spied for China The Verge · Stevie Bonifield
- The Notepad++ supply chain attack — unnoticed execution chains and new IoCs Securelist
- Notepad++ update service hijacked in targeted state-linked attack The Register · Richard Speed
- When A Hosting Provider Becomes A Hostile Provider: The Notepad++ Compromise Forrester · Jeff Pollard
- Notepad++ has allegedly been spying on “targeted users” after a malicious update got in XDA Developers · Simon Batt
- At the end of 2025 I moved from the Rapid7 MDR to its Labs team and got the best welcome gift I could ask for, the chance to take part … Ivan Feigl
- Rapid7 Labs and the #MDR team uncovered a stealthy intrusion chain linked to Lotus Blossom (Billbug), where Notepad++ infrastructure was abused … Christiaan Beek
- Notepad++ have today confirmed their auto process was compromised by Chinese nation state threat actors, in a supply chain hack: https://notepad-plus-plus.org/ ... This backs up my blog from late last year, with #GAYINT threat actor mapping to Funky Stamen. — The infrastructure and update mechanisms have since been tightened. … @GossiTheDog@cyberplace.social · Kevin Beaumont
- Notepad++ hijacked by state-sponsored actors Hacker News
- Notepad++ Hijacked by State-Sponsored Hackers Lobsters
- Notepad++ Compromised By State Actor Slashdot · Msmash
- Notepad++ update server hijacked in targeted attacks — outfit claims Chinese state-sponsored hackers may be to blame Tom's Hardware · Luke James
- Notepad++ compromised - here's what happened, and how to protect your PC Pureinfotech · Mauro Huculak
- Notepad++ backdoored for months by China-linked attackers The Stack · Noah Bovenizer
Discussion
- @vxunderground on x: Chat, no big deal. It turns out Notepad++ was compromised at the infrastructure level and if you downloaded or updated Notepad++ after September, 2025 or before December, 2025, an unknown state-sponsored actor has compromised your machine. https://notepad-plus-plus.org/ ...
- @uk_daniel_card on x: interesting.... people use notepad++ because it has features they need/want. hanging enterprise environments isn't simple. people on the internet massively oversimplify things....
- @c2iris on x: Interesting. A good reminder that you probably want to uninstall applications that you don't really need. Especially if they have the ability to auto update.
- @officialwhyte22 (Winston Ighodaro) on x: This is bad because the compromise didn't happen inside Notepad++ itself. The attackers went after the infrastructure that delivers updates, which means the trust model was broken, not the code. Users could do everything right and still be exposed. Once update traffic is
- @pikuma on x: Look, we all look the other way as the Chinese steal wood & minerals from Brazilian land and annihilate most fish species from the Chilean Pacific coastline... but Notepad++? This is where I draw the line! 😠
- @apkramar (Alex Kramar) on x: “Never update any software ever” chads rack up another W.
- @cyb3rops (Florian Roth) on x: For convenience: I wrote a small collector that pulls all SHA-256, SHA-1 and MD5 hashes from Notepad++ releases and compiles them into big CSV + JSON files. Use it to check if any Notepad++ installs in your org match known-good release hashes - and spot weird/malicious outliers [i…
- @johnhultquist (John Hultquist) on x: Notepad++ compromised in supply chain attack from June to December 2025 by “likely Chinese state-sponsored actor”. There has been a rash of supply chain incidents over the last couple of years as these guys try to leapfrog into hard targets. https://notepad-plus-plus.org/ ...
- @cyb3rops (Florian Roth) on x: Yes, it's basically this #NotepadPlusPlusCompromise [image]
- @blackroomsec on x: Oh no. I'm a little confused as to which versions are affected so if anyone can find it, please let me know. I have to let 42,000 people know what to do. 🤦‍♀️ Thanks for the wake up call, Florian!!! 😜
- @cyb3rops (Florian Roth) on x: This is bad. Putty level bad. https://notepad-plus-plus.org/ ... [image]
- @gi7w0rm on x: Popular Text Editor Notepad++ was compromised by a nation state attacker presumably from June through December 2, 2025. The state actor used the access to reroute software update traffic to attacker controlled servers making this a supply chain attack. https://notepad-plus-plus.o…
- @lcamtuf on x: The dark side of auto-updates: https://notepad-plus-plus.org/ ... Don't get me wrong, they are *essential* for some software, but the pendulum might have swung too far, adding risk where little risk existed before.
- @uk_daniel_card on x: Notepad plus plus appears to have at some point been compromised: https://notepad-plus-plus.org/ ...
- @uk_daniel_card on x: ‘The incident began from June 2025. Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign.’ #NotepadPlusPlus #Notepad #Compromised […
- @adelpreore on bluesky: Good thing we got rid of our cybersecurity agencies in this country. — I'm going to go out on a limb and say probably 90% of developers have this application installed. — techcrunch.com/2026/02/02/n...
- @evacide on bluesky: Notepad++ publishes a blog post saying they caught a probably-Chinese state actor hijacking their product in an attack against highly-selective targets that began last June: notepad-plus-plus.org/news/hijacke...
- @jsstaedtler@mastodon.art (Johann Sebastian Staedtler) on mastodon: RE: https://infosec.exchange/... In brief, the recommendation is to download the complete installer for Notepad++ version 8.9.1 and run it to replace whatever version you currently have installed. The built-in auto-updater will have new security enhancements to prevent any more…
- r/worldnews on reddit: Notepad++ says Chinese government hackers hijacked its software updates for months
- r/homelab on reddit: Check if you're using Notepad++ version 8.8.8, you might be running a compromised version.
- r/technews on reddit: Notepad++ update traffic feature hijacked by Chinese state-sponsored hackers in 2025 lasted for almost half a year, the developer states in an official announcement.
- r/sysadmin on reddit: Notepad++ Hijacked by State-Sponsored Hackers
- r/cybersecurity on reddit: First research with IOCs on the Notepad++ hack is now out
- r/pcmasterrace on reddit: Notepad++ Hijacked by State-Sponsored Hackers (likely a Chinese state-sponsored group)
- r/theprimeagen on reddit: Notepad++ hijacked by state-sponsored actors
- r/Mogong on reddit: This is an incident serious enough that Notepad++ users should stop using it.
- r/homeassistant on reddit: Check if you're using Notepad++ version 8.8.8, you might be running a compromised version.
- r/dcsworld on reddit: Notepad++ Hijacked by State-Sponsored Hackers (likely a Chinese state-sponsored group)