Notepad++ Supply Chain Hack Conducted by China via Hosting Provider

The likely state-sponsored threat actor had access to the hosting provider for months and targeted only certain Notepad++ customers. The post Notepad++ Supply Chain Hack Conducted by China via Hosting Provider appeared first on SecurityWeek.

Notepad++ hijack

Notepad++ on Monday shared additional details on the supply chain attack that came to light in December 2025, saying that a threat actor likely sponsored by the Chinese government targeted some customers through its hosting provider.

News of the incident broke after Notepad++ released updates designed to prevent the free source code editor’s updater from being hijacked. 

Security researcher Kevin Beaumont reported in early December that a handful of organizations using Notepad++ had been targeted with malicious software updates. 

The researcher said at the time that China-linked hackers had exploited Notepad++ to gain initial access to the systems of telecoms and financial services firms in East Asia. 

Notepad++ creator and maintainer Don Ho has now made public the results of an investigation conducted in collaboration with external security experts and the shared hosting provider whose services had been used at the time of the attack.

“According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org,” Ho explained.  

He added, “The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled servers hosting malicious update manifests.”

“Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign,” Ho noted.

Information collected during the hosting provider’s investigation revealed that the attackers specifically targeted Notepad++ to intercept its users’ traffic. The provider found no evidence that other customers on the shared server were targeted.

The attack appears to have started in June 2025 and the hosting firm determined that the server targeted by the hackers was compromised until September 2, when the system underwent scheduled maintenance and its kernel and firmware were updated.

Nevertheless, credentials obtained by the attackers before September allowed them to maintain access to the hosting provider’s internal services until December 2. During this time frame the threat actor was able to direct traffic going to Notepad++ update servers to its own servers to deliver malware.

Notepad++ has since migrated to a new hosting provider and implemented client-side changes to verify update integrity.
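The client-side integrity check mentioned above is the control that defeats a hosting-level redirect of this kind: an attacker who can steer update traffic to their own server can serve any manifest and payload they like, but cannot sign it with a key they do not hold. The following is an added example, not Notepad++'s own updater code; it models the check in Go with a publisher key pinned in the client, and the manifest fields and sample values are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Manifest is a constructed update manifest; the field names are assumptions,
// not Notepad++'s real format. The client trusts only what the signature covers.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest of the update payload
}

// HexSHA256 returns the lowercase hex SHA-256 digest of data.
func HexSHA256(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the publisher's offline step: serialize and sign the manifest.
// The private key never touches the hosting provider, so a compromised host
// cannot produce a valid signature over a substituted manifest.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the client's check. The pinned key ships inside the program, so
// redirected traffic can swap manifest and payload but not forge the signature;
// a swapped payload alone is caught by the digest the signed manifest commits to.
func VerifyUpdate(pinned ed25519.PublicKey, manifestJSON, sig, payload []byte) (*Manifest, error) {
	if !ed25519.Verify(pinned, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid: update rejected")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	if HexSHA256(payload) != m.SHA256 {
		return nil, errors.New("payload digest mismatch: update rejected")
	}
	return &m, nil
}
```

Transport security alone does not give this property: a TLS certificate obtained by whoever controls the hosting account still presents a valid origin, whereas the pinned signing key is independent of the infrastructure that serves the files.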

UPDATE: Rapid7 has published a technical analysis of the attack, attributing the operation to Lotus Blossom, a China-linked cyberespionage group that has been around for well over a decade. The custom malware delivered in the attack is named Chrysalis.
