Notepad++ update server hijacked in targeted attacks — outfit claims Chinese state-sponsored hackers may be to blame
Selective redirection of update requests exposed some users to malicious installers.
The Notepad++ project yesterday disclosed that its update server was covertly hijacked in a targeted supply chain attack that began in June 2025, exposing a subset of users to malicious installers delivered through the editor’s built-in updater. According to Notepad++, attackers — which it claims were "likely a Chinese state-sponsored group" — gained the ability to selectively redirect update requests from specific users to attacker-controlled servers. Those victims were then served with a manipulated update manifest that pointed to a trojanized installer instead of the legitimate release.
Notepad++ says that this was “targeted”, with users “selectively redirected” to these attacker-controlled update manifests. As a result, users who manually downloaded installers from the official website were not affected, and most update requests continued to resolve normally. It appears the attackers intercepted traffic at the hosting layer used by the update service, which let them pick targets in real time.
According to the shared hosting provider Notepad++ used at the time (which was itself compromised and has since been dropped), the shared server hosting “getDownloadUrl.php” was compromised until September 2, at which point scheduled kernel and firmware updates removed the attackers’ direct access.
However, the provider said that the attackers retained credentials for internal services on the server until December 2, allowing them to continue redirecting some update traffic even after the initial compromise had been remediated. The hosting provider also said that the attackers specifically targeted the Notepad++ domain and showed no interest in other customers on the same server.
Backing up Notepad++'s claims, the attack has since been linked to a long-running Chinese espionage group, Lotus Blossom, by Rapid7. Active since 2009, the group has been linked to attacks on government, telecom, media, and aviation across Southeast Asia and Central America. “Our investigation identified a security incident stemming from a sophisticated compromise of the infrastructure hosting Notepad++, which was subsequently used to deliver a previously undocumented custom backdoor,” Rapid7’s report says.
Notepad++ has since introduced stricter validation checks that verify both the digital signature and certificate of downloaded installers, preventing updates from proceeding if verification fails. Users who downloaded installers directly from its official website were not affected by the compromised redirect, while those who rely on the built-in updater can upgrade to the latest release to pick up the stricter verification flow for future updates.
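The kind of check described above, as an added example for administrators who stage installers themselves (this is not Notepad++'s own updater code): verify the Authenticode signature and pin the expected signer before the file is allowed to run. The expected subject and thumbprint are placeholders; take the real values from a known-good installer obtained out of band.

```powershell
# Added example, not Notepad++ project code: verify an installer's Authenticode
# signature and pin the expected signing certificate before deploying it.
param(
    [Parameter(Mandatory)] [string]$InstallerPath,
    # Placeholders: fill in from a known-good installer verified out of band.
    [string]$ExpectedSubject    = 'CN=<EXPECTED-SIGNER-SUBJECT>',
    [string]$ExpectedThumbprint = '<EXPECTED-SIGNER-THUMBPRINT>'
)

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

# Status must be Valid: the file hash matches the signature and the
# certificate chains to a trusted root. Anything else is rejected.
if ($sig.Status -ne 'Valid') {
    Write-Error "Signature check failed for $InstallerPath`: $($sig.Status) - $($sig.StatusMessage)"
    exit 1
}

# A valid signature alone is not enough: a binary signed with any trusted
# certificate would pass. Pin the signer so a differently-signed file fails.
$cert = $sig.SignerCertificate
if ($cert.Subject -ne $ExpectedSubject -or $cert.Thumbprint -ne $ExpectedThumbprint) {
    Write-Error "Unexpected signer for $InstallerPath`: $($cert.Subject) ($($cert.Thumbprint))"
    exit 1
}

Write-Output "Signature valid and signer pinned; $InstallerPath may be deployed."
exit 0
```

A non-zero exit code here is the signal for a deployment pipeline to quarantine the file and raise an alert rather than install it.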

Luke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.