For the second half of 2025, Notepad++ users who ran the editor's built-in updater may have received malware instead of a software update. Developer Don Ho confirmed on Monday that Chinese state-sponsored hackers had compromised the infrastructure behind the text editor's update servers between June and December.
The attackers didn't hit everyone. They picked their targets carefully: organisations with business interests in East Asia. Security researcher Kevin Beaumont spoke with three victims who said the hackers had hands-on-keyboard access to their machines once the tainted update had run.
Rapid7, the security firm that investigated the breach, pinned it on Lotus Blossom. That's a Chinese espionage group with a history of going after government agencies, telecom firms, and media outlets.
How the attack worked
The hackers never modified the Notepad++ source code or its builds. They went after the hosting provider that served the updates instead.
Older versions of the Notepad++ updater did not properly verify what they downloaded, so they would install whatever the update server returned. That was the gap the attackers exploited. When a targeted user clicked "update", the request was quietly redirected to a server the attackers controlled, and what came back wasn't Notepad++. It was Chrysalis, a backdoor Rapid7 described as "feature-rich" and built for long-term access.
Here's where it gets messy. The hosting provider patched the server vulnerability the attackers had used to get in in September.
But by then the attackers already held login credentials for the provider's internal services, so they kept redirecting update traffic for another three months. The redirection wasn't fully shut off until December 2.
What users should do now
Ho has dumped his old hosting provider and moved to a new one. The Notepad++ updater now checks both the certificate and the signature of a downloaded installer before running it, so a redirected download that isn't a genuine, signed Notepad++ release is rejected. Version 8.9.2 will make these checks mandatory.
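The following Go program is an added example, not Notepad++'s own updater code (which, per the article, checks a certificate and signature on the installer; the Ed25519 manifest below is a hypothetical stand-in). It replays the attack path described under "How the attack worked" against the fix described in the paragraph above: constructed local servers play the redirecting update host, the attacker's server and an honest host; an old-style updater follows the redirect and accepts whatever comes back, while a hardened one pins the host and verifies a signature under a key compiled into the client. Payload strings, server URLs and the demo key are all constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-ins for installer bytes; none of this is real Notepad++ or Chrysalis code.
var (
	genuineInstaller = []byte("constructed stand-in for npp.8.9.1.Installer.x64.exe")
	backdoorPayload  = []byte("constructed stand-in for a trojanised installer")
)

// Release is a hypothetical signed manifest: the installer's SHA-256 plus the maintainer's signature over it.
type Release struct {
	SHA256 [sha256.Size]byte
	Sig    []byte
}

// SignRelease is the maintainer's offline step; the private key never lives on the download host.
func SignRelease(priv ed25519.PrivateKey, installer []byte) Release {
	sum := sha256.Sum256(installer)
	return Release{SHA256: sum, Sig: ed25519.Sign(priv, sum[:])}
}

// WeakUpdate models the pre-fix behaviour: fetch the URL, follow wherever it leads, run what comes back.
func WeakUpdate(downloadURL string) ([]byte, error) {
	resp, err := http.Get(downloadURL) // the default client follows redirects silently
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// HardenedUpdate refuses redirects off the pinned host and returns bytes only if their digest matches a
// manifest signed by the pinned key. The signature check is the decisive one: a compromised host can
// serve the backdoor itself, with no redirect to notice.
func HardenedUpdate(downloadURL, pinnedHost string, pub ed25519.PublicKey, rel Release) ([]byte, error) {
	client := &http.Client{CheckRedirect: func(req *http.Request, via []*http.Request) error {
		if req.URL.Host != pinnedHost {
			return fmt.Errorf("refusing redirect off pinned host to %q", req.URL.Host)
		}
		return nil
	}}
	resp, err := client.Get(downloadURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, rel.SHA256[:], rel.Sig) {
		return nil, fmt.Errorf("manifest signature does not verify under the pinned key")
	}
	if sha256.Sum256(body) != rel.SHA256 {
		return nil, fmt.Errorf("installer digest does not match the signed manifest")
	}
	return body, nil
}

// Outcome records what each updater did against the constructed servers.
type Outcome struct {
	WeakGotBackdoor bool  // old updater accepted the attacker's bytes (true expected)
	RedirectErr     error // hardened updater vs. host that redirects to the attacker (non-nil expected)
	DirectErr       error // hardened updater vs. pinned host serving the backdoor itself (non-nil expected)
	HonestErr       error // hardened updater vs. untampered host (nil expected)
}

func serve(payload []byte) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write(payload) }))
}

// RunScenario replays the attack: the update host answers with a 302 to the attacker's server.
func RunScenario() Outcome {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize)) // constructed demo key
	pub := priv.Public().(ed25519.PublicKey)                                       // would be compiled into the updater
	rel := SignRelease(priv, genuineInstaller)
	attacker, honest := serve(backdoorPayload), serve(genuineInstaller)
	defer attacker.Close()
	defer honest.Close()
	redirecting := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, attacker.URL+"/update.exe", http.StatusFound)
	}))
	defer redirecting.Close()
	got, _ := WeakUpdate(redirecting.URL + "/update.exe")
	_, redirectErr := HardenedUpdate(redirecting.URL+"/update.exe", redirecting.Listener.Addr().String(), pub, rel)
	_, directErr := HardenedUpdate(attacker.URL+"/update.exe", attacker.Listener.Addr().String(), pub, rel)
	_, honestErr := HardenedUpdate(honest.URL+"/update.exe", honest.Listener.Addr().String(), pub, rel)
	return Outcome{bytes.Equal(got, backdoorPayload), redirectErr, directErr, honestErr}
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Run it with `go run`: the redirect case fails inside CheckRedirect, the direct case fails at the digest comparison, and only the untampered host yields installer bytes. The second case is the one the article's timeline makes important: once the attackers held the hosting provider's credentials, the pinned host itself was serving the redirect, so host pinning and TLS alone would not have helped; only a signature that the hosting provider cannot forge does. A production manifest would also sign the version number so that a captured old but genuine release cannot be replayed as a downgrade.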
If you use Notepad++, download version 8.9.1 directly from the official website rather than trusting whatever copy is already on your machine, and check the installer's digital signature before running it. Enterprise admins might want to block the updater, gup.exe, from reaching the internet altogether and push vetted builds themselves.
The whole episode feels uncomfortably familiar. In 2020, Russian hackers compromised SolarWinds' build system and shipped a backdoored update under the vendor's own signature, ending up inside multiple US government agencies. The mechanism here was different (the Notepad++ attackers never touched the code, only the delivery path), but the lesson is the same: an update channel is only as trustworthy as the checks the client performs on what it downloads.