Notepad++ Hijack Allegedly Involves Chinese State-Backed Hackers

Notepad++ update mechanism has been hijacked by hackers allegedly backed by the Chinese state. Is this true?

by Gilang Rahmatullah Akbar, published 03 February 2026, 07:10 PM

Liputan6.com, Jakarta - Notepad++ was reportedly hijacked by hackers suspected of being sponsored by the Chinese state, and the breach was disclosed on February 2, 2026.

Notepad++ developer Don Ho officially disclosed the breach on February 2, 2026, stating that the attack lasted from June to early December 2025.

Although investigations indicate the attack ended on November 10, the overall compromise period is estimated to have lasted until December 2, 2025, when all attacker access was definitively terminated.

Several independent security researchers assess that the threat actor is likely a Chinese state-sponsored group.

Chinese Advanced Persistent Threat (APT) groups such as Lotus Blossom (also known as Billbug, Thrip, and Raspberry Typhoon) and APT31 (aka Zirconium or Violet Typhoon) were identified as responsible.


How the Notepad++ Cyberattack Happened

The attack on Notepad++ began in June 2025 and persisted for several months, until all access to the software was finally terminated on December 2, 2025.

The official disclosure by Don Ho, the Notepad++ developer, on February 2, 2026, provided a full picture of the scale and duration of the incident, stating that the attack did not involve compromising the editor's source code itself, but rather the update delivery system.

The attackers were able to "intercept and redirect update traffic destined for notepad-plus-plus.org" to a malicious server they controlled.

The attack exploited a security flaw in the Notepad++ updater (WinGUP) in versions prior to 8.8.8, released in mid-November 2025: by targeting Notepad++ domains, the attackers took advantage of inadequate update verification controls.

Traffic from specific users was selectively redirected to a malicious update manifest controlled by the attacker.

The targeted organizations were telecommunications and financial services companies in East Asia, with the goal of spying on their activities and deploying various payloads, including a custom backdoor named "Chrysalis."


Alleged Involvement of Chinese State

Security researchers, including Kevin Beaumont and Rapid7, have linked this attack to a Chinese state-sponsored threat actor.

Groups such as Lotus Blossom (Billbug, Thrip, Raspberry Typhoon) and APT31 (Zirconium, Violet Typhoon) have been named as the masterminds behind these incidents.

APT31, for example, is widely known as a cyberespionage group operating on behalf of China's Ministry of State Security (MSS) and has conducted global intelligence gathering campaigns for over a decade.

These groups' primary motivation is to support China's strategic and national interests, including stealing intellectual property, monitoring foreign policy discussions, and gathering intelligence.


System Security Strengthening

In response to this incident, the Notepad++ website has been migrated to a new hosting provider with significantly stronger security practices.

The update process has also been strengthened, with certificate and signature verification being enforced starting with the upcoming version 8.9.2.

The version 8.8.9 update, released on December 9, 2025, has been "hardened" to verify the signature and certificate of the installer downloaded during the update process.
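A defender-side check in the spirit of that hardening, written as an added example and not WinGUP's or Notepad++'s own code: before an administrator runs an installer pulled down by any updater, confirm that its Authenticode signature is valid and that the signer is the expected publisher. The expected thumbprint is a placeholder, since the page does not give it.

```powershell
# Added example (not Notepad++/WinGUP code): verify a downloaded installer's
# Authenticode signature and pin the signer before running it.
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath,
    # PLACEHOLDER: replace with the publisher's real certificate thumbprint (not on this page).
    [string]$ExpectedThumbprint = 'REPLACE_WITH_EXPECTED_SIGNER_THUMBPRINT'
)

function Test-InstallerSignature {
    param([string]$Path, [string]$Thumbprint)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Ok = $false; Reason = "file not found: $Path" }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) is a failure:
    # a redirected update server can serve an unsigned or tampered installer.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "signature status: $($sig.Status) - $($sig.StatusMessage)" }
    }

    # A valid signature from the wrong signer is still a failure, so pin the signer.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $Thumbprint) {
        return [pscustomobject]@{ Ok = $false; Reason = "unexpected signer $($sig.SignerCertificate.Subject) ($actual)" }
    }

    # Record the file hash alongside the verdict so the decision can be audited later.
    return [pscustomobject]@{
        Ok     = $true
        Reason = "signed by $($sig.SignerCertificate.Subject)"
        Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$result = Test-InstallerSignature -Path $InstallerPath -Thumbprint $ExpectedThumbprint
if ($result.Ok) {
    Write-Output "OK: $($result.Reason); SHA256=$($result.Sha256)"
    exit 0
}
Write-Error "REFUSING to run installer: $($result.Reason)"
exit 1
```

Pinning the thumbprint (or at least the signer subject) is what distinguishes this from a bare "is it signed" check, which an attacker with any code-signing certificate would pass.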

Users are urged to immediately upgrade to the latest version as a precaution.

All remediation and security enhancements were completed by the hosting provider by December 2, 2025, successfully blocking further attacker activity.