Chinese government-linked hackers hijacked the update mechanism of Notepad++, one of the world's most popular open-source text editors, delivering malicious software to targeted users for six months. The supply chain attack, which ran from June through December 2025, represents a significant escalation in nation-state cyber operations targeting developer tools. With tens of millions of downloads globally, the breach raises urgent questions about open-source security and the vulnerability of critical development infrastructure.
A sophisticated supply chain attack has shaken the open-source community. Notepad++, the beloved text editor used by millions of developers worldwide, just confirmed that Chinese government hackers infiltrated its update mechanism and delivered tainted software to carefully selected targets for half a year.
Developer Don Ho broke the news Monday in a security advisory that detailed how attackers weaponized his two-decade-old project between June and December 2025. The admission comes after security researcher Kevin Beaumont first spotted the intrusion in December, observing suspicious activity affecting organizations with East Asian interests.
"The cyberattack was likely carried out by hackers associated with the Chinese government," Ho wrote, citing analysis from security experts. "This would explain the highly selective targeting" that characterized the campaign. The precision of the attack stands out: rather than carpet-bombing all users, the hackers carefully chose their victims, suggesting intelligence gathering rather than ransomware or crypto-mining motivations.
The technical execution reveals sophisticated tradecraft. Attackers didn't compromise Notepad++'s source code directly. Instead, they exploited a vulnerability in the shared hosting server where the project's website lived. By targeting Notepad++'s web domain specifically, they could redirect certain users requesting software updates to attacker-controlled servers. Those unlucky enough to hit the malicious endpoint received compromised versions of the software that gave hackers "hands-on" access to their machines.
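For defenders, the redirect described above leaves a recognizable pattern in web proxy logs: a client checks the project's domain for an update, then fetches an installer from a host that is not one of the project's known download locations. The sketch below is an added example, not code from Notepad++ or from the advisory; the hostnames, the log format and the sample lines are all constructed placeholders.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumptions (not from the article): placeholder hostnames and a simplified
# proxy log format "<ISO time> <client> <method> <url> <status>".
UPDATE_CHECK_HOST = "editor.example"            # where the updater asks for updates
TRUSTED_DOWNLOAD_HOSTS = {"editor.example", "releases.editor.example"}
INSTALLER_SUFFIXES = (".exe", ".msi")
WINDOW = timedelta(seconds=60)                  # check -> download correlation window

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2000-01-01T09:00:00 10.0.0.5 GET https://editor.example/update/check?v=1.0 200
2000-01-01T09:00:02 10.0.0.5 GET https://releases.editor.example/v1.1/setup.exe 200
2000-01-01T09:05:00 10.0.0.9 GET https://editor.example/update/check?v=1.0 200
2000-01-01T09:05:03 10.0.0.9 GET https://cdn.unknown.example/v1.1/setup.exe 200
2000-01-01T09:30:00 10.0.0.7 GET https://tools.other.example/util.exe 200
"""

def parse(line):
    """Split one log line into (time, client, host, lower-cased path)."""
    ts, client, _method, url, _status = line.split()
    parts = urlsplit(url)
    return datetime.fromisoformat(ts), client, parts.hostname, parts.path.lower()

def find_redirected_updates(log_text):
    """Return (client, host, time) for installer downloads from an untrusted
    host that closely follow that same client's update check."""
    last_check = {}     # client -> time of its most recent update check
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = parse(line)
        if host == UPDATE_CHECK_HOST and path.startswith("/update/"):
            last_check[client] = ts
            continue
        checked = last_check.get(client)
        if (checked is not None and ts - checked <= WINDOW
                and path.endswith(INSTALLER_SUFFIXES)
                and host not in TRUSTED_DOWNLOAD_HOSTS):
            findings.append((client, host, ts.isoformat()))
    return findings

if __name__ == "__main__":
    for finding in find_redirected_updates(SAMPLE_LOG):
        print(finding)
```

Because only selected users were redirected, the correlation is kept per client: most machines in the same log will show a clean update check followed by a download from a trusted host.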











