The Notepad++ problem began with the discovery that the IT infrastructure hosting Notepad++ had been compromised in June 2025 and that a custom backdoor had been installed in the application. In the highly targeted attack, traffic from certain users was selectively redirected to attacker-controlled servers by the malicious updates. Researchers at Rapid7 believe a China-based group dubbed Lotus Blossom was behind the attack.
The now-former hosting provider believes the shared hosting server was compromised from June to September of 2025. However, even after losing server access, the attackers retained credentials to internal services until December 2, 2025, which allowed the continued redirection of Notepad++ update traffic. With the release of Notepad++ version 8.8.9 and the accompanying security hardening, all attacker access was terminated. Version 8.9.1 added further security enhancements, and this week’s version 8.9.2 instituted the double-lock process.
Lessons learned
“Developers must plan for adversaries who are patient, sophisticated, and selective,” Ho said. Infrastructure is part of your attack surface, he pointed out; even if your code is secure, a weak link in hosting, DNS, or a content delivery network (CDN) can undermine everything. “Continuous monitoring and strict credential hygiene are essential,” he said, and application developers must assume that partial compromise is possible and design applications and their delivery and update mechanisms for failure.
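One way to design an update path so that a compromised host, DNS entry or CDN cannot substitute a package is shown below as an added example; it is not code from Notepad++ or from this article, and the Ed25519 manifest format, key names and sample installer bytes are my own construction. The publisher signs a small version manifest offline, and the client verifies that manifest against a key pinned in the application before it trusts the installer hash:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the small record the publisher signs offline: the version and
// the SHA-256 of the exact installer bytes that version should consist of.
type Manifest struct{ Version, SHA256Hex string }

func (m Manifest) bytes() []byte { return []byte(m.Version + "\n" + m.SHA256Hex) }

// SignManifest is the publisher side; the private key never lives on the web host.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate is the client side. pinnedPub is compiled into the application, so
// a host serving a different manifest, signature or installer is rejected.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinnedPub, m.bytes(), sig) {
		return errors.New("manifest signature does not verify against pinned key")
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return errors.New("installer bytes do not match the signed hash")
	}
	return nil
}

// Demo plays both roles on constructed data: genuine update, installer swapped on
// the host, and manifest re-signed with an attacker's own key. Only the first is nil.
func Demo() (genuine, swapped, forged error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer bytes for 8.8.9")
	sum := sha256.Sum256(installer)
	m := Manifest{Version: "8.8.9", SHA256Hex: hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	genuine = VerifyUpdate(pub, m, sig, installer)
	swapped = VerifyUpdate(pub, m, sig, []byte("constructed tampered bytes"))
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged = VerifyUpdate(pub, m, SignManifest(attackerPriv, m), installer)
	return
}

func main() { g, s, f := Demo(); fmt.Println("genuine:", g, "| swapped:", s, "| forged:", f) }
```

Because the client trusts only the pinned key and the hash inside the signed manifest, redirecting the download to another server gains an attacker nothing unless the signing key itself is stolen, which is why that key belongs on an offline machine rather than on the hosting provider.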
