Notepad++, one of open-source’s most well known text editors, has confirmed that attackers have taken control of its software updates. These suspects are suspected to be operatives of the Chinese government. This cyberattack, which occurred between June and December 2025, targeted users of the application, compromising the integrity of updates delivered to them. The attack has heightened fears about the security practices of the software tools that are part of our every day lives.
Developed by Don Ho, Notepad++ has been a staple for programmers and employees across various organizations for over two decades. With over 50 million downloads so far, SAC’s popularity can be attributed to its intuitive user interface and powerful capabilities. Yet this latest breach shows that vulnerabilities are possible even in the most thoroughly baked software.
The attack was later linked to a shared hosting server on which Notepad++’s website was hosted. Ho says the hosting provider told them that hackers had previously compromised the server, enabling hackers to backdoor software updates. This breach allowed attackers to deliver malicious updates to a subset of users who had made requests for perfectly valid software updates.
In December 2025, security researcher Kevin Beaumont first made public the details of the cyberattack. He found it as a side effect while tracing some suspicious activity around Notepad++. Instead, the project’s findings showed a deeply disturbing pattern of selective targeting. This discovery led to a second, deeper look at the updates that were being provided.
“This would explain the highly selective targeting,” – Don Ho
The breach continued for over four months, in which time several hundred thousand users were completely unaware as they received tainted updates. The purpose of the malicious software was to exploit as many vulnerabilities as possible on systems where it was installed. The implications of such an attack are dire. This poses a particular embarrassment given how Notepad++ is extensively utilized across professional environments internationally.
Following the breach, Ho and his team met with every department to fix what went wrong. The patch, released in early November 2025, corrected the vulnerabilities that had been used to compromise the system. As of early December 2025, we were able to formally end the hackers’ access. Now, this move just about killed their ability to bring us one last nefarious dispatch.
The effects of this attack are broader than just Notepad++. It should act as a reminder to consider the need for strong cybersecurity practices for all software providers and consumers. As more people and businesses depend on open-source tools to get through their day, securing those tools will be job one.