The Notepad++ problem began with the discovery that the IT infrastructure hosting Notepad++ had been compromised in June 2025 and that a custom backdoor had been installed in the application. In the highly targeted attack, traffic from certain users was selectively redirected to attacker-controlled servers through malicious updates. Researchers at Rapid7 believe a China-based group dubbed Lotus Blossom was behind the attack.
The now-former hosting provider believes the shared hosting server was compromised from June to September 2025. However, even after losing server access, the attackers retained credentials to internal services until December 2, 2025, allowing the continued redirection of Notepad++ update traffic. With the release of Notepad++ version 8.8.9 and its security hardening, all attacker access was terminated. Version 8.9.1 added further security improvements, and this week's version 8.9.2 introduced the double-lock process.
Lessons learned
“Developers must plan for adversaries who are patient, sophisticated, and selective,” Ho said. Infrastructure is part of your attack surface, he pointed out; even if your code is secure, a weak link in hosting, DNS, or a content delivery network (CDN) can undermine everything. “Continuous monitoring and strict credential hygiene are essential,” he said, and software developers must assume that partial compromise is possible and design applications and their delivery and update mechanisms for failure.
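One way to design an update path so that a compromised hosting server or redirected download cannot substitute its own installer, added here as an illustration and not code from Notepad++ or from the article: the client pins the vendor's Ed25519 public key, verifies a signed manifest, refuses rollbacks, and checks the installer's hash against the digest in the signed manifest. The manifest format, the function names and the version strings are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is a hypothetical signed descriptor published next to each installer.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // lowercase hex digest of the installer bytes
}

// newer reports whether dotted version a is strictly newer than b ("8.8.9" > "8.8.8").
func newer(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, _ := strconv.Atoi(as[i])
		y, _ := strconv.Atoi(bs[i])
		if x != y {
			return x > y
		}
	}
	return len(as) > len(bs)
}

// VerifyUpdate accepts an update only if the manifest is signed by the key pinned in the
// client, its version is newer than the installed one, and the installer hashes to the
// digest in the signed manifest; a host that only swaps the download cannot satisfy this.
func VerifyUpdate(pinned ed25519.PublicKey, manifest, sig, installer []byte, installed string) (string, error) {
	if !ed25519.Verify(pinned, manifest, sig) {
		return "", fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return "", err
	}
	if !newer(m.Version, installed) {
		return "", fmt.Errorf("version %s is not newer than installed %s", m.Version, installed)
	}
	got := sha256.Sum256(installer)
	if hex.EncodeToString(got[:]) != m.SHA256 {
		return "", fmt.Errorf("installer hash does not match signed manifest")
	}
	return m.Version, nil
}
```

VerifyUpdate is meant to run after both the manifest and the installer have been downloaded and before anything is executed, so a mismatch at any step leaves the installed version untouched.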