The popular Notepad++ code editing software was compromised by a Chinese-linked cyberespionage group, which hijacked its software update system to deliver malware to select users, the program's developer and security researchers recently confirmed.

According to the developer, Don Ho, hackers gained access to the server used to deliver software updates from June 2025 until early September 2025. They maintained some credentials until December. The attack was selective, meaning not all users updating the software during that period received a malicious download.

Cybersecurity firm Rapid7 has attributed the hacking campaign to a Chinese-linked group it tracks as Lotus Blossom, which has been active since 2009, according to a report by Reuters on the matter. The group is believed to have delivered a custom backdoor through the hijacked updates, giving it control of infected computers.

As per the report, the hosting provider, Hostinger, stated that a "bad actor performed a supply chain attack, during which traffic to the URL of the update file was redirected." A US cybersecurity agency said it is investigating potential exposure across the US government.

A spokesperson for the Chinese Embassy in Washington rejected the allegations, stating China "opposes and fights all forms of hacking" and that no factual evidence had been presented, adds the Reuters report.

The developer said he does not know how many users were affected, but independent researchers have noted at least three organisations with interests in East Asia may have been targeted through this incident.