Notepad++ Supply Chain Attack Linked to Chinese State-Sponsored Hackers
In December 2025, Notepad++ disclosed further details about a supply chain attack targeting its users, revealing that a China-linked threat actor likely compromised its hosting provider to distribute malicious updates. The incident, first reported by security researcher Kevin Beaumont, involved hackers exploiting the software’s updater to gain access to systems within telecom and financial firms in East Asia.
An investigation led by Notepad++ creator Don Ho, alongside external security experts and the hosting provider, determined that the attack stemmed from an infrastructure-level breach. Rather than exploiting vulnerabilities in Notepad++’s code, the attackers intercepted and redirected update traffic by compromising the hosting provider’s systems. Select users were rerouted to attacker-controlled servers, which delivered malware-laced update manifests.
The attack began in June 2025, with the hosting provider’s server remaining compromised until September 2, when maintenance and firmware updates were applied. However, stolen credentials allowed the threat actor to retain access to internal services until December 2, enabling continued traffic redirection. The hosting provider confirmed that only Notepad++ customers were targeted, with no evidence of broader compromise.
Multiple security researchers attributed the campaign to a Chinese state-sponsored group, citing the highly selective targeting. Notepad++ has since migrated to a new hosting provider and implemented client-side measures to verify update integrity. The incident follows other recent supply chain attacks, including those affecting eScan Antivirus and EmEditor.
Source: https://www.securityweek.com/notepad-supply-chain-hack-conducted-by-china-via-hosting-provider/
Notepad++ cybersecurity rating report: https://www.rankiteo.com/company/notepad-plus-plus
CITIC Telecom International CPC Limited cybersecurity rating report: https://www.rankiteo.com/company/citic-telecom-international-cpc-limited
{
  "id": "NOTCIT1770050926",
  "linkid": "notepad-plus-plus, citic-telecom-international-cpc-limited",
  "type": "Cyber Attack",
  "date": "6/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "Select users, including telecom and financial firms in East Asia",
      "industry": "Technology / Software Development",
      "location": "Global (primarily East Asia)",
      "name": "Notepad++",
      "type": "Software Vendor"
    }
  ],
  "attack_vector": "Compromised hosting provider / Malicious update distribution",
  "customer_advisories": "Users in telecom and financial sectors in East Asia were selectively targeted. Recommended to check systems for signs of compromise.",
  "date_detected": "2025-09-02",
  "date_publicly_disclosed": "2025-12",
  "date_resolved": "2025-12-02",
  "description": "In December 2025, Notepad++ disclosed further details about a supply chain attack targeting its users, revealing that a China-linked threat actor likely compromised its hosting provider to distribute malicious updates. The incident involved hackers exploiting the software’s updater to gain access to systems within telecom and financial firms in East Asia. The attack stemmed from an infrastructure-level breach, where attackers intercepted and redirected update traffic by compromising the hosting provider’s systems.",
  "impact": {
    "brand_reputation_impact": "Yes",
    "operational_impact": "Malware distribution via compromised updates",
    "systems_affected": "Notepad++ update systems, telecom and financial firms in East Asia"
  },
  "initial_access_broker": {
    "backdoors_established": "Stolen credentials retained access until December 2025",
    "entry_point": "Compromised hosting provider infrastructure",
    "high_value_targets": "Telecom and financial firms in East Asia",
    "reconnaissance_period": "June 2025 - September 2025"
  },
  "investigation_status": "Completed",
  "lessons_learned": "Supply chain attacks can originate from infrastructure-level compromises, not just software vulnerabilities. Client-side verification of updates is critical for mitigating such risks.",
  "motivation": "Espionage / Targeted access to telecom and financial firms",
  "post_incident_analysis": {
    "corrective_actions": "Migrated to new hosting provider, implemented client-side update integrity checks, rotated credentials, and enhanced monitoring of update distribution",
    "root_causes": "Compromise of hosting provider’s infrastructure, stolen credentials, lack of client-side update verification"
  },
  "recommendations": "Implement client-side update integrity checks, monitor hosting provider security, rotate credentials regularly, and conduct third-party security audits of infrastructure providers.",
  "references": [
    {"source": "Kevin Beaumont (Security Researcher)"},
    {"source": "Notepad++ Creator Don Ho"}
  ],
  "response": {
    "communication_strategy": "Public disclosure by Notepad++ creator Don Ho and security researchers",
    "containment_measures": "Migration to new hosting provider, client-side update integrity verification",
    "incident_response_plan_activated": "Yes",
    "recovery_measures": "Restored secure update distribution",
    "remediation_measures": "Firmware updates, credential rotation, infrastructure cleanup",
    "third_party_assistance": "External security experts"
  },
  "stakeholder_advisories": "Notepad++ users advised to verify update integrity and monitor for suspicious activity.",
  "threat_actor": "Chinese state-sponsored group",
  "title": "Notepad++ Supply Chain Attack Linked to Chinese State-Sponsored Hackers",
  "type": "Supply Chain Attack"
}