Popular Open-Source Editor Notepad++ Targeted in Chinese-Linked Supply Chain Attack

A China-linked cyber espionage group compromised the update mechanism of widely used code editor Notepad++, delivering custom backdoors to select users, according to developers and cybersecurity researchers on February 2, 2026. The attackers, identified as the “Lotus Blossom” group by security firm Rapid7, gained access to Notepad++’s update server as early as June 2025 and retained credentials until December 2, 2025. Notepad++ creator Don Ho confirmed the breach was highly targeted—only specific users received malicious updates during the compromise window. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating potential exposure across federal systems. Hosting provider logs indicate the attackers specifically targeted Notepad++-related domains. Rapid7 attributes Lotus Blossom with a history of targeting government, telecom, and critical infrastructure sectors across Southeast Asia since 2009, with recent expansion into Central America.