Chinese APT Lotus Blossom Hijacks Notepad++ Update Mechanism to Deploy Chrysalis Backdoor


Source: BleepingComputer

In a significant supply chain attack, Chinese state-sponsored threat actors compromised the infrastructure behind the update mechanism of Notepad++, one of the world's most popular text editors, with tens of millions of users. The attackers held access for nearly six months, from June 2025 until December 2025.

The Attack

The attackers infiltrated a hosting provider that served Notepad++’s update infrastructure, enabling them to intercept and selectively redirect update requests from specific users to malicious servers. Rather than conducting a broad attack, the threat actors demonstrated precise targeting, redirecting only select victims to receive tampered update manifests.

Security researcher Kevin Beaumont reported that at least three organizations were affected by these update hijacks, with attackers conducting hands-on reconnaissance activity following the initial compromise.

Attribution: Lotus Blossom APT

Rapid7 researchers attributed the campaign to Lotus Blossom (also known as Raspberry Typhoon, Bilbug, and Spring Dragon), a Chinese APT group with a history of sophisticated operations. The attackers deployed a previously undocumented custom backdoor that Rapid7 named Chrysalis.

According to the researchers, Chrysalis is a sophisticated tool with extensive capabilities designed for persistent access on victim systems. The backdoor’s complexity suggests it was purpose-built for long-term espionage operations.

Timeline of Events

  • June 2025: Initial compromise of the hosting provider
  • Early September 2025: Attackers briefly lost access when the server was updated
  • Post-September 2025: Threat actors regained access using previously stolen credentials that had not been rotated after the server update
  • December 2, 2025: Breach finally detected and attacker access terminated
  • December 2025: Notepad++ version 8.8.9 released with improved update security

Security Improvements

Following the incident, Notepad++ has implemented significant security improvements:

  • Migrated to a new hosting provider with stronger security controls
  • Rotated all potentially compromised credentials
  • WinGUp, the Notepad++ updater, now verifies the installer's code-signing certificate and signature before running it
  • Update XML is now cryptographically signed
  • Version 8.9.2 (expected within a month) will enforce mandatory certificate signature verification

Recommended Actions

Notepad++ users should take the following steps:

  • Update to version 8.8.9 or later immediately
  • Change credentials for SSH, FTP/SFTP, and MySQL
  • Review WordPress admin accounts (if applicable) and reset passwords
  • Enable automatic updates where possible

Implications

This attack highlights the growing sophistication of supply chain compromises. By targeting popular developer tools, threat actors can potentially access high-value targets within enterprise environments. The selective targeting observed in this campaign—rather than mass exploitation—indicates a focus on specific organizations of intelligence interest.

Organizations should implement defense-in-depth strategies that include verifying software updates, monitoring for unusual update behavior, and maintaining visibility into developer tool activity across their networks.
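The updater hardening listed under Security Improvements and the advice here to verify updates and watch for unusual update behaviour both come down to the same two checks: do not follow an update manifest that points somewhere it should not, and do not run an installer whose content cannot be tied to the publisher. The script below is an added example of both, not Notepad++ or WinGUp code. It assumes a WinGUp-style manifest (a `GUP` root with `NeedToBeUpdated`, `Version` and `Location` children), an allowlist of download hosts, and a pinned installer hash published out of band; the sample manifests and installer bytes are constructed, not captured traffic. Note the caveat the incident itself illustrates: a host allowlist only catches a manifest that redirects the download off-domain, while a tampered file served from the legitimate host is caught only by the hash or signature check.

```python
"""Update-manifest and installer validation, added here as an example.

Not Notepad++ or WinGUp code. The manifest layout (<GUP> with
<NeedToBeUpdated>, <Version>, <Location>), the allowlisted hosts and the
pinned hash are assumptions made for illustration.
"""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts a Location element may point at (assumption for this example).
ALLOWED_HOSTS = ("notepad-plus-plus.org", "github.com")

# First release carrying the post-incident updater hardening (from the article).
MIN_SAFE_VERSION = (8, 8, 9)


def parse_version(text):
    """'8.8.9' -> (8, 8, 9); raises ValueError on anything non-numeric."""
    return tuple(int(part) for part in text.strip().split("."))


def host_allowed(host):
    """Exact match or a subdomain of an allowlisted host; 'github.com.evil.net' fails."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def check_manifest(xml_text):
    """Validate an update manifest before following its Location.

    Returns (ok, reason, location). A manifest pointing at a non-HTTPS URL,
    at a host outside the allowlist, or at a version older than 8.8.9 is
    rejected. A tampered manifest that redirects the download off-domain
    fails the host check; one that keeps the legitimate host does not, which
    is why the installer hash is checked separately below.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "GUP":
        return (False, f"unexpected root element {root.tag!r}", None)
    if (root.findtext("NeedToBeUpdated") or "").strip().lower() != "yes":
        return (True, "no update offered", None)
    version_text = (root.findtext("Version") or "").strip()
    location = (root.findtext("Location") or "").strip()
    url = urlparse(location)
    if url.scheme != "https":
        return (False, f"non-HTTPS location {location!r}", location)
    if not host_allowed(url.hostname or ""):
        return (False, f"location host {url.hostname!r} not allowlisted", location)
    try:
        version = parse_version(version_text)
    except ValueError:
        return (False, f"malformed version {version_text!r}", location)
    if version < MIN_SAFE_VERSION:
        return (False, f"downgrade to {version_text} below 8.8.9", location)
    return (True, "manifest ok", location)


def verify_installer(data, expected_sha256):
    """Compare the downloaded installer against a pinned SHA-256 published
    out of band. This stands in for the code-signing check WinGUp performs;
    a pin also catches a tampered file served from a legitimate host."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


# Constructed sample manifests (not captured traffic).
LEGIT_MANIFEST = (
    '<?xml version="1.0"?><GUP><NeedToBeUpdated>yes</NeedToBeUpdated>'
    "<Version>8.8.9</Version><Location>https://github.com/notepad-plus-plus/"
    "notepad-plus-plus/releases/download/v8.8.9/npp.8.8.9.Installer.x64.exe"
    "</Location></GUP>"
)
TAMPERED_MANIFEST = (
    "<GUP><NeedToBeUpdated>yes</NeedToBeUpdated><Version>8.8.9</Version>"
    "<Location>https://npp-update.example.net/npp.8.8.9.Installer.x64.exe"
    "</Location></GUP>"
)
DOWNGRADE_MANIFEST = (
    "<GUP><NeedToBeUpdated>yes</NeedToBeUpdated><Version>8.8.7</Version>"
    "<Location>https://notepad-plus-plus.org/npp.8.8.7.Installer.x64.exe"
    "</Location></GUP>"
)
PLAIN_HTTP_MANIFEST = TAMPERED_MANIFEST.replace("https://", "http://")

# Constructed stand-in for an installer and the hash a publisher would pin.
SAMPLE_INSTALLER = b"MZ\x90\x00constructed installer bytes, not a real PE"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()


def run_checks():
    """Run every sample through the checks and return the verdicts by name."""
    return {
        "legit": check_manifest(LEGIT_MANIFEST),
        "tampered": check_manifest(TAMPERED_MANIFEST),
        "downgrade": check_manifest(DOWNGRADE_MANIFEST),
        "plain_http": check_manifest(PLAIN_HTTP_MANIFEST),
        "installer_ok": verify_installer(SAMPLE_INSTALLER, SAMPLE_SHA256),
        "installer_modified": verify_installer(SAMPLE_INSTALLER + b"\x00", SAMPLE_SHA256),
    }


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name:19s} {verdict}")
```

The same checks translate directly into detection: log the `Location` host returned to each endpoint's update request and alert when it falls outside the expected set, or when an installer is written to disk whose hash does not match a known release. Either signal would have surfaced the selective redirection described above without needing to know the attacker's infrastructure in advance.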
