China-Linked Lotus Blossom Group Compromises Notepad++ Update Mechanism in Supply Chain Attack

In a significant cybersecurity incident, the widely used open-source text editor Notepad++ fell victim to a sophisticated supply chain attack orchestrated by the China-linked threat actor known as Lotus Blossom. This breach, which began in June 2025 and persisted until December 2025, involved the compromise of Notepad++’s hosting infrastructure, enabling attackers to deliver a previously undocumented backdoor named Chrysalis to targeted users.

The Breach Unveiled

The attack was first brought to light by Don Ho, the maintainer of Notepad++, who disclosed that state-sponsored actors had hijacked the software’s update mechanism. By compromising the hosting provider’s infrastructure, these malicious entities intercepted and redirected update traffic intended for notepad-plus-plus.org to servers under their control. This redirection led to the distribution of malicious updates to unsuspecting users. Notably, the breach did not exploit vulnerabilities within the Notepad++ code itself but rather targeted the external infrastructure supporting the software.

Technical Breakdown of the Attack

Security firm Rapid7 conducted an in-depth analysis of the incident, revealing that the attackers exploited insufficient update verification controls present in older versions of Notepad++. This vulnerability allowed them to hijack update traffic and selectively redirect requests from specific users to malicious servers. The primary payload delivered through this method was a backdoor dubbed Chrysalis, which granted the attackers unauthorized access to compromised systems.

Further investigations by cybersecurity company Kaspersky identified three distinct infection chains employed by the attackers between July and October 2025:

1. Late July to Early August 2025: Attackers deployed a malicious Notepad++ update hosted at 45.76.155[.]202/update/update.exe. This executable, an NSIS installer, collected system information and sent it to a remote server. It then utilized DLL side-loading techniques to execute shellcode that decrypted a Metasploit downloader, ultimately retrieving a Cobalt Strike beacon.

2. Mid to Late September 2025: The malicious update continued to be delivered via the same IP address. The NSIS installer was modified to gather additional system information and deliver new payloads, including a Lua script designed to execute shellcode. This shellcode acted as a Metasploit downloader, deploying a Cobalt Strike beacon.

3. October 2025: The distribution URL changed to 45.32.144[.]255/update/update.exe, initiating a similar sequence of events as the previous chains. The attackers also began using multiple URLs to propagate the installer, combining elements from the earlier infection chains.

These varied infection chains highlight the attackers’ adaptability and determination to maintain access to the compromised update mechanism. By frequently altering their methods, they aimed to evade detection and ensure the continued success of their campaign.
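The two distribution URLs named in the Kaspersky findings are the most concrete artefacts a defender can hunt for. The following added example (not from the article, Rapid7 or Kaspersky) scans proxy log lines for those indicators and for the more general pattern behind them, an `update.exe` fetched from a bare IP address or from any host other than the official one. The log format, the sample lines and the `203.0.113.9` host are constructed for the demo; only the two IoC URLs and `notepad-plus-plus.org` come from the article.

```python
"""Added example: hunt proxy logs for the Notepad++ update-hijack indicators in the article."""
import ipaddress
import re
from urllib.parse import urlsplit

# Distribution URLs from the Kaspersky findings, kept in their defanged form.
IOC_URLS = {
    "45.76.155[.]202/update/update.exe",
    "45.32.144[.]255/update/update.exe",
}
OFFICIAL_HOST = "notepad-plus-plus.org"   # legitimate update host named in the article

# ASSUMPTION: a simple space-separated proxy log format used only for this demo:
# <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def refang(indicator):
    """Turn the published defanged form back into a matchable string."""
    return indicator.replace("[.]", ".")


IOC_URLS_LIVE = {refang(u) for u in IOC_URLS}
IOC_HOSTS = {u.split("/", 1)[0] for u in IOC_URLS_LIVE}


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the reasons a request looks like the hijacked update; empty list if clean."""
    url = rec["url"]
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    reasons = []
    if f"{host}{path}" in IOC_URLS_LIVE:
        reasons.append("known malicious update URL (Kaspersky IoC)")
    elif host in IOC_HOSTS:
        reasons.append("known malicious update host (Kaspersky IoC)")
    if path.endswith("/update/update.exe") and host != OFFICIAL_HOST:
        reasons.append("Notepad++-style update.exe fetched from a non-official host")
    if is_bare_ip(host) and path.endswith(".exe"):
        reasons.append("executable downloaded from a bare IP address")
    return reasons


def scan(lines):
    """Return (client_ip, url, reasons) for every flagged line, in log order."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append((rec["src"], rec["url"], reasons))
    return findings


# Constructed sample log: three hits on the published IoCs, one clean official download,
# one generic bare-IP executable fetch, one unrelated request.
SAMPLE_LOG = [
    "2025-08-02T09:14:03Z 10.0.0.21 GET http://45.76.155.202/update/update.exe 200",
    "2025-09-18T11:40:51Z 10.0.0.34 GET http://45.76.155.202/update/update.exe 200",
    "2025-10-06T15:02:17Z 10.0.0.34 GET http://45.32.144.255/update/update.exe 200",
    "2025-10-06T15:05:00Z 10.0.0.34 GET https://notepad-plus-plus.org/update/update.exe 200",
    "2025-10-07T08:00:00Z 10.0.0.50 GET http://203.0.113.9/tools/update.exe 200",
    "2025-10-07T08:01:00Z 10.0.0.50 GET https://example.com/index.html 200",
]

if __name__ == "__main__":
    for src, url, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {url}: {'; '.join(reasons)}")
```

The exact-match rule catches what Kaspersky published; the two heuristic rules are there because the third chain already rotated to a new IP and "multiple URLs", so matching only the known strings would miss the next rotation. Tune the bare-IP rule to your environment before alerting on it.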

Targeted Victims and Global Impact

The attack was highly targeted, affecting approximately a dozen machines across various countries, including Vietnam, El Salvador, Australia, the Philippines, and Romania. The victims encompassed individuals, government organizations, financial institutions, and IT service providers. This selective targeting underscores the strategic nature of the attack, focusing on high-profile entities to maximize the impact of the breach.

Response and Mitigation Efforts

In response to the breach, the Notepad++ team took several corrective actions:

– Hosting Migration: The Notepad++ website was moved to a new hosting provider with enhanced security practices to prevent future compromises.

– Update Mechanism Hardening: Additional security measures were implemented to fortify the update process, ensuring the integrity and authenticity of future updates.

– Software Update: Version 8.8.9 of Notepad++ was released in December 2025, addressing the vulnerabilities exploited during the attack and enhancing the software’s security posture.

Broader Implications and Lessons Learned

This incident serves as a stark reminder of the growing threat posed by supply chain attacks, where malicious actors target the infrastructure and processes supporting widely used software. Such attacks can have far-reaching consequences, compromising the security of numerous users and organizations.

To mitigate the risk of similar attacks, software developers and organizations should:

– Implement Robust Update Verification: Ensure that update mechanisms include stringent verification processes to confirm the authenticity and integrity of updates.

– Regular Security Audits: Conduct periodic reviews of hosting infrastructure and update processes to identify and address potential vulnerabilities.

– User Education: Inform users about the importance of downloading software updates from official sources and verifying the legitimacy of update prompts.
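What "robust update verification" means in practice is that a hijacked network path must not be enough to get code run. The following added example (not Notepad++ code, and not a description of how its updater works) contrasts a client that trusts whatever the download returns with one that pins the update host, authenticates the update manifest and checks the installer hash before anything would be executed. One assumption is flagged in the code: the manifest is authenticated with an HMAC key so the example runs on the standard library alone; a real updater would use a public-key signature (a signed manifest plus a signed installer) so the client holds no secret. The installer bytes, manifest, `fetch` functions and `sign_manifest` helper are all constructed for the demo.

```python
"""Added example: a weak updater beside a hardened one, under a hosting-level redirect."""
import hashlib
import hmac
import json
from urllib.parse import urlsplit

TRUSTED_HOST = "notepad-plus-plus.org"   # the legitimate update host named in the article

# ASSUMPTION: a real updater verifies a public-key signature and holds only the public key.
# An HMAC key is used here only so the example runs without third-party libraries.
MANIFEST_KEY = b"constructed-demo-key"


class UpdateRejected(Exception):
    """Raised when any verification step fails; the installer is never run."""


def sign_manifest(manifest):
    """Server side (constructed): serialise the manifest and attach its authentication tag."""
    raw = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, raw, hashlib.sha256).hexdigest()
    return raw, tag


def verify_manifest(raw, tag):
    """Reject a manifest that was not produced by the holder of the key."""
    expected = hmac.new(MANIFEST_KEY, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise UpdateRejected("manifest authentication failed")
    return json.loads(raw)


def check_url(url):
    """Only TLS to the pinned host is acceptable, whatever the manifest says."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected("update URL is not https")
    if parts.hostname != TRUSTED_HOST:
        raise UpdateRejected(f"update host {parts.hostname!r} is not the pinned host")


def verify_payload(payload, expected_sha256):
    """The downloaded bytes must match the hash the authenticated manifest promised."""
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise UpdateRejected("installer hash does not match the manifest")


def hardened_update(raw_manifest, tag, fetch):
    """Return ('ok', version) or ('rejected', reason). fetch(url) models the download."""
    try:
        manifest = verify_manifest(raw_manifest, tag)
        check_url(manifest["url"])
        payload = fetch(manifest["url"])
        verify_payload(payload, manifest["sha256"])
        return ("ok", manifest["version"])
    except UpdateRejected as exc:
        return ("rejected", str(exc))


def weak_update(raw_manifest, fetch):
    """The gap the article describes in older clients: run whatever the network returned."""
    manifest = json.loads(raw_manifest)
    payload = fetch(manifest["url"])
    return ("ok", payload)   # a real client would execute the installer here, unchecked


# Constructed installers and network behaviour for the demo.
GENUINE = b"MZ genuine installer bytes (constructed)"
MALICIOUS = b"MZ attacker installer bytes (constructed)"

MANIFEST, TAG = sign_manifest({
    "version": "8.8.9",
    "url": f"https://{TRUSTED_HOST}/update/update.exe",
    "sha256": hashlib.sha256(GENUINE).hexdigest(),
})


def honest_fetch(url):
    return GENUINE


def hijacked_fetch(url):
    """Models the hosting-level redirect: every request is answered by the attacker."""
    return MALICIOUS


def tampered_manifest():
    """Attacker rewrites the manifest to point at their own host but cannot re-sign it."""
    m = json.loads(MANIFEST)
    m["url"] = "http://45.76.155[.]202/update/update.exe"   # IoC from the article, defanged
    return json.dumps(m, sort_keys=True).encode()


if __name__ == "__main__":
    print(hardened_update(MANIFEST, TAG, honest_fetch))
    print(hardened_update(MANIFEST, TAG, hijacked_fetch))
    print(hardened_update(tampered_manifest(), TAG, hijacked_fetch))
    print(weak_update(MANIFEST, hijacked_fetch))
```

The order of the checks matters: the manifest is authenticated before its URL is trusted, the URL is pinned before any download happens, and the payload hash is compared before the installer is run. Under the hijack modelled here the weak client hands the attacker's bytes straight to execution, while the hardened client stops at the hash mismatch even though the redirect itself was invisible to it.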

By adopting these practices, the software community can enhance its resilience against supply chain attacks and protect users from similar threats in the future.