Notepad++ supply chain attack
If you've used Notepad++ in the past year - and if you work in IT, you almost certainly have - this one hits close to home. The beloved open-source text editor has just confirmed that its auto-update mechanism was hijacked for six months, and security researchers attribute the operation to a Chinese state-sponsored group that selectively pushed malware to targeted users.
What Actually Happened
The attack, which ran from June to December 2025, wasn't a typical software compromise. Rather than hacking Notepad++'s code or tricking developers into including malicious packages, the attackers went after the hosting infrastructure itself.
Here's the chain of events:
- June 2025: Attackers compromise a shared hosting server used by Notepad++
- June-September: Malicious actors intercept update traffic, redirecting specific users to attacker-controlled servers
- 2nd September: A routine kernel and firmware update briefly kicks the attackers out
- September-December: Attackers regain access using previously stolen credentials that were never rotated
- 2nd December: The hosting provider finally detects and terminates the breach
- December 2025: Security researcher Kevin Beaumont publicly reveals he knows of three organisations compromised via Notepad++ processes
The critical detail: this was selective targeting. The attackers carefully chose which users received poisoned updates, routing only certain traffic to their malicious servers. If you weren't on their list, you got the legitimate update.
Who's Behind It
Multiple independent security researchers have attributed the attack to Lotus Blossom (also tracked as Raspberry Typhoon, Billbug, Spring Dragon and Thrip) - a Chinese state-sponsored espionage group active since at least 2009.
Rapid7's investigation found the campaign targeted:
- Government organisations
- Telecommunications companies
- Aviation sector
- Critical infrastructure
- Media organisations
The targets predominantly had interests in East Asia, aligning with Lotus Blossom's historical focus on Southeast Asian espionage.
The Malware: "Chrysalis"
This wasn't just a redirect to a dodgy executable. Rapid7 researchers uncovered a previously undocumented custom backdoor they've named "Chrysalis" - and it's genuinely sophisticated.
The infection chain:
- User's Notepad++ requests an update via GUP.exe (the WinGup updater)
- Traffic redirects to attacker infrastructure at 95.179.213.0
- User downloads "update.exe" - actually an NSIS installer package
- The installer drops three files into %AppData%\Bluetooth
- A legitimate Bitdefender executable loads a malicious DLL (DLL sideloading: the signed binary looks for a library by name and picks up the attacker's copy from its own directory)
- The DLL decrypts and executes the Chrysalis backdoor
The backdoor features:
- Custom API hashing, so the Windows functions it calls are resolved at runtime by hash rather than appearing in an import table that static analysis and signatures could match
- RC4-encrypted configuration containing C2 details
- Layered obfuscation throughout
- C2 communications disguised to look like DeepSeek API chat traffic
Why This Matters for IT Leaders
Notepad++ isn't niche software. It has tens of millions of users worldwide and has been around for over two decades. It's the Swiss Army knife of text editors - used by developers, sysadmins, security researchers, and anyone dealing with code or config files.
This attack invites comparison with the SolarWinds breach of 2019-2020, where Russian intelligence services compromised the Orion build pipeline so that a trojanised, validly signed update reached multiple US government agencies. The strategic playbook is the same: compromise a trusted update channel, deliver malware to high-value targets. The mechanics differ in a way that matters for defenders: SolarWinds' attackers shipped a malicious update that passed signature checks, whereas here the attackers never touched Notepad++'s code or signing keys and relied on the client not verifying what it downloaded.
The implications:
- Supply chain attacks are increasing - if you can't hack the target directly, hack something they trust
- Shared hosting is a risk - the attackers never needed Notepad++'s code or signing keys, only a foothold on the server that answered update requests
- Credential rotation matters - the attackers survived being evicted by a server update because the credentials they had already stolen were never changed
- Update verification is critical - older Notepad++ versions ran whatever installer the update server pointed them at without checking its signature, so a compromised server was enough; TLS protects the connection to the server, not you from the server
What Notepad++ Has Done
Developer Don Ho has taken several steps:
- Migrated to a new hosting provider with stronger security practices
- Rotated all credentials that could have been compromised
- Version 8.8.9 now verifies installer certificates and signatures
- Update XML is cryptographically signed
- Version 8.9.2 (expected March 2026) will enforce mandatory certificate signature verification
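Until every updater on your estate does this itself, you can apply the same check to installers you download and deploy by hand. The PowerShell function below is an added example for this post, not Notepad++'s own updater code: it verifies the Authenticode chain of an installer, pins the signer to a certificate thumbprint taken from a known-good copy, and optionally compares a SHA-256 published out of band. The pinned thumbprint, the expected hash and the installer filename in the usage are placeholders to replace with your own values.

```powershell
# Added example (not Notepad++'s updater code). Verifies a downloaded installer
# before it is executed. Replace the PLACEHOLDER values with ones you take from
# a known-good installer: (Get-AuthenticodeSignature .\npp.exe).SignerCertificate.Thumbprint
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PinnedThumbprint,
        [string] $ExpectedSha256
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # Covers unsigned, tampered (HashMismatch) and untrusted-chain cases alike.
        Write-Warning "$Path`: signature status is $($sig.Status) ($($sig.StatusMessage))"
        return $false
    }

    # A valid chain only proves that *someone* holding a code-signing certificate
    # signed the file. Pin the publisher so a different, validly signed binary
    # served from a hijacked update server is still rejected.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($thumb -ne $PinnedThumbprint) {
        Write-Warning "$Path`: signed by unexpected certificate $thumb ($($sig.SignerCertificate.Subject))"
        return $false
    }

    # Optional second factor: a hash obtained from a channel other than the
    # download itself (release notes, a ticket, a colleague's known-good copy).
    if ($ExpectedSha256) {
        $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($hash -ne $ExpectedSha256.ToUpperInvariant()) {
            Write-Warning "$Path`: SHA-256 $hash does not match the expected value"
            return $false
        }
    }
    return $true
}

# Usage (assumed filename; /S is the NSIS silent-install switch the Notepad++
# installer accepts). Run the installer only when every check passed.
$installer = "$env:TEMP\npp.8.9.1.Installer.x64.exe"
if (Test-InstallerSignature -Path $installer -PinnedThumbprint 'PLACEHOLDER-THUMBPRINT') {
    Start-Process -FilePath $installer -ArgumentList '/S' -Wait
} else {
    Write-Error "Refusing to run $installer"
}
```

Checking only that the status is Valid is not enough, which is why the thumbprint pin is there: any validly signed executable would pass the first test. Take the pinned value from an installer fetched from the GitHub releases page rather than from the in-app updater, since the updater is exactly the channel that was poisoned.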
Immediate Actions for Your Organisation
1. Update Notepad++ Immediately
Download version 8.9.1 or later from GitHub. Check your current version via Help → About - anything before 8.8.9 is potentially vulnerable.
2. Hunt for Compromise Indicators
Watch for:
- Unexpected files in %AppData%\Bluetooth
- Processes named "BluetoothService.exe" that aren't legitimate Bluetooth services
- Network connections to unusual domains from Notepad++ processes
- Execution of "update.exe" following Notepad++ or GUP.exe activity
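The checks above can be scripted for a first pass across an estate. The PowerShell below is an added example for this post, not tooling from Notepad++ or Rapid7. It assumes it runs as a local administrator on a Windows endpoint, that Notepad++ is installed in the default Program Files locations, and that Sysmon is installed for the last check (which is skipped otherwise). The folder and process names are the indicators listed above; the version threshold is 8.8.9, the first release that verifies installer signatures.

```powershell
# Added hunting script (example for this post, not Notepad++ or Rapid7 tooling).
# Assumes: local admin rights, default install paths, Sysmon present for check 4.
$MinSafeVersion = [version]'8.8.9'
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Installed Notepad++ version, read from the binary's file version info.
$Candidates = @("$env:ProgramFiles\Notepad++\notepad++.exe",
                "${env:ProgramFiles(x86)}\Notepad++\notepad++.exe")
foreach ($exe in $Candidates) {
    if (-not (Test-Path $exe)) { continue }
    try {
        $v = [version](Get-Item $exe).VersionInfo.FileVersion
        if ($v -lt $MinSafeVersion) {
            $Findings.Add("Outdated Notepad++ $v at $exe (update to 8.9.1 or later)")
        }
    } catch {
        $Findings.Add("Could not parse the version of $exe, check Help > About manually")
    }
}

# 2. The staging directory the malicious installer drops into, for every profile.
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory) {
    $dir = Join-Path $userDir.FullName 'AppData\Roaming\Bluetooth'
    if (Test-Path $dir) {
        $files = Get-ChildItem $dir -File -Force |
                 ForEach-Object { "$($_.Name) ($($_.Length) bytes)" }
        $Findings.Add("Unexpected directory $dir containing: $($files -join ', ')")
    }
}

# 3. Running BluetoothService.exe: report path and signer, so a renamed vendor
#    binary running out of a user profile stands out from a real Windows service.
Get-Process -Name BluetoothService -ErrorAction SilentlyContinue | ForEach-Object {
    $path   = $_.Path
    $signer = 'unknown'
    if ($path) {
        $cert = (Get-AuthenticodeSignature -FilePath $path).SignerCertificate
        if ($cert) { $signer = $cert.Subject }
    }
    $Findings.Add("BluetoothService.exe (PID $($_.Id)) running from '$path', signer: $signer")
}

# 4. Sysmon process-creation events (ID 1) from the last 90 days in which
#    GUP.exe launched update.exe: the updater handing off to a downloaded installer.
$log = 'Microsoft-Windows-Sysmon/Operational'
if (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue) {
    $filter = @{ LogName = $log; Id = 1; StartTime = (Get-Date).AddDays(-90) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.Image -match '\\update\.exe$' -and $data.ParentImage -match '\\GUP\.exe$') {
            $Findings.Add("$($_.TimeCreated): $($data.ParentImage) launched $($data.Image) as $($data.User)")
        }
    }
}

if ($Findings.Count -eq 0) { 'No Notepad++ compromise indicators found on this host' }
else { $Findings | ForEach-Object { "FINDING: $_" } }
```

Treat anything the script reports as a lead to triage, not proof of compromise: copy the %AppData%\Bluetooth contents and the running binary before cleaning anything, and compare Sysmon hits against the device's real update history, since a legitimate Notepad++ update also launches an installer via GUP.exe.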
3. Review Your Software Supply Chain
Ask yourself:
- What tools on your network auto-update?
- Do they verify signatures?
- Are you monitoring update traffic?
4. Consider Policy Changes
- Application whitelisting for critical systems
- Network segmentation to limit blast radius
- EDR solutions that monitor for DLL sideloading
- Regular audits of third-party software behaviour
The Bigger Picture
This incident is a reminder that our tools can become weapons against us. The most paranoid among us disable auto-updates precisely because of scenarios like this - but that creates its own security problems with unpatched software.
The real solution is verified, signed updates with proper certificate checking. Notepad++ is implementing this now, but it took a six-month breach to get there.
For IT leaders, this reinforces the case for:
- Zero-trust architecture
- Comprehensive endpoint detection and response (EDR)
- Network traffic analysis
- Regular security audits of third-party software
The attackers played a long game - compromising infrastructure, waiting patiently, targeting selectively. That level of patience and precision is the hallmark of state-sponsored operations.
Update your Notepad++. Audit what else auto-updates without proper verification. And treat every piece of software as a potential attack vector.
Supply chain attacks are just one facet of a growing threat landscape. For more on related topics, read about slopsquatting and AI supply chain attacks, browser extension security risks, and non-human identity security.
Daniel J Glover
IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.