Notepad++ Update Infrastructure Compromised in Targeted Supply Chain Attack
A recent investigation has linked a targeted supply chain compromise affecting Notepad++ to a China-aligned threat actor tracked as Lotus Blossom. The incident involved the abuse of the software’s update delivery path, allowing malicious payloads to be selectively served to specific users over an extended period.
Rather than exploiting a vulnerability in Notepad++ itself, attackers gained access at the hosting infrastructure level. This enabled them to redirect update requests from older versions of the editor to attacker-controlled servers and deliver a previously undocumented backdoor.
What Happened
Evidence indicates that the compromise allowed threat actors to interfere with update traffic starting in mid-2025. Users running older versions of Notepad++ with weaker update verification mechanisms were selectively targeted and redirected to malicious update endpoints.
The issue was remediated in December 2025 with the release of version 8.8.9, alongside a full migration to a new hosting provider and credential rotation. No indications suggest that the official plugin ecosystem or updater logic itself was directly exploited.
Malware Delivered Through Trusted Updates
Analysis of the malicious update artifacts revealed the deployment of a custom backdoor known as Chrysalis. The payload was delivered through a modified update process and executed using a combination of trusted binaries and DLL side-loading techniques.
Once active, the implant was capable of collecting system information, communicating with remote command infrastructure, executing commands, transferring files, and removing itself. The tradecraft combined bespoke malware development with established offensive tooling commonly seen in state-aligned operations.
Attribution and Tradecraft Evolution
Attribution to Lotus Blossom is based on overlaps in tooling, techniques, and execution patterns observed in previous campaigns linked to the group. These include the reuse of legitimate software components for DLL side-loading and the integration of publicly documented research into custom loaders.
The operation demonstrates a clear focus on stealth and persistence. Instead of mass distribution, the attack relied on selective delivery, rotating infrastructure, and frequent changes to infection chains to maintain long-term access while reducing detection risk.
Why This Matters
This incident underscores a persistent risk across the software ecosystem. Trust in update mechanisms remains a high-value target for advanced threat actors.
No user interaction beyond a routine update was required. No phishing email. No exploit. Only implicit trust in a legitimate software update path.
For organizations, this highlights that supply chain security extends beyond code integrity. Hosting providers, update distribution paths, and legacy verification mechanisms are equally critical components of the attack surface.
DIAMATIX Perspective
From a defensive standpoint, this case reinforces several important lessons.
Supply chain risk is not limited to large vendors or commercial platforms. Widely used open-source tools can become strategic entry points when trust assumptions are exploited.
Organizations should:
Maintain strict control over software update sources and verification mechanisms
Minimize reliance on legacy update paths and unsupported versions
Monitor outbound update traffic for anomalies and unexpected redirects
Treat developer tooling as part of the security perimeter, not an exception
Incorporate supply chain risk into threat modeling and incident readiness
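The third recommendation above, monitoring outbound update traffic for anomalies and unexpected redirects, is the one most readily turned into a concrete check. The Python script below is an added example; it is not code from the DIAMATIX post or from the Notepad++ project. It runs over a handful of constructed proxy-log lines and flags updater requests that go to a host outside an allowlist, that are answered with a 3xx redirect whose target is outside that allowlist, that travel over plaintext HTTP, or that come from a client reporting a version older than 8.8.9 (the release the post names as the one shipped with the remediation). The log format, the `version=` query parameter, the User-Agent marker and the allowlist contents are all assumptions or constructed samples, not values taken from the real updater.

```python
"""Flag Notepad++ update traffic that leaves the expected update path.

Added example for the recommendations above; not code from the DIAMATIX
post or the Notepad++ project. Everything below that looks like a real
value (log format, allowlist, User-Agent marker, query parameter) is an
assumption or a constructed sample.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# ASSUMPTION: hosts from which an organisation expects Notepad++ update checks
# and installer downloads. Placeholder allowlist; fill it from your own
# change-controlled source of truth, not from this example.
ALLOWED_UPDATE_HOSTS = {"notepad-plus-plus.org", "github.com"}

# The post names 8.8.9 as the release shipped with the remediation; anything
# older is treated here as a legacy client still on the old update path.
MIN_SAFE_VERSION = (8, 8, 9)

# ASSUMPTION: substring that identifies updater traffic in the User-Agent.
UPDATE_UA_MARKER = "notepad++"

R_OFFLIST = "update request to host outside allowlist"
R_LEGACY = "legacy client version below 8.8.9"
R_PLAINTEXT = "update request over plaintext HTTP"
R_REDIRECT = "update redirected to host outside allowlist"

# Constructed proxy-log format: ts client method url status location "ua"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<location>\S+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    line_no: int
    client: str
    reason: str
    host: str


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_allowed(host: str) -> bool:
    # Exact match or a subdomain of an allowlisted host; a lookalike such as
    # "notepad-plus-plus.org.evil.invalid" does not pass.
    return any(host == h or host.endswith("." + h) for h in ALLOWED_UPDATE_HOSTS)


def client_version(url: str):
    # ASSUMPTION: the client reports its version as a `version=` query parameter.
    raw = parse_qs(urlparse(url).query).get("version", [""])[0]
    if not re.fullmatch(r"\d+(\.\d+)*", raw):
        return None
    return tuple(int(p) for p in raw.split("."))


def analyze(lines):
    """Return a Finding for each suspicious updater request, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m or UPDATE_UA_MARKER not in m["ua"].lower():
            continue  # unparseable line, or not updater traffic
        url, host = m["url"], host_of(m["url"])
        if not is_allowed(host):
            findings.append(Finding(n, m["client"], R_OFFLIST, host))
            continue
        version = client_version(url)
        if version is not None and version < MIN_SAFE_VERSION:
            findings.append(Finding(n, m["client"], R_LEGACY, host))
        if urlparse(url).scheme != "https":
            findings.append(Finding(n, m["client"], R_PLAINTEXT, host))
        status, location = int(m["status"]), m["location"]
        if 300 <= status < 400 and location != "-":
            target = host_of(location)
            if not is_allowed(target):
                findings.append(Finding(n, m["client"], R_REDIRECT, target))
    return findings


# Constructed sample log: one clean check, one legacy client redirected off
# the allowlist, one direct fetch from that redirect target, one plaintext
# check, and one unrelated browser request that must be ignored.
SAMPLE_LOG = [
    '2025-09-14T08:01:12Z 10.0.5.21 GET https://notepad-plus-plus.org/update/check?version=8.8.9 200 - "Notepad++ update check"',
    '2025-09-14T08:02:03Z 10.0.5.40 GET https://notepad-plus-plus.org/update/check?version=8.6.2 302 https://dl.update-mirror.invalid/npp/installer.exe "Notepad++ update check"',
    '2025-09-14T08:02:04Z 10.0.5.40 GET https://dl.update-mirror.invalid/npp/installer.exe 200 - "Notepad++ update check"',
    '2025-09-14T08:05:51Z 10.0.7.3 GET http://notepad-plus-plus.org/update/check?version=8.8.9 200 - "Notepad++ update check"',
    '2025-09-14T08:06:10Z 10.0.7.3 GET https://dl.update-mirror.invalid/ 200 - "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} {f.reason} ({f.host})")
```

Running it on the constructed sample yields four findings: the legacy 8.6.2 client, the redirect it received to `dl.update-mirror.invalid`, the follow-up download from that host, and the plaintext check from the third client. The ordinary browser request to the same off-allowlist host is ignored, since the point is to watch the update path specifically. In production the allowlist and the version floor belong in configuration that changes only through review, because both are exactly the trust assumptions the incident exploited.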
Modern attacks increasingly focus on trust relationships rather than vulnerabilities. Defending against them requires visibility into how software is delivered, not just how it executes.
Sources
Rapid7 technical analysis of the Notepad++ supply chain compromise
Public statements from the Notepad++ maintainer regarding hosting-level breach
Kaspersky research on multi-stage infection chains linked to the incident
Industry reporting on Lotus Blossom / Billbug threat activity