Chinese Hackers Compromise Notepad++ in Software Supply Chain Attack

February 3, 2026 Lisa Park Tech
Original source: bankinfosecurity.com

A sophisticated supply chain attack compromised updates for the widely used text editor Notepad++ for six months, from June through December 2025. Chinese state-sponsored hackers hijacked the software’s update infrastructure, selectively redirecting users to malicious servers and delivering a custom backdoor dubbed “Chrysalis.” The incident highlights the growing risk of supply chain attacks targeting even seemingly innocuous software.

Developer Don Ho disclosed the compromise Monday, apologizing to users affected by the hijacking. The attack centered on intercepting and redirecting update traffic destined for notepad-plus-plus.org. While the initial compromise occurred in June, Notepad++ didn’t regain full control of its infrastructure until December. Attackers maintained access to internal services and the ability to redirect traffic for an extended period, even after the hosting provider addressed the initial breach.

Security firm Rapid7 linked the attack to a Chinese nation-state hacking group known as “Lotus Blossom.” Rapid7 described Chrysalis as a “custom, feature-rich backdoor,” indicating a sophisticated and persistent tool rather than a simple, disposable exploit. The attackers leveraged Microsoft’s proprietary Warbird code protection and obfuscation framework, demonstrating a high level of technical skill.

The attack wasn’t a mass exploitation attempt. According to security researcher Kevin Beaumont, the primary targets were telecom and financial services organizations in East Asia. This selective targeting suggests a focused espionage campaign rather than a broad effort to compromise as many systems as possible. Beaumont’s initial findings, shared on Mastodon in December 2025, were instrumental in bringing the issue to light.

The compromised infrastructure allowed attackers to install the Chrysalis malware on victim systems. Rapid7 has published indicators of compromise (IOCs), including file hashes and network activity, such as command-and-control communications with api.skycloudcenter.com and file downloads from api.wiresguard.com. However, Ho initially reported difficulty identifying concrete IOCs from server logs provided by the former hosting provider, stating that a week of analysis yielded no specific hashes, domains, or IP addresses.
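As an added example (not code from the article, Rapid7 or the Notepad++ project), a small Python detection pass that hunts proxy logs for the two command-and-control domains quoted above. The log format and the log lines are constructed for illustration; the only indicators used are the two domains named in the article.

```python
import re
from typing import Dict, List, Optional

# IOC domains published by Rapid7 for the Chrysalis backdoor, as quoted in the
# article above. No other indicators are added here.
CHRYSALIS_DOMAINS = {"api.skycloudcenter.com", "api.wiresguard.com"}

# Constructed sample proxy log (not real telemetry), one request per line:
# timestamp, client IP, destination host, method, path, requesting program.
SAMPLE_PROXY_LOG = """\
2025-11-14T09:12:03Z 10.20.3.41 notepad-plus-plus.org GET /update updater
2025-11-14T09:12:05Z 10.20.3.41 api.wiresguard.com GET /files/payload updater
2025-11-14T09:13:10Z 10.20.3.41 API.SkyCloudCenter.com. POST /beacon svc
2025-11-14T09:15:00Z 10.20.7.9 update.microsoft.com GET /catalog browser
2025-11-14T09:16:22Z 10.20.7.9 cdn.api.wiresguard.com:443 GET /x curl
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+"
                     r"(?P<method>\S+)\s+(?P<path>\S+)\s+(?P<agent>\S+)$")

def matches_ioc(host: str, iocs=CHRYSALIS_DOMAINS) -> Optional[str]:
    """Return the IOC if host equals it or is a subdomain of it, else None."""
    # Lowercase, drop any :port and a trailing dot so matching is exact.
    h = host.strip().lower().split(":", 1)[0].rstrip(".")
    for ioc in iocs:
        # Leading "." keeps the label boundary: fakeapi.wiresguard.com must not match.
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None

def scan_proxy_log(text: str, iocs=CHRYSALIS_DOMAINS) -> List[Dict[str, str]]:
    """Return one record per log line whose destination host matches an IOC."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        ioc = matches_ioc(m["host"], iocs)
        if ioc:
            rec = m.groupdict()
            rec["ioc"] = ioc
            hits.append(rec)
    return hits

def clients_to_triage(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per client IP so responders know which hosts to isolate first."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts
```

The same matcher can be pointed at DNS resolver or firewall logs once the line regex is adjusted to that format.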

Notepad++ responded to the incident by implementing stricter update verification controls. Beginning with version 8.8.7, binaries – including the installer – are digitally signed using a certificate from GlobalSign. Version 8.8.9, released on December 9, 2025, included updates to verify the software and updater’s signature and certificate, aborting the update process if verification failed. The release notes acknowledged reports of malicious servers redirecting update traffic.

The attackers gained initial access through a compromise of Notepad++’s hosting provider. They maintained access to the kernel and firmware of the tools until September 2, 2025, and retained credentials for internal services until December 2, 2025, enabling continued redirection of update traffic. This prolonged access underscores the importance of robust security measures at all levels of the software supply chain.

The incident serves as a “clear demonstration of how a single failure in the distribution process for a widely used utility can become an enterprise-scale software supply chain event,” according to market researcher Forrester. The widespread use of Notepad++ – while precise usage statistics are difficult to obtain, a 2015 Stack Overflow survey indicated that one-third of developers used the editor – amplifies the potential impact of the compromise. Forrester warns that as organizations increasingly rely on artificial intelligence tools and agents, the compromise of a tool like Notepad++ highlights the need to treat “every trusted utility [as] an autonomous execution surface” and secure it accordingly.

Security experts emphasize that this attack is not an isolated incident. Advanced persistent threat groups continue to target popular software as a means of gaining access to a wider range of organizations. As Florian Roth, head of research at Nextron Systems, noted, compromising a widely used tool can provide a gateway for compromising the code for even more software used by numerous organizations and individuals. The incident reinforces the need for organizations to prioritize software governance and security, even for seemingly simple utilities.

The Lotus Blossom group has been linked to cyber espionage operations targeting Southeast Asia and Central America, spanning government, telecommunications, critical infrastructure, aviation, and media sectors. This broader context suggests a sustained and multifaceted espionage campaign, with the Notepad++ compromise representing one component of a larger operation.
