Chinese State Hackers Hijacked Notepad++ Updates for Six Months

For six months, Chinese state sponsored hackers controlled what updates reached certain Notepad++ users. The attackers intercepted update traffic, redirecting select users to malicious servers that delivered tampered software containing a previously undocumented backdoor.

The campaign, attributed to the advanced persistent threat group Lotus Blossom (also known as Raspberry Typhoon, Bilbug, or Spring Dragon), represents one of the most sophisticated software supply chain attacks targeting developers in recent years.

If you use Notepad++ and haven't updated recently, your system may be compromised.

How the Attack Worked

Rather than compromising Notepad++'s source code directly, the attackers targeted the infrastructure that delivers updates to users. After compromising the hosting provider in June 2025, they gained the ability to intercept and redirect update requests in what security researchers call an "on path" attack.

This approach is particularly insidious. The malicious traffic redirection happens after data leaves users' computers but before it reaches legitimate update servers. The attack leaves minimal forensic evidence on the victim's system, making detection extremely difficult.

The attackers exploited insufficient update verification controls in older Notepad++ versions, serving tampered update manifests that delivered malicious payloads instead of legitimate software updates.

Selective Targeting, Not Mass Distribution

Unlike typical malware campaigns that aim to infect as many systems as possible, this attack was surgically precise. The attackers selectively redirected update traffic only for specific users, suggesting they had particular targets in mind.

Security researchers at Rapid7 confirmed at least three organizations experienced hijacked updates followed by hands on network reconnaissance. The exact number of affected systems remains undisclosed, but the potential victim pool includes millions of Notepad++ users worldwide.

This selective approach mirrors the 2018 ShadowHammer campaign against ASUS, where malicious updates reached hundreds of thousands of systems but attackers only targeted specific victims based on their MAC addresses.

The Chrysalis Backdoor

The malicious updates deployed a custom backdoor that Rapid7 researchers named Chrysalis. This previously undocumented malware provided attackers with persistent access to compromised systems and the ability to conduct reconnaissance on victim networks.

While specific capabilities of Chrysalis remain partially classified to avoid aiding other threat actors, backdoors of this sophistication typically enable:

• Remote command execution
• File exfiltration
• Credential harvesting
• Lateral movement within networks
• Persistence mechanisms that survive reboots

The use of a custom, previously unknown backdoor indicates significant resources behind this campaign, consistent with state sponsored operations.

Timeline of the Attack

The compromise began in June 2025 when attackers gained access to Notepad++'s hosting provider. For the next six months, they maintained their position, selectively targeting users who requested software updates.

In September 2025, the attackers temporarily lost access during routine kernel and firmware updates by the hosting provider. However, they quickly regained their foothold using stolen credentials, demonstrating their determination to maintain the operation.

On December 2, 2025, the hosting provider finally detected and terminated the unauthorized access. By then, the campaign had run for approximately six months, making it one of the longest running software supply chain compromises discovered in recent years.

How to Protect Yourself

Notepad++ released version 8.8.9 in December 2025 with security fixes addressing the exploited vulnerabilities. Version 8.9.2 will mandate certificate signature verification for all updates, preventing similar attacks in the future.

If you use Notepad++, take these steps immediately:

1. Update to Notepad++ 8.8.9 or later immediately
2. Enable automatic updates to receive future security patches
3. Change any SSH, FTP/SFTP, and database credentials stored on your system
4. Review WordPress admin accounts if you develop or manage WordPress sites
5. Consider running a full system scan with reputable security software

The Broader Supply Chain Problem

This incident joins a growing list of software supply chain attacks targeting developer tools. In 2024 and 2025 alone, attackers have compromised browser extensions, IDE plugins, and npm packages, recognizing that developers represent high value targets with access to source code, credentials, and production systems.

The Notepad++ attack demonstrates that even standalone applications with legitimate update mechanisms can become vectors for compromise. The attack surface extends beyond the software itself to include hosting providers, content delivery networks, and any infrastructure involved in software distribution.

For developers, this means treating every software update with appropriate skepticism, maintaining offline backups of critical credentials, and monitoring for unusual system behavior even from trusted applications.

What Notepad++ Has Done

The Notepad++ development team has migrated to a new hosting provider with enhanced security controls. They have rotated all potentially compromised credentials and implemented additional verification mechanisms in the update process.

The upcoming version 8.9.2 will require certificate signature verification for all updates, adding a cryptographic layer of protection that would have prevented this attack. Users are strongly encouraged to update as soon as this version becomes available.

The incident serves as a reminder that software security extends far beyond code quality. The entire supply chain, from development to distribution, must be secured against sophisticated threat actors who are willing to invest months in compromising trusted software channels.