The popular open-source text editor Notepad++ was targeted in a sophisticated supply chain attack that allowed Chinese state-sponsored hackers to deliver malware through compromised software updates, the project’s maintainer disclosed in a blog post.
The attack, which ran from June through December 2025, involved infrastructure-level compromise of Notepad++’s shared hosting provider that enabled threat actors to selectively intercept and redirect update traffic to servers under their control, Notepad++ author Don Ho said in the statement.
“Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign,” Ho wrote.
The incident highlights a critical blind spot in enterprise security. Attackers prize distribution points like update servers because one successful insertion delivers access to thousands of environments at once, according to a Forrester analysis also published Sunday.
The compromise is particularly concerning because Notepad++ is widely used by developers, analysts, and IT operators, yet “does not require an enterprise contract or license, and does not include usage tracking by default and therefore may not be tracked in an enterprise software inventory,” Forrester analysts Jeff Pollard, Allie Mellen, Jess Burn, Janet Worthington, and Tope Olufon wrote in their blog post.
How the attack unfolded
The compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code, Ho said in the note. Attackers gained access to the shared hosting server and redirected traffic from the update endpoint to attacker-controlled servers.
“The bad actors specifically searched for the Notepad++ domain to intercept the traffic to your website, as they might know the then-existing Notepad++ vulnerabilities related to insufficient update verification controls,” the hosting provider said in a statement shared by Ho.
Ho's blog post does not name the hosting provider, and a detailed query seeking comment from Ho had not been answered.
The server itself remained compromised until September 2, 2025, when scheduled maintenance that included kernel and firmware updates cut off that access. The attackers, however, retained stolen credentials to internal services until December 2, 2025, which let them keep intercepting traffic, according to the provider's statement. The targeting was highly selective: traffic from certain users was redirected while most legitimate updates proceeded normally, Ho said.
Rapid7 identifies custom malware
Cybersecurity firm Rapid7 also published a detailed technical analysis corroborating Ho’s disclosure and identifying the attack as part of a broader campaign deploying previously undocumented malware. Rapid7’s investigation uncovered a custom backdoor the firm dubbed “Chrysalis,” alongside Cobalt Strike and Metasploit frameworks.
“Forensic analysis conducted by the MDR team suggests that the initial access vector aligns with publicly disclosed abuse of the Notepad++ distribution infrastructure,” Rapid7 researcher Ivan Feigl wrote. The Chrysalis backdoor supports 16 distinct command capabilities ranging from interactive shell access to complete self-removal. One loader variant exploited Microsoft Warbird, an internal code protection framework, to execute shellcode while masquerading as a legitimate Microsoft-signed binary.
Rapid7 attributed the campaign to Lotus Blossom, also known as Billbug, a Chinese APT group active since 2009, known for espionage operations targeting government, telecommunications, and critical infrastructure sectors across Southeast Asia and Central America. The attribution is based on strong similarities to previously published Symantec research, particularly the use of a renamed Bitdefender executable to side-load malicious DLLs.
Why detection proved difficult
The malware evaded detection for months largely because a compromised utility blends into normal developer behavior. “Most EDR programs are blind by design to ‘expected’ developer behavior,” the Forrester analysts wrote. “A compromised utility does not need exploits, LOLBins, or exotic malware. It just needs to look boring—like something a dev would do.”
Ho noted that his incident response team was unable to extract concrete indicators of compromise despite analyzing roughly 400 GB of server logs. In an edit posted Sunday, Ho acknowledged Rapid7’s more detailed findings. “Last evening I received an email from Ivan Feigl (Rapid7) to share their excellent investigation story—it seems to be the same story, and obviously, they have more tangible information (including IoCs) than I do,” he wrote.
Rapid7 also published network indicators: IP addresses in Malaysia and China, and command-and-control URLs including api.skycloudcenter.com and api.wiresguard.com.
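A defender's first use of those two hostnames is a retroactive sweep of DNS and proxy logs. The following PowerShell is an added example written for this article, not code from Rapid7 or the Notepad++ project: it matches the two published C2 hostnames (and any subdomain of them) as whole host labels, so `api.skycloudcenter.com` and `cdn.api.skycloudcenter.com` are flagged while unrelated hosts that merely contain the string are not. The log lines, host names and usernames in `$SampleLog` are constructed for illustration; the log format is an assumption, since the matcher only needs the hostname to appear somewhere in the line.

```powershell
# Added example: sweep log lines for the C2 hostnames Rapid7 published.
# Not Rapid7 or Notepad++ code; sample log content below is constructed.

$C2Domains = @('api.skycloudcenter.com', 'api.wiresguard.com')

# Constructed sample: two resolver lines and two proxy lines (format assumed).
$SampleLog = @'
2025-11-03T09:14:22Z resolver query host=WS-DEV-17 qname=notepad-plus-plus.org type=A
2025-11-03T09:14:25Z resolver query host=WS-DEV-17 qname=api.skycloudcenter.com type=A
2025-11-03T09:20:01Z proxy CONNECT src=10.20.4.17 dst=update.example.com:443 user=jdoe
2025-11-03T09:20:09Z proxy CONNECT src=10.20.4.17 dst=cdn.api.wiresguard.com:443 user=jdoe
'@ -split "`n"

function Find-C2Contact {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string[]]$Domains = $C2Domains
    )
    # One case-insensitive regex: optional subdomain labels, then one of the
    # pinned hostnames, bounded on both sides so partial-label matches are rejected.
    $escaped = $Domains | ForEach-Object { [regex]::Escape($_) }
    $pattern = '(?i)(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\.)*(' + ($escaped -join '|') + ')(?![A-Za-z0-9-])'

    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if ($m.Success) {
            # Emit one record per matching line so the result pipes into
            # Export-Csv or a ticketing system.
            [pscustomobject]@{
                Domain = $m.Groups[1].Value.ToLower()
                Line   = $line.Trim()
            }
        }
    }
}

# Run over the constructed sample; expect the two C2 lines and nothing else.
$hits = Find-C2Contact -Lines $SampleLog
$hits | Format-Table -AutoSize

# Against a real export:  Find-C2Contact -Lines (Get-Content .\proxy.log)
```

The pattern deliberately pins the hostnames Rapid7 named rather than the bare registrable domains; widening `$C2Domains` to `skycloudcenter.com` and `wiresguard.com` catches sibling hosts at the cost of more triage, and that trade-off belongs to the analyst running the sweep.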
Security enhancements and broader implications
In response, Notepad++ has migrated to a new hosting provider and enhanced WinGup (the updater component) in version 8.8.9 to verify both the certificate and the signature of downloaded installers, Ho said. Certificate and signature verification will be enforced starting with version 8.9.2, expected within approximately one month.
“I deeply apologize to all users affected by this hijacking,” Ho wrote. “I recommend downloading v8.9.1 and running the installer to update your Notepad++ manually.”
For enterprise security teams, the incident underscores the need for comprehensive software inventories that include widely used utilities, cryptographic verification of all updates, and what Forrester described as a “shift from implicit trust to continuous verification.” The Forrester analysts also warned that AI agents could amplify similar risks. “The same supply chain blind spots that let a compromised tool blend into developer noise will let a compromised agent establish persistence and elevate privileges at scale,” they wrote. Organizations that cannot strictly define what should execute and communicate are “structurally conceding this class of attack.”
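The two controls this section calls for, an inventory that includes license-free utilities and cryptographic verification of an installer before it runs, can both be scripted on a Windows endpoint. The PowerShell below is an added example for this article, not WinGup or Notepad++ project code. It reads the standard Windows uninstall registry keys to list installed Notepad++ versions and flags anything below the 8.9.1 release Ho recommends, then gates running a downloaded installer on `Get-AuthenticodeSignature` reporting a valid signature from the expected signer. The `$ExpectedSubjectPattern` default and the `$InstallerPath` placeholder are assumptions: pin the pattern to the certificate subject you have confirmed on a known-good installer, and point the path at the file you actually downloaded.

```powershell
# Added example, not Notepad++/WinGup code.
# 1) Inventory installed Notepad++ versions from the uninstall registry keys.
# 2) Refuse to run an installer unless its Authenticode signature is valid
#    AND the signer matches a pinned subject pattern.

$MinimumVersion = [version]'8.9.1'   # release the maintainer recommends
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs (current user only)
)

function Get-NotepadPlusPlusInventory {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Notepad++*' } |
        ForEach-Object {
            $v = $null
            $parsed = [version]::TryParse($_.DisplayVersion, [ref]$v)
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Location    = $_.InstallLocation
                # Unparseable version strings are treated as needing attention.
                NeedsUpdate = (-not $parsed) -or ($v -lt $MinimumVersion)
            }
        }
}

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # ASSUMPTION: replace with the subject of the signer you verified offline.
        [string]$ExpectedSubjectPattern = '*Notepad++*'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the hash matches the signature and the chain builds to a
    # trusted root. A swapped or tampered installer shows NotSigned or HashMismatch.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "signature status $($sig.Status)" }
    }
    # Status alone accepts ANY validly signed binary; pinning the signer is what
    # rejects a legitimately signed but unexpected executable.
    if ($sig.SignerCertificate.Subject -notlike $ExpectedSubjectPattern) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "unexpected signer $($sig.SignerCertificate.Subject)" }
    }
    [pscustomobject]@{ Path = $Path; Ok = $true; Reason = "signer thumbprint $($sig.SignerCertificate.Thumbprint)" }
}

# Usage: list what is installed, then gate the manual update on the signature check.
Get-NotepadPlusPlusInventory | Format-Table -AutoSize

$InstallerPath = 'C:\PLACEHOLDER\path\to\downloaded-notepad-plus-plus-installer.exe'   # placeholder
$check = Test-InstallerSignature -Path $InstallerPath
if ($check.Ok) {
    Start-Process -FilePath $check.Path -Wait
} else {
    Write-Warning "Refusing to run installer: $($check.Reason)"
}
```

The signer pin is the part that matters for this incident: the page describes the attackers side-loading through a renamed, legitimately signed Bitdefender executable, and a check that stops at `Status -eq 'Valid'` would wave such a file through. For fleet-wide use, run `Get-NotepadPlusPlusInventory` through your remoting or EDR query tooling and aggregate the `NeedsUpdate` column; the HKCU branch only sees the account the script runs under.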