TL;DR: Chinese state-sponsored hackers compromised the hosting infrastructure behind Notepad++ and hijacked its software update mechanism from June to December 2025. Instead of attacking the code, they redirected update traffic for select targets to malicious servers, delivering a previously unknown backdoor called Chrysalis. Rapid7 attributed the campaign to Lotus Blossom (also known as Raspberry Typhoon); researcher Kevin Beaumont separately pointed to APT31. At least three organizations in telecom and financial services were confirmed compromised. Notepad++ released security patches in December 2025, but only disclosed the full scope on February 2, 2026.
Not the Code. The Pipe.
This wasn't a vulnerability in Notepad++ itself. The attackers never touched the source code. They went after something more valuable: the delivery system.
Starting in June 2025, a threat actor compromised the shared hosting server that powers Notepad++'s update infrastructure. From there, they intercepted update requests and selectively redirected certain users to attacker-controlled servers serving tampered update manifests [1][2].
Notepad++ developer Don Ho explained: "The attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic" [3]. The problem wasn't a bug in the code. It was a gap in how the built-in updater, WinGUp, verified what it downloaded. Older versions lacked sufficient certificate and signature checks on incoming binaries. If someone could sit between you and the real update server, they could swap in whatever they wanted.
And that's exactly what happened.
A Six-Month Window Nobody Noticed
The timeline is ugly:
- June 2025: Attackers compromise the hosting provider's shared server
- September 2, 2025: Hosting provider performs kernel and firmware updates, briefly kicking the attackers out
- Immediately after: Attackers regain access using previously stolen internal service credentials that hadn't been rotated
- December 2, 2025: Hosting provider finally detects the breach and terminates attacker access
- December 2025: Notepad++ releases version 8.8.9 with update verification fixes
- February 2, 2026: Full public disclosure
Six months. The hosting provider kicked the hackers out once (accidentally, during routine maintenance) and didn't rotate credentials afterward. The attackers walked right back in using the same stolen passwords [2].
That's not a sophisticated zero-day exploit. That's a credential hygiene problem: stolen passwords that were never rotated. At the infrastructure level.
Chrysalis: The Backdoor Nobody Knew About
Rapid7 researchers identified what the attackers were pushing: a previously undocumented custom backdoor named Chrysalis [2].
According to Rapid7's analysis, Chrysalis demonstrated a "large number of capabilities," functioning as "a sophisticated tool with a permanent role on the victim system." The backdoor was designed to establish persistent access: once it landed on a target machine through the poisoned update, it stayed there [2].
Security researcher Kevin Beaumont reported knowing of "at least three organizations affected by these update hijacks, which were followed by hands-on reconnaissance activity" [2]. The victims were telecommunications and financial services organizations in East Asia.
That's the key detail: this wasn't a spray-and-pray attack. The redirection was highly selective. Most Notepad++ users got legitimate updates. Only specific targets got routed to the malicious servers. That level of precision points to a threat actor who already knew who they wanted to hit.
Who Did This
Multiple independent security researchers assessed the threat actor as a Chinese state-sponsored group. Rapid7 specifically attributed the campaign to Lotus Blossom, a well-documented hacking group also tracked as Raspberry Typhoon, Bilbug, and Spring Dragon [2].
Beaumont separately identified the attackers as Violet Typhoon (APT31), another Chinese state-linked group known for targeting telecommunications and critical infrastructure [3].
The distinction may not matter much. Both groups operate under the umbrella of Chinese state-sponsored cyber operations, and both have long track records of going after telecom and financial targets. What matters is the method: compromising trusted software update channels to deliver targeted malware. It's the same playbook used in the SolarWinds attack, the CCleaner compromise, and dozens of other supply chain operations.
Why Notepad++ Matters
Notepad++ isn't some obscure tool. It's one of the most widely used text editors in the world, particularly popular among developers, system administrators, and IT professionals. The kind of people who have elevated privileges on corporate networks. The kind of people whose machines are stepping stones to everything else.
A backdoor on a developer's machine doesn't just give you access to their files. It gives you access to their code repositories, their deployment keys, their SSH credentials, their VPN connections. Compromising one developer workstation through a trusted software update can give an attacker a foothold into an entire organization's infrastructure.
That's the supply chain attack equation: compromise one trusted vendor, reach thousands of targets.
The Fix (and What's Still Coming)
Notepad++ has taken steps to close the hole:
- Version 8.8.9 (December 2025): WinGUp now verifies installer certificates and signatures. Update XML files are cryptographically signed [2].
- Version 8.9.2 (expected March 2026): Certificate signature verification becomes mandatory; updates without valid signatures will be rejected outright [2].
The hosting provider also rotated all credentials, migrated to new infrastructure, and confirmed malicious activity has ceased [2].
But here's the problem: if you used Notepad++ between June and December 2025, and you accepted an update during that window, you may have received a compromised binary. The selective targeting means most users were fine. But "most" isn't "all," and there's no easy way to know whether you were one of the targets.
What You Should Do
- Update Notepad++ to version 8.8.9 or later immediately. This version includes the certificate verification fixes.
- Check your update logs. If you run Notepad++ in an enterprise environment, check whether any of your installations contacted unusual update servers between June and December 2025.
- Run an endpoint scan. Look for indicators of compromise related to the Chrysalis backdoor. Rapid7 has published IOCs in their analysis [2].
- Audit your software update mechanisms. This attack succeeded because the updater didn't verify what it downloaded. If other tools on your system have the same gap, you have the same risk.
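What "verifying what it downloaded" looks like in practice, as an added example in Go (not WinGUp's own code, which is C++): the client holds a pinned publisher public key, the update manifest is signed with a key that never sits on the hosting server, and the manifest carries the installer's hash. A redirected or rewritten manifest fails the signature check; a swapped installer behind a genuine manifest fails the hash check. The manifest fields, Ed25519 as the signature scheme, and the URL are assumptions, not details of Notepad++'s format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is an assumed layout (WinGUp's real XML differs); the SHA-256 ties it to the binary.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignManifest is the publisher side; the signing key never lives on the hosting server.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte) {
	body, _ = json.Marshal(m)
	return body, ed25519.Sign(priv, body)
}

// VerifyUpdate is the client side: the pinned public key defeats a redirected or rewritten
// manifest, and the hash check defeats a swapped installer served behind a genuine manifest.
func VerifyUpdate(pinned ed25519.PublicKey, body, sig, installer []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pinned, body, sig) {
		return m, fmt.Errorf("manifest signature invalid: refusing update")
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, err
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, fmt.Errorf("installer hash mismatch: refusing update")
	}
	return m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub ships pinned inside the client
	installer := []byte("constructed installer bytes, not a real binary")
	sum := sha256.Sum256(installer)
	body, sig := SignManifest(priv, Manifest{Version: "8.8.9", URL: "https://updates.example/npp.exe", SHA256: hex.EncodeToString(sum[:])})
	_, genuine := VerifyUpdate(pub, body, sig, installer)                                                // nil
	_, swapped := VerifyUpdate(pub, body, sig, []byte("attacker-supplied installer"))                    // hash mismatch
	_, forged := VerifyUpdate(pub, []byte(`{"version":"8.8.9","url":"x","sha256":"00"}`), sig, installer) // bad signature
	fmt.Println(genuine, swapped, forged)
}
```

The order matters: the signature is checked before the manifest is parsed, so untrusted bytes never drive the hash comparison or the download decision.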
The Pattern
Software supply chain attacks aren't going away. They're getting more targeted and more patient. SolarWinds ran for nine months. This one ran for six. The eScan antivirus compromise used the same playbook: hijacking an update mechanism to deliver malware through a channel users trusted.
The common thread: attackers don't need to find a vulnerability in software. They just need to find a weakness in how software gets to you. The code can be perfect. If the delivery pipe is compromised, none of that matters.
Notepad++ isn't the last popular tool that will get its update mechanism hijacked. It's just the latest one we know about.
References
[1] The Hacker News: Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users (February 2026)
[2] BleepingComputer: Notepad++ Update Feature Hijacked by Chinese State Hackers for Months (February 2026)
[3] TechCrunch: Notepad++ Says Chinese Government Hackers Hijacked Its Software Updates for Months (February 2, 2026)
[4] Security Affairs: Nation-State Hack Exploited Hosting Infrastructure to Hijack Notepad++ Updates (February 2026)
[5] Dark Reading: Chinese Hackers Hijack Notepad++ Updates for 6 Months (February 2026)
Published: February 6, 2026