Executive Summary
In June 2025, Chinese state-sponsored hackers compromised the update infrastructure of Notepad++, a widely used text editor, by infiltrating its hosting provider. This allowed them to intercept and selectively redirect update requests from targeted users to malicious servers, delivering tampered update manifests. The attackers exploited vulnerabilities in older versions of Notepad++'s WinGUp update tool, which lacked sufficient verification controls. The breach persisted until December 2, 2025, when the hosting provider detected the intrusion and terminated the attackers' access. (bleepingcomputer.com)This incident underscores the critical importance of securing software supply chains, as state-sponsored actors increasingly target update mechanisms to distribute malware. Organizations must implement robust verification processes and regularly audit their infrastructure to prevent similar attacks. (arstechnica.com)
Why This Matters Now
The Notepad++ supply chain attack highlights the growing trend of state-sponsored actors exploiting software update mechanisms to distribute malware. As these attacks become more sophisticated and targeted, organizations must prioritize securing their software supply chains and implementing robust verification processes to prevent similar incidents. (arstechnica.com)
Attack Path Analysis
The attackers compromised Notepad++'s shared hosting server, allowing them to intercept and redirect update requests from targeted users to malicious servers. They exploited insufficient update verification controls in older versions of Notepad++ to deliver tampered update manifests. By maintaining credentials to internal services, they continued redirecting update traffic even after losing direct server access. This enabled them to establish command and control channels with compromised systems. The attackers likely exfiltrated sensitive data from the targeted organizations. The impact included unauthorized access to systems, potential data breaches, and compromise of the software supply chain.
Kill Chain Progression
Initial Compromise
Description
Attackers compromised Notepad++'s shared hosting server, allowing them to intercept and redirect update requests from targeted users to malicious servers.
Related CVEs
CVE-2025-49144
CVSS 7.3An installer vulnerability in Notepad++ versions prior to 8.8.9 allows attackers to plant malicious executables during installation, potentially leading to privilege escalation.
Affected Products:
Notepad++ Notepad++ – < 8.8.9
Exploit Status:
proof of conceptCVE-2025-56383
CVSS 8.4A DLL search-order hijacking vulnerability in Notepad++ versions prior to 8.8.9 allows attackers to execute arbitrary code by replacing plugin DLLs.
Affected Products:
Notepad++ Notepad++ – < 8.8.9
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Supply Chain
Application Layer Protocol: Web Protocols
Subvert Trust Controls: Code Signing
Valid Accounts
Ingress Tool Transfer
Command and Scripting Interpreter: Windows Command Shell
Indicator Removal: File Deletion
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the integrity of software and firmware
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Supply Chain Risk Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attack targeting Notepad++ update mechanisms exposed software development organizations to Chinese state-sponsored backdoors for six months.
Information Technology/IT
IT infrastructure compromised through malicious update hijacking, requiring immediate certificate verification upgrades and credential rotation across affected systems.
Government Administration
Chinese APT group Lotus Blossom's sophisticated Chrysalis backdoor specifically targeted government entities using compromised Notepad++ update infrastructure.
Financial Services
Supply chain compromise affecting text editor updates poses significant compliance risks under PCI DSS and regulatory frameworks for financial institutions.
Sources
- Notepad++ update feature hijacked by Chinese state hackers for monthshttps://www.bleepingcomputer.com/news/security/notepad-plus-plus-update-feature-hijacked-by-chinese-state-hackers-for-months/Verified
- The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkithttps://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/Verified
- Notepad++ Supply Chain Attack: Update Hijack Analysis & Remediationhttps://orca.security/resources/blog/notepad-plus-plus-supply-chain-attack/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit the Notepad++ update mechanism, thereby reducing the blast radius of the compromise.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to intercept and redirect update requests would likely have been constrained, reducing the scope of the initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges by delivering tampered updates would likely have been constrained, reducing the scope of the escalation.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely have been constrained, reducing the scope of the lateral movement.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely have been constrained, reducing the scope of the command and control.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely have been constrained, reducing the scope of the exfiltration.
The overall impact of unauthorized access and data breaches would likely have been constrained, reducing the blast radius of the compromise.
Impact at a Glance
Affected Business Functions
- Software Development
- IT Operations
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of system information and unauthorized access due to malware installation.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
- • Enhance update verification processes by enforcing certificate and signature validation to prevent supply chain attacks.
- • Deploy East-West Traffic Security controls to monitor and restrict internal traffic, mitigating lateral movement.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- • Regularly rotate and manage credentials to prevent unauthorized access and maintain system integrity.
