Executive Summary
Between June and December 2025, the Notepad++ text editor's update infrastructure was compromised by the Chinese state-sponsored hacking group Lotus Blossom. The attackers exploited vulnerabilities at the hosting provider level, redirecting update requests from targeted users to malicious servers. This allowed them to deliver a custom backdoor named Chrysalis, enabling unauthorized access to users' systems. The breach was addressed in December 2025 with the release of Notepad++ version 8.8.9, which enhanced update verification processes. (thehackernews.com)
This incident underscores the growing threat of supply chain attacks, where trusted software updates are manipulated to distribute malware. Organizations must prioritize securing their software supply chains and implement robust verification mechanisms to prevent similar breaches.
Why This Matters Now
The Notepad++ breach highlights the increasing sophistication of supply chain attacks by state-sponsored actors, emphasizing the urgent need for enhanced security measures in software distribution channels to protect against such threats.
Attack Path Analysis
The attackers initially compromised the shared hosting infrastructure of Notepad++, allowing them to intercept and redirect update requests from targeted users to malicious servers. They then exploited insufficient update verification controls in older versions of Notepad++ to deliver a tampered update containing a backdoor named Chrysalis. Utilizing DLL side-loading techniques, the attackers executed the Chrysalis backdoor, which established a command-and-control channel to receive further instructions. Through this channel, they could perform various actions, including gathering system information and executing commands. The attack concluded with the potential exfiltration of sensitive data and the establishment of persistent access on compromised systems.
Kill Chain Progression
Initial Compromise
Description
The attackers compromised the shared hosting infrastructure of Notepad++, enabling them to intercept and redirect update requests from targeted users to malicious servers.
Related CVEs
CVE-2025-15556
CVSS 7.7Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
Affected Products:
Notepad++ Notepad++ – < 8.8.9
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Compromise Software Supply Chain
Web Protocols
DLL Side-Loading
PowerShell
Ingress Tool Transfer
Dynamic-link Library Injection
Windows Service
Obfuscated Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities by installing applicable security patches
Control ID: 6.2
NYDFS 23 NYCRR 500 – Application Security
Control ID: 500.08
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Data Security
Control ID: Pillar 3: Data
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting software distribution mechanisms like Notepad++ compromise critical development tools, enabling lateral movement and data exfiltration across software ecosystems.
Government Administration
State-sponsored Lotus Blossom group specifically targeted government organizations in Philippines through compromised software updates, exploiting trust relationships for intelligence gathering operations.
Financial Services
Financial organizations in El Salvador were directly targeted through malicious Notepad++ updates, creating risks for encrypted traffic interception and egress security violations.
Information Technology/IT
IT service providers in Vietnam faced targeted attacks through compromised development tools, enabling threat actors to pivot into client networks via trusted software relationships.
Sources
- Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Grouphttps://thehackernews.com/2026/02/notepad-hosting-breach-attributed-to.htmlVerified
- Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Usershttps://thehackernews.com/2026/02/notepad-official-update-mechanism.htmlVerified
- The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkithttps://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/Verified
- Notepad++ supply chain attack breakdownhttps://securelist.com/notepad-supply-chain-attack/118708/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to redirect update requests may have been constrained, reducing the likelihood of delivering malicious updates to users.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges through tampered updates could have been limited, reducing the risk of backdoor installation.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network could have been constrained, limiting their ability to access additional systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command-and-control communications could have been limited, reducing their ability to manage compromised systems.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data could have been constrained, reducing the risk of data loss.
The attacker's ability to maintain persistent access and disrupt operations could have been limited, reducing the overall impact of the attack.
Impact at a Glance
Affected Business Functions
- Software Distribution
- Update Mechanism Integrity
Estimated downtime: 180 days
Estimated loss: N/A
Potential exposure of system information and unauthorized access to infected systems.
Recommended Actions
Key Takeaways & Next Steps
- • Implement robust update verification mechanisms to prevent exploitation of insufficient controls.
- • Enhance monitoring and logging to detect unauthorized access to hosting infrastructure.
- • Deploy intrusion detection systems to identify and block DLL side-loading attempts.
- • Establish strict egress filtering policies to control outbound traffic and prevent unauthorized data exfiltration.
- • Regularly review and update security policies to address evolving threats and vulnerabilities.
