WASHINGTON — Open-source editor Notepad++ says a Chinese-linked espionage operation hijacked parts of its update process for roughly six months in 2025, selectively steering some users to attacker-controlled downloads instead of legitimate updates. The Cybersecurity and Infrastructure Security Agency said it is “aware of the reported compromise and is investigating possible exposure across the United States Government,” as researchers tied the activity to a group tracked as “Lotus Blossom,” Feb. 2, 2026.
Notepad++ developer Don Ho said the compromise began in June 2025 and lasted until Dec. 2, 2025, after attackers abused weaknesses at a shared hosting provider to redirect update traffic for a limited set of targets, according to Reuters reporting on the incident.
How the Notepad++ supply-chain breach worked
The attack did not rely on a newly discovered bug in Notepad++ itself. Instead, investigators say the adversary gained footholds in update-related infrastructure and used that access to serve a poisoned update path only to selected victims — a hallmark of espionage operations designed to avoid broad detection.
Rapid7 said its incident response work linked the campaign to Lotus Blossom and documented a custom backdoor it dubbed Chrysalis, which can provide interactive control of compromised machines and enable follow-on activity such as credential theft and lateral movement. The firm detailed the tooling and delivery chain in its technical write-up on the Chrysalis backdoor.
Notepad++ has also pointed users to mitigations in its updater, including stronger verification so tampered downloads are rejected. In a December 2025 release note, the project said it hardened update checks by verifying the installer’s signature and certificate during the update process in Notepad++ v8.8.9’s security-focused update.
Steps to secure Notepad++ installs now
For individuals, the lowest-friction move is to ensure your Notepad++ installation is current (at least v8.8.9) and to avoid downloading installers from search ads or third-party mirrors. For IT teams, the more important step is scoping exposure: identify endpoints where Notepad++ is installed, then hunt for unusual updater behavior (unexpected child processes, suspicious executables dropped to temp directories, or outbound connections that don’t match your normal update patterns).
Because the campaign appears targeted, organizations with sensitive regional interests — particularly those that could draw intelligence collection — should treat unexplained endpoint anomalies during the June-to-December 2025 window as worth a closer look. A separate account of user-focused precautions and indicators discussed by independent researchers is summarized in The Verge’s report on the Notepad++ server hijacking.
Why this Notepad++ incident fits a long-running playbook
Warnings about unusual Notepad++-linked activity surfaced before the full picture came into focus. In December 2025, security researcher Kevin Beaumont wrote that he had heard from three organizations where Notepad++ processes appeared connected to initial access and “hands on keyboard” activity, in his early notes on Notepad++ security woes.
More broadly, the episode echoes prior supply-chain compromises that weaponized trust in routine updates — from large-scale incidents like SolarWinds, outlined in the Canadian Cyber Centre’s SolarWinds supply-chain advisory, to highly selective campaigns such as the ASUS Live Update intrusion described in Kaspersky’s report on Operation ShadowHammer.
For Notepad++ users, the takeaway is blunt: even widely used open-source tools can become high-value entry points when attackers can manipulate the infrastructure that delivers updates. For defenders, CISA’s investigation suggests the incident will be treated as a serious supply-chain test case — especially where government or critical-infrastructure environments may have been exposed.
