Notepad++ update server hijacked in targeted attacks — outfit claims Chinese state-sponsored hackers may be to blame

[Image: Notepad++. Image credit: Notepad++]

The Notepad++ project yesterday disclosed that its update server was covertly hijacked in a targeted supply chain attack that began in June 2025, exposing a subset of users to malicious installers delivered through the editor’s built-in updater. According to Notepad++, the attackers, who it claims were "likely a Chinese state-sponsored group", gained the ability to selectively redirect update requests from specific users to attacker-controlled servers. Those victims were then served a manipulated update manifest that pointed to a trojanized installer instead of the legitimate release.

Notepad++ says that the attack was “targeted”, with users “selectively redirected” to the attacker-controlled update manifests. As a result, users who manually downloaded installers from the official website were not affected, and most update requests continued to resolve normally. Instead, the attackers appear to have intercepted traffic at the hosting layer used by the update service, which let them pick out targets in real time.
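To make the mechanism concrete, here is an added example (not Notepad++ project code, and not the real updater's manifest format) contrasting an update client that trusts whatever manifest it receives with one that pins the download host and checks the installer against a digest obtained out of band. The manifest schema, hostnames, installer bytes and digests are all constructed for the example; `update.example.invalid` stands in for an attacker-controlled server. The point it shows is why a self-consistent but redirected manifest fools the naive client (the attacker writes both the URL and the hash), while the manual-download path users took from the official site effectively had the host pinned.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed allow-list of hosts an installer may be fetched from (hypothetical
# policy for this example, not the project's actual configuration).
OFFICIAL_HOSTS = {"notepad-plus-plus.org"}

# Constructed sample artifacts: stand-ins for real installer bytes.
LEGIT_INSTALLER = b"constructed legitimate installer bytes"
TROJAN_INSTALLER = b"constructed trojanized installer bytes"
LEGIT_SHA256 = hashlib.sha256(LEGIT_INSTALLER).hexdigest()

# Constructed "network": what each URL would return if fetched.
FAKE_NETWORK = {
    "https://notepad-plus-plus.org/npp.installer.exe": LEGIT_INSTALLER,
    "https://update.example.invalid/npp.installer.exe": TROJAN_INSTALLER,
}


def fake_fetch(url):
    """Stand-in for an HTTPS download; returns the bytes the server would send."""
    return FAKE_NETWORK[url]


# Invented manifest format (not the real updater's): version, download URL, digest.
GOOD_MANIFEST = """<update>
  <version>X.Y.Z</version>
  <url>https://notepad-plus-plus.org/npp.installer.exe</url>
  <sha256>%s</sha256>
</update>""" % LEGIT_SHA256

# What a selectively redirected victim might receive: the attacker controls
# every field, including the digest, so the manifest checks out against itself.
HIJACKED_MANIFEST = """<update>
  <version>X.Y.Z</version>
  <url>https://update.example.invalid/npp.installer.exe</url>
  <sha256>%s</sha256>
</update>""" % hashlib.sha256(TROJAN_INSTALLER).hexdigest()


def parse_manifest(xml_text):
    """Extract the three fields from the constructed manifest format."""
    root = ET.fromstring(xml_text)
    return {key: root.findtext(key) for key in ("version", "url", "sha256")}


def naive_update(manifest_xml, fetch=fake_fetch):
    """Vulnerable pattern: follow the manifest URL and trust the manifest's own digest."""
    manifest = parse_manifest(manifest_xml)
    data = fetch(manifest["url"])
    if hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        return {"installed": False, "reason": "digest mismatch"}
    return {"installed": True, "source": urlparse(manifest["url"]).hostname, "payload": data}


def hardened_update(manifest_xml, trusted_sha256, fetch=fake_fetch):
    """Hardened pattern: require https, pin the download host, and compare the
    installer against a digest the attacker cannot write (obtained out of band,
    e.g. from a signed release record rather than the manifest itself)."""
    manifest = parse_manifest(manifest_xml)
    parts = urlparse(manifest["url"])
    if parts.scheme != "https":
        return {"installed": False, "reason": "non-https download URL"}
    if parts.hostname not in OFFICIAL_HOSTS:
        return {"installed": False, "reason": f"download host {parts.hostname} not allow-listed"}
    data = fetch(manifest["url"])
    if hashlib.sha256(data).hexdigest() != trusted_sha256:
        return {"installed": False, "reason": "digest does not match out-of-band value"}
    return {"installed": True, "source": parts.hostname, "payload": data}


if __name__ == "__main__":
    print("naive, hijacked manifest:", naive_update(HIJACKED_MANIFEST)["installed"])
    print("hardened, hijacked manifest:", hardened_update(HIJACKED_MANIFEST, LEGIT_SHA256)["reason"])
```

The host allow-list is the cheap check; the digest comparison is only as good as where `trusted_sha256` comes from, which is why real updaters sign the manifest with a key the client already holds rather than trusting a hash carried in the same document they are trying to validate.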


Luke James
Contributor

Luke James is a freelance writer and journalist. Although his background is in law, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.

  • frantyk
    Who was 'selectively' targeted? Have they shared the code used for this logic?
    Would be nice to know if it was at least country specific, as I have updated n++ since Aug last year!
  • bit_user
    This is why I never enable auto-updates.
  • thesyndrome
    How long have they known about this? Who was 'selectively targeted'?

    They need to provide more information, because 7 months is a REALLY LONG TIME to potentially have had a trojan on your device without knowing that a service you used might have been hijacked, and if they say the hackers had access to the server until December 2nd, then that means it's been at least 2 months that they have known about this breach and decided to only now tell people.
  • DS426
    frantyk said:
    Who was 'selectively' targeted, have they shared the code used for this logic.
    Would be nice to know if it was at least country specific, as I have updated n++ since aug last year!
    So far, it appears no individuals or organizations have been publicly named. Also, no IoCs according to their statement at Notepad++. *EDIT* However, Rapid7 provided details on artifacts, including IoCs, in their technical write-up of their investigation:
    https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
    That said, if the attribution of the threat actor is correct, we know what the targeted geographies and sectors are (even as this incident probably wouldn't run the full gamut of Lotus Blossom's target scope).

    "Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom. Active since 2009, the group is known for its targeted espionage campaigns primarily impacting organizations across Southeast Asia and more recently Central America, focusing on government, telecom, aviation, critical infrastructure, and media sectors."

    Specific to this Notepad++ incident, Kevin Beaumont, a well-known security researcher, also investigated the incident and said his victim(s) were in East Asia and were in financial services and telecom industries.
  • DS426
    thesyndrome said:
    How long have they known about this? Who was 'selectively targeted'?

    They need to provide more information, because 7 months is a REALLY LONG TIME to potentially have had a trojan on your device without knowing that a service you used might have been hijacked, and if they say the hackers had access to the server until December 2nd, then that means it's been at least 2 months that they have known about this breach and decided to only now tell people.
    Read above for the "who".

    It appears to me that Notepad++ learned about it on December 9, 2025 as reported to them by security researchers.
    https://notepad-plus-plus.org/news/v889-released/
    State-sponsored espionage attacks tend to have long dwell times, yes. It's not uncommon to find instances where these incidents went back over a year.