Notepad++ Suffers Supply Chain Attack
The popular open-source editor Notepad++ was compromised by a suspected Chinese state-sponsored actor between June and December 2025. The attack exploited a shared hosting provider to redirect update traffic. In response, the Notepad++ development team announced it is adding certificate and signature verification for all future updates to bolster security.
- The attack was highly targeted, impacting only about a dozen machines belonging to individuals and organizations in Vietnam, El Salvador, the Philippines, and Australia. This selective approach made the campaign difficult to detect, as it wasn't a widespread mass-exploitation.
- Security firm Rapid7 attributed the attack to Lotus Blossom (also known as Billbug), a suspected Chinese state-sponsored espionage group active since at least 2009.
- Attackers did not exploit a flaw in the Notepad++ application code itself; instead, they compromised the shared hosting server running the official website. This allowed them to intercept update requests from older versions of the editor, which had insufficient update verification controls.
- Even after the hosting provider performed maintenance in September 2025 that terminated the attackers' direct server access, the attackers retained stolen credentials that allowed them to continue redirecting update traffic until December 2, 2025.
- The attackers demonstrated adaptability by constantly rotating C2 server addresses, downloaders, and final payloads between July and October 2025, using at least three distinct infection chains.
- The malicious payload was a feature-rich, custom backdoor that researchers named "Chrysalis." It was delivered via an NSIS installer that sideloaded a malicious DLL.
- In response, Notepad++ version 8.8.9 was released, which introduced mandatory certificate and digital signature verification for the updater to prevent similar hijacks. The project also migrated to a new, more secure hosting provider.
- This incident is thematically similar to other major supply chain attacks like those on SolarWinds and Kaseya, where trusted vendor updates were used to distribute malware. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced a software supply chain attack.
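To illustrate why the signature check in 8.8.9 closes the hole the attackers used, here is an added example (not Notepad++'s own updater code) of an update client that only runs an installer whose signature verifies against a vendor public key compiled into the client; whoever controls the download host can swap the installer bytes, but cannot produce a valid signature without the vendor's private key. The Ed25519 key, the manifest layout and the sample installer bytes are constructed for the example, and the real project's certificate-based checks are not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest is what the client fetches: the installer plus a signature
// over SHA-256(version || 0x00 || installer). Assumed layout for this example.
type UpdateManifest struct {
	Version   string
	Installer []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned vendor key")

// signedDigest binds version and installer bytes so neither can be swapped alone.
func signedDigest(version string, installer []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0})
	h.Write(installer)
	return h.Sum(nil)
}

// SignUpdate is the vendor-side (build server) step, included so the demo runs offline.
func SignUpdate(priv ed25519.PrivateKey, version string, installer []byte) UpdateManifest {
	return UpdateManifest{Version: version, Installer: installer,
		Signature: ed25519.Sign(priv, signedDigest(version, installer))}
}

// VerifyUpdate must pass before the client executes anything it downloaded.
// The trust anchor is the pinned key, not the host the bytes came from.
func VerifyUpdate(pinned ed25519.PublicKey, m UpdateManifest) error {
	if !ed25519.Verify(pinned, signedDigest(m.Version, m.Installer), m.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Scenario signs a constructed installer, then replays a hijacked download host
// substituting the installer while leaving the signature untouched.
func Scenario() (genuine error, hijacked error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	m := SignUpdate(priv, "8.8.9", []byte("NSIS installer bytes (constructed sample)"))
	genuine = VerifyUpdate(pub, m)
	m.Installer = []byte("substituted installer from hijacked host (constructed sample)")
	hijacked = VerifyUpdate(pub, m)
	return genuine, hijacked
}

func main() {
	g, h := Scenario()
	fmt.Println("genuine update:", g, "| hijacked update:", h)
}
```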