In one of the most significant software supply chain attacks of 2025, the popular open-source text editor Notepad++ was compromised by a Chinese state-sponsored hacking group. The attack, which ran from June through December 2025, allowed threat actors to selectively deliver malware to high-value targets through the application's legitimate update mechanism [1].
This incident serves as a stark reminder that even trusted, widely-used software can become a vector for sophisticated cyberattacks. For businesses that rely on Notepad++ or similar development tools, understanding how this attack worked and implementing appropriate defenses is critical.
Immediate Action Required
If your organization uses Notepad++, ensure all installations are updated to version 8.9.1 or later. Earlier versions may have been compromised and lack the security fixes that prevent future attacks. Download updates only from the official website: notepad-plus-plus.org.
What Happened: The Attack Timeline
According to the official disclosure from the Notepad++ project and analysis from security firm Rapid7, the attack exploited the application's update infrastructure rather than vulnerabilities in the software itself [1][2].
Attack Timeline
The hosting provider stated that "the server could have been compromised" and that "bad actors" maintained credentials allowing them to "redirect some of the traffic" [1]. This infrastructure-level compromise meant the attackers didn't need to modify Notepad++'s source code; they simply intercepted and redirected update requests from targeted users.
Who Was Behind It: Lotus Blossom APT
Security researchers at Rapid7 attributed the attack with medium confidence to Lotus Blossom, a Chinese state-sponsored Advanced Persistent Threat (APT) group also known as Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip [2][3].
Lotus Blossom has been active since at least 2009 and is known for targeted espionage campaigns primarily impacting organizations across:
- Government agencies - particularly in Southeast Asia
- Telecommunications providers
- Aviation and aerospace
- Critical infrastructure
- Media organizations
The attribution is based on similarities with prior Lotus Blossom campaigns, including the use of legitimate executables from security vendors (Trend Micro and Bitdefender) to sideload malicious DLLs [2].
How the Attack Worked: Technical Details
The Notepad++ supply chain attack demonstrates a sophisticated approach classified under MITRE ATT&CK T1195.002: Compromise Software Supply Chain [4]. Rather than compromising the software itself, attackers targeted the delivery mechanism.
The Attack Chain
- Infrastructure Compromise: Attackers gained access to Notepad++'s hosting provider and obtained credentials to redirect traffic
- Selective Targeting: Update requests from specific IP ranges or organizations were identified and redirected to attacker-controlled servers
- Malicious Payload Delivery: Targeted victims received a malicious "update.exe" instead of the legitimate updater
- NSIS Installer Execution: The fake update was an NSIS installer that dropped files into a hidden AppData folder
- DLL Sideloading: A renamed Bitdefender binary was abused to load a malicious DLL
- Backdoor Installation: The Chrysalis backdoor was decrypted and launched
The Chrysalis Backdoor
The attackers deployed a previously undocumented backdoor that Rapid7 researchers dubbed "Chrysalis". The implant supports 16 distinct commands, including [2]:
- Interactive shell access
- Process creation and management
- File operations (read, write, delete)
- File upload and download
- System enumeration
- Self-removal capabilities
The malware also utilized advanced evasion techniques, including integration with Microsoft Warbird, an internal code protection framework, to execute shellcode while masquerading as a legitimate Microsoft-signed binary [2].
Why This Attack Was Hard to Detect
The attack exploited the trust relationship between Notepad++ and its users. Because the malware was delivered through the legitimate update mechanism, victims had no reason to suspect the update was malicious. The selective targeting also minimized exposure, making detection through widespread reports unlikely.
Supply Chain Attacks: A Growing Threat
The Notepad++ incident is part of a larger trend. According to industry research, software supply chain attacks more than doubled globally during 2025, with approximately 30% of all data breaches now linked to third-party or supply chain issues [5].
Notable supply chain attacks in recent years include:
- SolarWinds (2020): Russian APT29 compromised the Orion platform, affecting 18,000+ organizations
- 3CX (2023): North Korean hackers compromised the VoIP application in a "double supply chain" attack
- npm "Shai-Hulud" (2025): Self-replicating worm compromised 500+ packages in the npm ecosystem [6]
- IPany VPN (2025): PlushDaemon APT trojanized the South Korean VPN provider's official downloads [5]
These attacks are particularly concerning because they weaponize the trust organizations place in their software vendors. As NIST notes, supply chain risk management must address "insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware" throughout the entire system lifecycle [7].
Protecting Your Organization from Supply Chain Attacks
While no defense is perfect against sophisticated state-sponsored actors, organizations can significantly reduce their risk by implementing defense-in-depth strategies aligned with NIST and CISA guidance [7][8].
1. Implement Software Bill of Materials (SBOM)
CISA and international partners have issued joint guidance emphasizing the importance of Software Bill of Materials (SBOM) for supply chain transparency [8]. An SBOM provides a detailed inventory of all software components, making it easier to identify vulnerable or compromised elements.
2. Verify Software Integrity
Before installing or updating software:
- Download only from official sources
- Verify cryptographic signatures when available
- Compare file hashes against published values
- Monitor for unexpected certificates or signing changes
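The checks above, as an added PowerShell example (not code from the Notepad++ project or the original post), applied to a downloaded installer before it is run. The signer subject and the published SHA-256 value are placeholders you supply yourself: record the subject from a known-good installer and copy the hash from the project's official release page.

```powershell
# Added example: verify a downloaded Notepad++ installer before executing it.
#   1. the Authenticode signature must verify and chain to a trusted root
#   2. the signer subject must match a value recorded from a known-good install
#   3. the SHA-256 hash must match the value the project publishes for that release
# $ExpectedSigner and $PublishedSha256 are placeholders; fill them in yourself.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    [Parameter(Mandatory)] [string] $PublishedSha256,   # from the official release page
    [string] $ExpectedSigner = 'CN=<record this from a known-good installer>'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "Installer not found: $InstallerPath"
}

# 1. Signature check. 'Valid' means the signature verifies and the certificate
#    chains to a root the machine trusts; anything else is a hard stop.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 2. Signer check. A valid signature from the wrong publisher is still a red flag,
#    so compare the subject with the value you recorded earlier.
$subject = $sig.SignerCertificate.Subject
if ($subject -ne $ExpectedSigner) {
    throw "Unexpected signer: '$subject' (expected '$ExpectedSigner')"
}

# 3. Hash check. Get-FileHash returns upper-case hex, so normalise the published value.
$actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
if ($actual -ne $PublishedSha256.ToUpperInvariant()) {
    throw "SHA-256 mismatch: got $actual, expected $PublishedSha256"
}

# Emit a record of what was verified so the install decision is auditable.
[pscustomobject]@{
    File       = $InstallerPath
    Signer     = $subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
    Sha256     = $actual
    Verified   = $true
}
```

Run it from an elevated prompt only after it has completed without throwing; a thrown error means the file should not be installed and the download source should be investigated.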
3. Network Segmentation and Monitoring
Limit the blast radius of potential compromises:
- Segment development environments from production systems
- Monitor outbound connections for unusual traffic patterns
- Implement EDR or XDR solutions to detect post-compromise activity
- Log and analyze software update traffic
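One way to act on the last two points, as an added PowerShell example (not from the original post): scan web-proxy log lines for update checks against the official Notepad++ domain that were answered with a redirect elsewhere, and for executables fetched from hosts outside an allowlist. The log format, the update-check URL path, the client addresses and the non-official hostnames are constructed for the example; the allowlist of download hosts is an assumption you should adjust to your environment.

```powershell
# Added example: flag update traffic that has been redirected off the official domain.
$OfficialDomain = 'notepad-plus-plus.org'

# Constructed sample proxy lines: timestamp, client, method, URL, status, Location header.
# The URL path and the example.net host are placeholders, not real Notepad++ infrastructure.
$SampleLog = @'
2025-09-01T10:02:11Z 10.1.4.21 GET https://notepad-plus-plus.org/update/check 200 -
2025-09-01T10:05:43Z 10.1.4.37 GET https://notepad-plus-plus.org/update/check 302 https://updates-mirror.example.net/update.exe
2025-09-01T10:07:02Z 10.1.4.37 GET https://updates-mirror.example.net/update.exe 200 -
2025-09-01T10:09:15Z 10.1.4.58 GET https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.9.1/npp.8.9.1.Installer.x64.exe 200 -
'@

function Get-HostName([string] $Url) {
    try { ([uri]$Url).Host.ToLowerInvariant() } catch { $null }
}

function Test-InDomain([string] $HostName, [string] $Domain) {
    return ($HostName -eq $Domain) -or $HostName.EndsWith(".$Domain")
}

function Find-SuspiciousUpdateTraffic {
    param(
        [string[]] $Lines,
        # Assumed allowlist: the official site plus the GitHub hosts that serve its releases.
        [string[]] $AllowedDownloadHosts = @($OfficialDomain, 'github.com', 'objects.githubusercontent.com')
    )
    foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 6) { continue }
        $ts, $client, $method, $url, $status, $location = $f[0..5]
        $urlHost = Get-HostName $url
        # A: an update check on the official domain answered with a 3xx to another domain
        if ((Test-InDomain $urlHost $OfficialDomain) -and $status -match '^3\d\d$') {
            $locHost = Get-HostName $location
            if (-not (Test-InDomain $locHost $OfficialDomain)) {
                [pscustomobject]@{ Time = $ts; Client = $client; Reason = 'Update check redirected off official domain'; Url = $url; Target = $location }
            }
        }
        # B: an executable fetched from a host that is not on the allowlist
        if ($url -match '\.exe$' -and -not ($AllowedDownloadHosts | Where-Object { Test-InDomain $urlHost $_ })) {
            [pscustomobject]@{ Time = $ts; Client = $client; Reason = 'Executable downloaded from non-allowlisted host'; Url = $url; Target = $null }
        }
    }
}

Find-SuspiciousUpdateTraffic -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the constructed sample, client 10.1.4.37 is flagged twice (the redirect and the follow-up download) while the direct GitHub release download is not; on real logs, feed the function your proxy export one line at a time and correlate hits by client address.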
4. Apply the Principle of Least Privilege
Even if an application is compromised, limit what attackers can access:
- Run applications with minimal necessary permissions
- Use application allowlisting where feasible
- Restrict developer tool access to those who need it
- Implement just-in-time privileged access
Supply Chain Security Checklist
- Maintain an inventory of all software and versions in your environment
- Subscribe to security advisories for critical software
- Implement network monitoring for unusual update traffic
- Test updates in isolated environments before wide deployment
- Verify digital signatures on all downloaded software
- Review vendor security practices before procurement
- Develop incident response procedures for supply chain compromises
- Consider managed detection and response (MDR) services
Compliance Implications
Supply chain security is increasingly addressed in regulatory frameworks:
NIST Cybersecurity Framework
NIST CSF 2.0 emphasizes supply chain risk management (C-SCRM) as a core component. Organizations pursuing higher maturity levels must demonstrate comprehensive supplier risk assessment and monitoring [7].
CMMC 2.0
Defense contractors must implement supply chain risk management practices, including controls for software integrity verification and vendor assessment.
Executive Order 14028
Federal agencies and their contractors must adhere to enhanced software supply chain security requirements, including SBOM generation and vulnerability disclosure [8].
Lessons Learned
The Notepad++ supply chain attack offers several important lessons for organizations:
- Trust but verify: Even legitimate, well-known software can be compromised. Implement verification controls regardless of the source.
- Shared infrastructure is a risk: Cloud and shared hosting environments create potential attack surfaces that may be outside your direct control.
- Selective targeting evades detection: Attacks that target specific victims may go unnoticed for extended periods. Don't rely solely on community reports.
- Update mechanisms are high-value targets: Automatic updates, while important for security, can also be weaponized. Consider controlled update rollouts for critical systems.
- Detection requires visibility: Without endpoint detection and network monitoring, identifying post-compromise activity is extremely difficult.
Key Takeaways
Summary for IT Leaders
- Notepad++ was compromised for 6 months by Chinese APT Lotus Blossom
- Attackers hijacked update infrastructure, not the software itself
- High-value targets in government, telecom, and critical infrastructure were affected
- Update to Notepad++ 8.9.1 or later immediately
- Implement SBOM and software verification practices
- Deploy EDR/XDR for detection of post-compromise activity
- Supply chain attacks are increasing; assume all software is a potential risk
Next Steps
Supply chain attacks represent one of the most challenging threats facing organizations today. They exploit the trust we place in our software vendors and can bypass traditional security controls entirely.
At LocalEdgeIT, we help Denver businesses implement comprehensive security strategies that address modern threats like supply chain attacks. From endpoint protection to network monitoring and incident response planning, our team provides the expertise needed to defend against sophisticated adversaries.
Concerned about your supply chain security posture? Take our free IT Security Assessment to evaluate your current defenses, or contact us to discuss how we can help protect your organization.
Sources & Additional Resources
- [1] Hijacked Incident Info & Update - Notepad++ Official, January 2026
https://notepad-plus-plus.org/news/hijacked-incident-info-update/
Official disclosure from the Notepad++ project.
- [2] The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's Toolkit - Rapid7, February 2026
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
Technical analysis of the malware and attribution.
- [3] Notepad++ infrastructure hijacked by Chinese APT in sophisticated supply chain attack - CSO Online, January 2026
https://www.csoonline.com/article/4126269/notepad-infrastructure-hijacked-by-chinese-apt-in-sophisticated-supply-chain-attack.html
Industry coverage of the incident.
- [4] Supply Chain Compromise: Compromise Software Supply Chain (T1195.002) - MITRE ATT&CK
https://attack.mitre.org/techniques/T1195/002/
Framework documentation for this attack technique.
- [5] State Sponsored Hacking: How Nation-State APT Attacks Work in 2025 - DeepStrike, 2025
https://deepstrike.io/blog/state-sponsored-hacking-apt-threats-2025
Overview of the current APT threat landscape.
- [6] Widespread Supply Chain Compromise Impacting npm Ecosystem - CISA, September 2025
https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem
CISA alert on a related supply chain incident.
- [7] Cybersecurity Supply Chain Risk Management (C-SCRM) - NIST
https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management
NIST guidance on supply chain risk management.
- [8] Securing the Software Supply Chain: Recommended Practices Guide - CISA/NSA
https://www.cisa.gov/resources-tools/resources/securing-software-supply-chain-recommended-practices-guide-customers-and
Joint guidance on software supply chain security.
- [9] NIST Special Publication 800-161 Rev. 1 - NIST, 2022
https://csrc.nist.gov/pubs/sp/800/161/r1/final
Comprehensive C-SCRM practices for systems and organizations.
- [10] Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group - The Hacker News, February 2026
https://thehackernews.com/2026/02/notepad-hosting-breach-attributed-to.html
News coverage with attribution details.