
Cyber Incident Victim: Notepad++

Date: Jun 2025

Location: France

Summary

Notepad++ was compromised when attackers gained control of its shared hosting provider and redirected update traffic to malicious servers, enabling them to deliver a custom backdoor dubbed Chrysalis, along with Cobalt Strike and Metasploit payloads, to a selected subset of users. The intrusion, attributed to the Chinese state-sponsored group tracked as Lotus Blossom (also known as Billbug), persisted for several months: the hosting provider's scheduled maintenance ended the foothold on the server itself, but stolen credentials let the attackers keep intercepting traffic. Detection was hindered because the malicious updates blended in with normal developer activity, evading many EDR tools that treat expected behavior as benign. In response, the project moved to a new hosting provider and strengthened its updater to verify the certificate and signature of downloaded installers, with enforcement planned for an upcoming release.


Description

The attack on Notepad++ unfolded between June and December 2025, when threat actors compromised the shared hosting provider that served the project's update infrastructure. With access to the hosting server, the attackers redirected update requests bound for the Notepad++ domain to attacker-controlled systems and served malicious updates to a subset of users who checked for an upgrade. The maintainer's blog post did not name the hosting provider. According to the provider, the server itself remained compromised until September 2, 2025, when scheduled kernel and firmware maintenance took place, but the attackers retained stolen credentials for internal services until December 2, 2025, which allowed them to keep intercepting traffic. The intrusion was highly selective: only certain users' update requests were diverted while the majority of legitimate update traffic proceeded normally, a targeting pattern that multiple independent security researchers assessed as characteristic of a Chinese state-sponsored group.


Rapid7's technical analysis identified a custom backdoor dubbed "Chrysalis" supporting sixteen commands, including an interactive shell and self-removal, used alongside the Cobalt Strike and Metasploit frameworks. One loader variant abused Microsoft's Warbird internal code-protection framework to execute shellcode while masquerading as a legitimate Microsoft-signed binary. Rapid7 attributed the campaign to the Chinese APT group Lotus Blossom (also known as Billbug), citing overlaps with tradecraft documented in earlier Symantec research, such as a renamed Bitdefender executable used to side-load a malicious DLL. Infrastructure linked to the operation included IP addresses in Malaysia and China and command-and-control endpoints such as api.skycloudcenter.com and api.wiresguard.com. Detection proved difficult because the trojanized editor blended with normal developer behavior, and the maintainer's incident response team could not extract concrete indicators of compromise despite reviewing approximately four hundred gigabytes of server logs.
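A hunting check for the two command-and-control domains named above, added here as an example; it is not Rapid7's or the project's code. The resolver log lines are constructed for the demo, and the matching logic handles case, trailing root dots and subdomains on label boundaries, so a lookalike registered elsewhere such as api.wiresguard.com.example.net does not fire.

```go
package main

import (
	"fmt"
	"strings"
)

// C2 domains reported by Rapid7 for this campaign, as listed on the page above.
var ChrysalisC2Domains = []string{
	"api.skycloudcenter.com",
	"api.wiresguard.com",
}

// Constructed resolver log lines in the form "timestamp client qname"; not real
// telemetry from the incident. They cover case, trailing dots, a subdomain, a
// lookalike suffix under another registrant, and an unrelated parent domain.
var SampleDNSLog = []string{
	"2025-11-14T09:12:03Z 10.0.4.17 notepad-plus-plus.org.",
	"2025-11-14T09:12:05Z 10.0.4.17 api.skycloudcenter.com.",
	"2025-11-14T09:13:40Z 10.0.4.22 cdn.api.wiresguard.com.",
	"2025-11-14T09:14:01Z 10.0.4.31 api.wiresguard.com.example.net.",
	"2025-11-14T09:15:22Z 10.0.4.40 API.WIRESGUARD.COM",
	"2025-11-14T09:16:00Z 10.0.4.52 wiresguard.com.",
	"malformed line",
}

// normalizeHost lowercases a name and strips the trailing root dot so that
// "API.WIRESGUARD.COM" and "api.wiresguard.com." compare equal.
func normalizeHost(h string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(h)), ".")
}

// MatchIndicator reports which indicator the host equals or is a subdomain of.
// The suffix test is anchored on a label boundary ("." + indicator), so
// "api.wiresguard.com.example.net" does not match, and a bare parent such as
// "wiresguard.com" is not an indicator and does not match either.
func MatchIndicator(host string, indicators []string) (string, bool) {
	host = normalizeHost(host)
	for _, ioc := range indicators {
		ioc = normalizeHost(ioc)
		if host == ioc || strings.HasSuffix(host, "."+ioc) {
			return ioc, true
		}
	}
	return "", false
}

// Hit records one log line whose query name matched an indicator.
type Hit struct {
	Time, Client, QName, Indicator string
}

// ScanDNSLog walks "timestamp client qname" lines and returns the matches in
// log order; lines with fewer than three fields are skipped, not fatal.
func ScanDNSLog(lines, indicators []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue
		}
		if ioc, ok := MatchIndicator(f[2], indicators); ok {
			hits = append(hits, Hit{Time: f[0], Client: f[1], QName: f[2], Indicator: ioc})
		}
	}
	return hits
}

func main() {
	for _, h := range ScanDNSLog(SampleDNSLog, ChrysalisC2Domains) {
		fmt.Printf("%s %s queried %s (indicator %s)\n", h.Time, h.Client, h.QName, h.Indicator)
	}
}
```

On the constructed input this reports three clients (10.0.4.17, 10.0.4.22 and 10.0.4.40); the lookalike and the bare parent domain are left alone. The same matcher can be pointed at proxy or firewall logs, since the only parsing it depends on is the position of the query name in the line.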

In response, Notepad++ migrated to a new hosting provider and hardened its WinGup updater component: as of version 8.8.9 it verifies both the certificate and the signature of downloaded installers, and that verification is slated to become mandatory from version 8.9.2, expected within roughly one month. The maintainer issued a public apology for the hijacking and noted that the exact technical mechanism of the initial server breach remained under investigation, while also stating that a bug exploited in the attack had been patched in November and that the attackers' access was cut off in early December; logs afterwards showed a failed attempt to re-exploit the fixed vulnerability. Security researcher Kevin Beaumont reported that the compromise gave attackers hands-on access to the computers of victims who had unknowingly installed a tainted version of Notepad++, affecting a small number of organizations with interests in East Asia. In broader discussion the incident was compared to the 2019-2020 SolarWinds supply chain breach carried out by Russian government hackers.
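The updater hardening described above, rendered as an added example in Go; this is not WinGup's code. The real updater checks the code-signing certificate and signature of a Windows installer, whereas this stand-in models the same two checks with a self-signed ECDSA certificate, a detached signature over the installer bytes and a pinned SHA-256 certificate fingerprint, all constructed here. The point it makes is that both checks are needed once the update server is hostile: a hijacked server can return a perfectly valid signature from a certificate of its own choosing, or the genuine certificate and signature attached to a swapped installer body, and each of those must be rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check aborts the demo on key/certificate setup errors; verification itself returns errors.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewSigner creates a P-256 key and a self-signed code-signing certificate
// (there is no CA in this demo; the updater pins the certificate directly).
func NewSigner(cn string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return key, cert
}

// Sign produces an ASN.1 ECDSA signature over the SHA-256 digest of the installer.
func Sign(key *ecdsa.PrivateKey, installer []byte) []byte {
	digest := sha256.Sum256(installer)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return sig
}

// Fingerprint is the SHA-256 of the DER certificate: the value the updater pins.
func Fingerprint(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.Raw)
}

// Update is what the update server returns; after a hosting hijack every field is attacker-controlled.
type Update struct {
	Installer  []byte
	Signature  []byte
	SignerCert *x509.Certificate
}

// VerifyUpdate applies both checks: the signer certificate must be the pinned one, and its key
// must verify the signature over the bytes actually received. Either check alone is bypassable.
func VerifyUpdate(u Update, pinned [32]byte) error {
	if u.SignerCert == nil || len(u.Signature) == 0 {
		return fmt.Errorf("installer is unsigned")
	}
	if Fingerprint(u.SignerCert) != pinned {
		return fmt.Errorf("signer %q is not the pinned release certificate", u.SignerCert.Subject.CommonName)
	}
	// CheckSignature hashes the installer with SHA-256 and verifies the ECDSA signature with the cert's key.
	if err := u.SignerCert.CheckSignature(x509.ECDSAWithSHA256, u.Installer, u.Signature); err != nil {
		return fmt.Errorf("signature does not cover the installer bytes received: %w", err)
	}
	return nil
}

// Scenario builds responses a hijacked update server could return and reports which ones are accepted.
func Scenario() map[string]bool {
	vendorKey, vendorCert := NewSigner("Release Signing (constructed)")
	attackerKey, attackerCert := NewSigner("Attacker Signing (constructed)")
	pinned := Fingerprint(vendorCert)
	genuine := []byte("constructed genuine installer bytes")
	trojan := []byte("constructed installer carrying a backdoor loader")
	vendorSig := Sign(vendorKey, genuine)
	cases := map[string]Update{
		"genuine":             {Installer: genuine, Signature: vendorSig, SignerCert: vendorCert},
		"attacker-signed":     {Installer: trojan, Signature: Sign(attackerKey, trojan), SignerCert: attackerCert},
		"vendor-sig-replayed": {Installer: trojan, Signature: vendorSig, SignerCert: vendorCert},
		"unsigned":            {Installer: trojan},
	}
	results := make(map[string]bool, len(cases))
	for name, u := range cases {
		results[name] = VerifyUpdate(u, pinned) == nil
	}
	return results
}

func main() { fmt.Println(Scenario()) }
```

Only the genuine case is accepted. Pinning the certificate fingerprint (rather than trusting any certificate that chains to a public CA) is what defeats the attacker-signed case, since a hosting compromise does not give the attacker the vendor's signing key but may well let them obtain a code-signing certificate of their own; the cost is that rotating the release certificate requires shipping a new updater that knows the new fingerprint. The signature check over the received bytes is what defeats the replayed case, where the genuine certificate is presented alongside a different installer.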
