www.darkreading.com 2/2/2026, 10:15:30 PM · via preferred

Chinese Hackers Hijack Notepad++ Updates for 6 Months

A Notepad++ supply chain breach saw a state-sponsored threat actor hijack the Notepad++ updates for about six months, from June to December 2025. The intrusion stemmed from an infrastructure-level compromise at Notepad++’s hosting provider, enabling attackers to intercept update traffic destined for notepad-plus-plus[.]org and redirect it to attacker-controlled servers delivering malicious payloads.

According to Don Ho, the main maintainer of Notepad++, the compromise occurred at the hosting provider level rather than in the Notepad++ code itself, and targeted users were selectively redirected to malicious update manifests.

The attackers are described as a likely China-sponsored group that gained access to the third-party server hosting WinGUp, and they continued redirecting update traffic using valid credentials until at least 2 December 2025; the incident has been linked to APTs tracked as Violet Typhoon, APT31, and Zirconium. Rapid7 attributes the supply chain attack to Lotus Blossom, with a backdoor called Chrysalis deployed via the attack. The Notepad++ project has since moved to a new hosting provider and updated its WinGUp updater to include stricter verification and code-signing checks.
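The defensive point of the stricter verification mentioned above is that a redirected host can serve any manifest it likes, but cannot produce a valid signature under the project's pinned signing key. The following is an added illustration, not WinGUp's code: a simplified updater check that accepts a manifest only when it is signed by a pinned Ed25519 key and the downloaded payload hashes to the value inside that signed manifest. Keys, manifest layout and payload bytes are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a constructed, minimal update manifest: a version string,
// the SHA-256 of the installer bytes, and a signature over both fields.
type Manifest struct {
	Version    string
	PayloadSHA string // hex SHA-256 of the installer bytes
	Sig        []byte // Ed25519 signature over Version + "\n" + PayloadSHA
}

func signedBytes(m Manifest) []byte { return []byte(m.Version + "\n" + m.PayloadSHA) }

// VerifyUpdate accepts a manifest and payload only if the manifest carries a valid
// signature from the pinned project key and the payload matches the signed hash.
// A manifest served from a redirected host fails the first check: without the
// project's private key an attacker cannot forge the signature.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinned, signedBytes(m), m.Sig) {
		return errors.New("manifest signature invalid: not signed by pinned project key")
	}
	sum := sha256.Sum256(payload)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), m.PayloadSHA) {
		return errors.New("payload hash does not match signed manifest")
	}
	return nil
}

// SignManifest is the publisher side, included so the demo is self-contained.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, PayloadSHA: hex.EncodeToString(sum[:])}
	m.Sig = ed25519.Sign(priv, signedBytes(m))
	return m
}

func main() {
	projPub, projPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed project key
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)   // constructed attacker key
	good, bad := []byte("constructed legitimate installer"), []byte("constructed malicious payload")
	fmt.Println("genuine update:", VerifyUpdate(projPub, SignManifest(projPriv, "0.0.0-demo", good), good))
	fmt.Println("redirected host:", VerifyUpdate(projPub, SignManifest(attackerPriv, "0.0.0-demo", bad), bad))
	fmt.Println("payload swap:", VerifyUpdate(projPub, SignManifest(projPriv, "0.0.0-demo", good), bad))
}
```

Only the first call returns nil; the other two model the attacker-controlled manifest and a swapped installer behind a genuine manifest, both of which the pinned-key check rejects.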

Article by CyberSIXT