securityaffairs.com 2/18/2026, 8:46:12 PM · via preferred

Notepad++ patches flaw used to hijack update system

CyberSIXT Evidence Panel
CVE Intel: CVE-2026-25926
CISA KEV: Not in KEV
Patch: Patch available
Threat Actor: Lotus Blossom (China-linked APT, per Rapid7)

Notepad++ has patched a weakness in its update mechanism that attackers abused to push malware to targeted users. In early February the Notepad++ maintainer disclosed that nation-state hackers had compromised the hosting provider's infrastructure and redirected update traffic to malicious servers. According to the maintainers' advisory, the attack did not exploit a flaw in the Notepad++ code itself: the attackers intercepted updates in transit, before they reached users, which is why the fix hardens the update path rather than the editor.

Rapid7's MDR team traced the campaign to the China-linked APT Lotus Blossom. The intrusion into the Notepad++ hosting infrastructure was used to deploy a new custom backdoor, Chrysalis, together with stealthy loaders that abused Microsoft Warbird to conceal code execution.

The incident began in June 2025. One assessment puts the end of the attacks around November 10, 2025, while another allows for continued access until December 2, 2025. The campaign was tied to targeted espionage against government and critical-infrastructure organisations in Southeast Asia and Central America.

Notepad++ 8.9.2 introduces a "double lock" update check: the updater verifies both the signed installer fetched from GitHub and the signed XML manifest served by the update server, so a rogue update has to pass both checks before it is installed. The release also hardens the WinGUp auto-updater by removing libcurl.dll, closing a DLL side-loading avenue, and by fixing an Unsafe Search Path vulnerability tracked as CVE-2026-25926 (CVSS 7.3).
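The "double lock" described above, as an added example that is not Notepad++'s or WinGUp's own code: a Go update client that pins two Ed25519 public keys, one for the update-server manifest and one for the installer, and accepts an update only if both signatures verify, the download URL is HTTPS on the pinned host, and the installer's SHA-256 matches what the signed manifest names. The XML element names, the release URL, the keys and the installer bytes are all constructed for the example; the real updater's signature formats and XML schema are not reproduced here. The scenario builder also stages three attacker variants that mirror a hosting compromise (installer swapped, manifest forged, and the worst case of a stolen manifest key) to show which lock stops each one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"net/url"
)

// Manifest is a constructed stand-in for the update XML; element and field
// names are assumptions, not the real WinGUp schema.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"url"`
	SHA256  string   `xml:"sha256"`
}

// Update: manifest and signature from the update server, installer and signature from the release host.
type Update struct {
	ManifestXML, ManifestSig, Installer, InstallerSig []byte
}

// TrustRoots are pinned in the client: one public key per lock plus the only host an installer may come from.
type TrustRoots struct {
	ManifestKey, InstallerKey ed25519.PublicKey
	AllowedHost               string
}

var (
	ErrManifestSig  = errors.New("lock 1 failed: manifest signature invalid")
	ErrHost         = errors.New("download URL is not https on the pinned host")
	ErrDigest       = errors.New("installer digest does not match manifest")
	ErrInstallerSig = errors.New("lock 2 failed: installer signature invalid")
)

// Verify accepts an update only if both locks hold and the installer is the one the
// manifest names; the installer is not consulted until the manifest is authenticated.
func Verify(roots TrustRoots, u Update) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(roots.ManifestKey, u.ManifestXML, u.ManifestSig) {
		return m, ErrManifestSig // lock 1
	}
	if err := xml.Unmarshal(u.ManifestXML, &m); err != nil {
		return m, err
	}
	if p, err := url.Parse(m.URL); err != nil || p.Scheme != "https" || p.Hostname() != roots.AllowedHost {
		return m, ErrHost
	}
	if digestHex(u.Installer) != m.SHA256 {
		return m, ErrDigest
	}
	if !ed25519.Verify(roots.InstallerKey, u.Installer, u.InstallerSig) {
		return m, ErrInstallerSig // lock 2
	}
	return m, nil
}

func digestHex(b []byte) string { sum := sha256.Sum256(b); return hex.EncodeToString(sum[:]) }

// signedManifest serialises and signs a manifest; in production this belongs to
// the release pipeline, never to the update host.
func signedManifest(priv ed25519.PrivateKey, m Manifest) (xmlBytes, sig []byte) {
	xmlBytes, _ = xml.Marshal(m)
	return xmlBytes, ed25519.Sign(priv, xmlBytes)
}

// Scenario is one genuine update plus three attacker variants, built from
// freshly generated keys and constructed installer bytes.
type Scenario struct {
	Roots                                                      TrustRoots
	Genuine, SwappedInstaller, RogueManifest, StolenManifestKey Update
}

func BuildScenario() Scenario {
	manPub, manPriv, _ := ed25519.GenerateKey(rand.Reader)   // update-server key
	instPub, instPriv, _ := ed25519.GenerateKey(rand.Reader) // release-signing key
	_, atkPriv, _ := ed25519.GenerateKey(rand.Reader)        // attacker's own key
	installer := []byte("constructed installer bytes for 8.9.2")
	malware := []byte("constructed attacker payload")
	const good = "https://github.com/example/npp.8.9.2.Installer.x64.exe" // assumed path
	s := Scenario{Roots: TrustRoots{manPub, instPub, "github.com"}}
	gx, gs := signedManifest(manPriv, Manifest{Version: "8.9.2", URL: good, SHA256: digestHex(installer)})
	s.Genuine = Update{gx, gs, installer, ed25519.Sign(instPriv, installer)}
	// Variant 1: signed manifest left intact, installer download redirected to malware.
	s.SwappedInstaller = s.Genuine
	s.SwappedInstaller.Installer = malware
	// Variant 2: attacker serves a manifest signed with a key of their own.
	rx, rs := signedManifest(atkPriv, Manifest{Version: "9.0.0", URL: "https://attacker.invalid/npp.exe", SHA256: digestHex(malware)})
	s.RogueManifest = Update{rx, rs, malware, ed25519.Sign(atkPriv, malware)}
	// Variant 3: manifest key stolen, so lock 1 passes and the digest matches; only lock 2 stops it.
	sx, ss := signedManifest(manPriv, Manifest{Version: "9.0.0", URL: good, SHA256: digestHex(malware)})
	s.StolenManifestKey = Update{sx, ss, malware, ed25519.Sign(atkPriv, malware)}
	return s
}
```

The order of checks is the point: the client authenticates the manifest before it parses it, pins the download host before it fetches anything, and still refuses a correctly described installer that the release key did not sign. An attacker who only controls the hosting (variants 1 and 2) is stopped by the first lock or the digest binding; even one who has also stolen the manifest signing key (variant 3) is stopped by the second lock.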


Article by CyberSIXT