securityaffairs.com 2/3/2026, 10:35:20 AM · via preferred

Notepad++ infrastructure hack likely tied to China-nexus APT Lotus Blossom

Rapid7 researchers have linked a Notepad++ hosting breach to the China-nexus APT Lotus Blossom, describing the incident as an infrastructure compromise rather than a flaw in Notepad++ code. The attack began in June 2025, when attackers compromised a shared hosting server to intercept and redirect update traffic to attacker-controlled servers before delivering a new backdoor and stealthy loaders.

According to the advisory published by the software maintainers, the compromise occurred at the hosting provider level and involved redirecting update manifests rather than exploiting Notepad++ itself. The operation culminated in a custom backdoor named Chrysalis, deployed alongside loaders abusing Microsoft Warbird, and included DLL sideloading through a renamed Bitdefender binary.

Rapid7’s investigation attributes the campaign to Lotus Blossom based on overlaps with prior research, including a renamed Bitdefender tool and shared code indicators. The breach persisted from June 2025 to December 2, 2025, with the hosting provider noting possible attacker access until that date and later stating there was no evidence of continued attacker activity.

Article by CyberSIXT