A China-linked threat actor tracked as Lotus Blossom has been attributed, with medium confidence, to the compromise of the infrastructure hosting Notepad++, which enabled the delivery of a backdoor codenamed Chrysalis to users of the open-source editor. According to Rapid7, Chrysalis is a bespoke, feature-rich implant that gathers system information and contacts an external server, most likely to receive additional commands to execute on the infected host. Its command-and-control (C2) server is currently offline, which is why the follow-on tasking can only be described as likely rather than observed.
The backdoor delivery was made possible by a compromise at the hosting-provider level: from June 2025 the attackers were able to hijack Notepad++ update traffic and redirect selected users to malicious servers that served a tampered update. The update path was hardened with the release of version 8.8.9 in December 2025. The hosting-provider breach itself persisted until December 2, 2025, when the attacker's access was terminated; Notepad++ has since migrated to a new, more secure hosting provider and rotated all credentials.
Rapid7's analysis notes that the Chrysalis loader relies on DLL side-loading: the chain includes a renamed, legitimate Bitdefender wizard executable used as the side-loading host, encrypted shellcode, and a module that fetches a Cobalt Strike beacon. Running the malicious code inside a trusted vendor binary keeps the first stage looking benign to signature-based controls, and splitting the chain into several stages makes it harder to disrupt or fully recover, which Rapid7 reads as a shift by the actor towards more resilient, multi-layered tradecraft.
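The side-loading pattern described above is what a defender would hunt for: a signed, legitimate executable running from a user-writable directory that loads a DLL from that same directory, where the DLL is unsigned or signed by a different publisher. The following is an added example of that hunt over Sysmon-style ImageLoad records (Event ID 7); it is not Rapid7's code and contains no indicators from their report. All paths, file names and signer strings in the sample records are constructed for illustration, and the trusted-directory list is an assumption you would tune for your own estate.

```python
"""Hunt for DLL side-loading candidates in Sysmon-style ImageLoad (Event ID 7) records.

Added example. Heuristic: a signed host process running outside the usual
installation directories loads a DLL from its own directory, and that DLL is
either unsigned or signed by someone other than the host's publisher. That is
the shape of the renamed-vendor-binary plus sideloaded-DLL chain described in
the text. Sample events, names and signers are constructed, not real IOCs.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List


@dataclass(frozen=True)
class ImageLoad:
    image: str           # path of the process that performed the load
    image_signer: str    # Authenticode signer of the process image; "" if unsigned
    loaded: str          # path of the module that was loaded
    loaded_signer: str   # Authenticode signer of the loaded module; "" if unsigned


# Assumption: installers normally land here; anything else is treated as
# user-writable and therefore a plausible staging location for a dropped chain.
TRUSTED_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Return True when the event matches the side-loading heuristic."""
    image = PureWindowsPath(ev.image.lower())
    dll = PureWindowsPath(ev.loaded.lower())

    # Only DLL loads are of interest.
    if dll.suffix != ".dll":
        return False
    # Classic search-order abuse: the DLL sits next to the host executable.
    if dll.parent != image.parent:
        return False
    # The host must be a signed (i.e. trusted-looking) binary ...
    if not ev.image_signer:
        return False
    # ... running from somewhere other than a normal install location ...
    if str(image).startswith(TRUSTED_DIRS):
        return False
    # ... and the DLL it pulled in is unsigned or signed by a different publisher.
    return ev.loaded_signer.lower() != ev.image_signer.lower()


def hunt(events: Iterable[ImageLoad]) -> List[ImageLoad]:
    """Filter a stream of ImageLoad records down to side-loading candidates."""
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry (hypothetical names, not indicators from the report).
SAMPLE_EVENTS = [
    # 1. Renamed signed vendor tool in a temp directory loading an unsigned DLL
    #    from the same directory: the pattern we want to surface.
    ImageLoad(
        image=r"C:\Users\alice\AppData\Local\Temp\upd\vendor_tool.exe",
        image_signer="Example Vendor Inc.",
        loaded=r"C:\Users\alice\AppData\Local\Temp\upd\helper.dll",
        loaded_signer="",
    ),
    # 2. A normal application loading its own signed DLL from Program Files.
    ImageLoad(
        image=r"C:\Program Files\ExampleEditor\editor.exe",
        image_signer="Example Editor Project",
        loaded=r"C:\Program Files\ExampleEditor\lexer.dll",
        loaded_signer="Example Editor Project",
    ),
    # 3. Signed tool in a user directory loading a system DLL from System32:
    #    different directory, so not search-order abuse.
    ImageLoad(
        image=r"C:\Users\alice\Downloads\vendor_tool.exe",
        image_signer="Example Vendor Inc.",
        loaded=r"C:\Windows\System32\kernel32.dll",
        loaded_signer="Microsoft Windows",
    ),
    # 4. Unsigned host loading an unsigned DLL: suspicious for other reasons,
    #    but it is not the signed-host side-loading signal this hunt targets.
    ImageLoad(
        image=r"C:\Users\alice\Downloads\tool.exe",
        image_signer="",
        loaded=r"C:\Users\alice\Downloads\helper.dll",
        loaded_signer="",
    ),
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"side-load candidate: {hit.image} -> {hit.loaded}")
```

Only the first sample record is flagged. The signer comparison rather than a bare "unsigned" check matters in practice: a side-loaded DLL may carry a stolen or unrelated certificate, and a mismatch between host and module publisher is still worth a look. False positives come mainly from portable or per-user applications that legitimately ship unsigned plugins, so in production the trusted-directory list and a per-publisher allow-list would need to be tuned.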