USA and World Latest Breaking news today headlines worldwide in english

Read Daily USA and world latest Breaking news today headlines in English. Get tech news, insurance tips, money making ideas, crypto price updates, stock market, business , weather, sports and more


Notepad++ Supply Chain Compromise: Chinese State Actors Hijack Infrastructure

EAST ASIA — A sophisticated, months-long supply chain attack targeting the popular open-source text editor Notepad++ has been attributed to a Chinese state-sponsored threat group. The campaign, which came to light in late 2025 and saw final technical disclosures on February 2, 2026, did not involve tampering with the software’s source code. Instead, the attackers compromised the backend hosting provider, which allowed them to selectively redirect update traffic to malicious servers.

According to a detailed technical analysis by Rapid7, the attack has been linked to the long-standing Chinese cyberespionage group Lotus Blossom (also known as Billbug or Raspberry Typhoon). The objective appears to have been high-value intelligence collection rather than a broad, mass-infection event.


Anatomy of the “On-Path” Hijacking

Unlike the SolarWinds breach, where code was poisoned at the source, this attack focused on the distribution infrastructure. By infiltrating the shared hosting provider for notepad-plus-plus.org, the threat actors gained control over how users received updates without ever touching the software itself.

  • The Compromise: The intrusion began in June 2025. Attackers exploited vulnerabilities at the hosting provider level to gain access to internal service credentials.
  • Selective Redirection: The group was “highly selective,” targeting specific organizations primarily in East Asian telecommunications, finance, and government sectors. While millions use Notepad++, only a handful of chosen targets were served malicious update manifests; everyone else received the legitimate update.
  • The Foothold: Direct server access was cut off on September 2, 2025, during a scheduled kernel and firmware update. However, the attackers retained the stolen credentials and kept redirecting traffic until they were finally evicted on December 2, 2025.

The Payload: Introducing “Chrysalis”

Users who were targeted received a previously undocumented custom backdoor dubbed Chrysalis. The malware deployment used several advanced techniques to evade detection:

  1. NSIS Installer Abuse: The malicious update arrived as a standard-looking Nullsoft Scriptable Install System (NSIS) installer (update.exe), the same installer format the legitimate Notepad++ releases use.
  2. DLL Side-Loading: The malware used a renamed copy of the legitimate, signed Bitdefender Submission Wizard to side-load a malicious library (log.dll), so the process that launched the backdoor was a trusted vendor binary.
  3. Advanced Obfuscation: The loader was protected with Microsoft Warbird, a largely undocumented code-protection framework Microsoft built to shield its own DRM code, which made reverse-engineering extremely difficult.
  4. C2 Operations: Once active, Chrysalis gave the operators full remote access, including file manipulation, interactive shells, and the deployment of secondary payloads such as Cobalt Strike and Metasploit.

Incident Timeline

Date            Event
June 2025       Initial compromise of the hosting provider occurs.
Sept 2, 2025    Scheduled maintenance severs direct server access; attackers maintain access via stolen credentials.
Dec 2, 2025     Hosting provider terminates all unauthorized access; breach is discovered.
Dec 9, 2025     Notepad++ v8.8.9 released, implementing certificate and signature verification.
Feb 2, 2026     Developer Don Ho and Rapid7 release final investigative findings.

Critical Actions for Users

Notepad++ maintainer Don Ho has issued a public apology and moved the project to a new, more secure hosting provider. Organizations are urged to take the following steps immediately:

  • Update every Notepad++ installation to v8.8.9 or later, which verifies the certificate and signature of an update before applying it.
  • On any host that ran the WinGUp auto-updater between June 2025 and December 2, 2025, hunt for the Chrysalis indicators listed in the FAQ below (update.exe in %TEMP%, a Bluetooth folder under %AppData%, BluetoothServices.exe, and connections to the listed C2 infrastructure).
  • Treat any hit as a confirmed espionage intrusion: isolate the host, preserve evidence, and rebuild it rather than relying on uninstalling Notepad++.

The FAQ below collects what is known about the Notepad++ supply chain attack as of February 3, 2026, based on the final forensic disclosures by Notepad++ and Rapid7.


Notepad++ Supply Chain Compromise: FAQ

1. Was the Notepad++ source code hacked?

No. The investigation confirmed that the source code of Notepad++ and its build pipeline remained secure. The attackers targeted the infrastructure (the hosting provider) to intercept and redirect update requests from users to a malicious server.

2. Who was behind the attack?

Security experts from Rapid7 have attributed the campaign with medium-to-high confidence to Lotus Blossom (also known as Billbug), a Chinese state-sponsored threat group active since 2009. Some researchers also noted overlaps with APT31 (Violet Typhoon).

3. Am I affected?

You are potentially at risk only if you meet all the following criteria:

  • You used the built-in WinGUp auto-updater within Notepad++.
  • You attempted to update between June 2025 and December 2, 2025.
  • You were running a version older than v8.8.9.
  • You were a specific target (the attack was “highly selective,” primarily targeting telecom, finance, and government sectors in East Asia).

4. What are the signs of infection (IOCs)?

The malicious update delivered a backdoor called Chrysalis. Look for these red flags on hosts that ran the auto-updater during the attack window:

  • Unexpected Files: An update.exe or AutoUpdater.exe appearing in your %TEMP% folder.
  • New Directory: A folder named Bluetooth created in your %AppData% directory.
  • Suspicious Processes: BluetoothServices.exe (a renamed Bitdefender tool used for side-loading) or GUP.exe spawning an unknown update.exe.
  • Network Activity: Connections to the IP 95.179.213[.]0 or the domain api.skycloudcenter[.]com.
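The following PowerShell triage script is an added example, not code from Notepad++, Rapid7 or the original article. It checks a single Windows host for the indicators listed above (the %TEMP% droppers, the %AppData%\Bluetooth directory, a running BluetoothServices.exe or a GUP.exe parent that spawned update.exe, and the published C2 IP and domain) and also flags an installed Notepad++ older than v8.8.9. The default install path under %ProgramFiles% is an assumption; adjust it for per-user or portable installs.

```powershell
# Added triage script (not the project's code): hunt for the Chrysalis indicators from the FAQ.
# Run in an elevated session so Win32_Process and the TCP table cover all users' processes.

$Findings = @()

# 1. File-system indicators: droppers in %TEMP%, staging folder in %AppData%
foreach ($name in @('update.exe', 'AutoUpdater.exe')) {
    $p = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $p) { $Findings += "File present: $p" }
}
$btDir = Join-Path $env:APPDATA 'Bluetooth'
if (Test-Path -LiteralPath $btDir -PathType Container) {
    $Findings += "Directory present: $btDir"
    Get-ChildItem -LiteralPath $btDir -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings += "  contains: $($_.FullName) ($($_.Length) bytes)" }
}

# 2. Process indicators: renamed Bitdefender side-loader, or GUP.exe parenting update.exe
$procs = Get-CimInstance Win32_Process
foreach ($p in ($procs | Where-Object { $_.Name -ieq 'BluetoothServices.exe' })) {
    $Findings += "Process running: $($p.Name) PID $($p.ProcessId) ($($p.ExecutablePath))"
}
foreach ($g in ($procs | Where-Object { $_.Name -ieq 'GUP.exe' })) {
    $children = $procs | Where-Object { $_.ParentProcessId -eq $g.ProcessId -and $_.Name -ieq 'update.exe' }
    foreach ($c in $children) {
        $Findings += "GUP.exe (PID $($g.ProcessId)) spawned update.exe (PID $($c.ProcessId)): $($c.CommandLine)"
    }
}

# 3. Network indicators: live TCP connections to the C2 IP, C2 domain in the DNS client cache
$c2Ip     = '95.179.213.0'
$c2Domain = 'api.skycloudcenter.com'
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $c2Ip } |
    ForEach-Object { $Findings += "TCP $($_.State) to C2 ${c2Ip}:$($_.RemotePort) from PID $($_.OwningProcess)" }
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -ieq $c2Domain -or $_.Name -ieq $c2Domain } |
    ForEach-Object { $Findings += "DNS cache entry for C2 domain: $($_.Entry) -> $($_.Data)" }

# 4. Installed Notepad++ version (assumed default system-wide install path)
$nppExe = Join-Path $env:ProgramFiles 'Notepad++\notepad++.exe'
if (Test-Path -LiteralPath $nppExe) {
    try {
        $ver = [version](Get-Item -LiteralPath $nppExe).VersionInfo.FileVersion
        if ($ver -lt [version]'8.8.9') {
            $Findings += "Notepad++ $ver is older than 8.8.9 (updater did not verify signatures)"
        }
    } catch { $Findings += "Could not parse Notepad++ version from $nppExe" }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Chrysalis indicators from the FAQ were found on this host.'
} else {
    Write-Output 'INDICATORS FOUND - isolate the host and escalate:'
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

A clean result only rules out the indicators published on this page; because the campaign was selective and the loader was heavily obfuscated, a host in the targeted sectors that ran the auto-updater during the attack window should still be swept with an up-to-date EDR.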

5. Is Notepad++ safe to use now?

Yes, provided you are on the latest version.

  • v8.8.9 (released December 9, 2025) mitigated the hijacking by enforcing certificate and signature verification on updates.
  • v8.9.0 and later moved to GlobalSign certificates for better security.
  • The project has migrated to a new, hardened hosting provider and rotated all internal credentials.
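The same principle that v8.8.9 applied inside the updater (trust the signature, not the download channel) can be enforced by an administrator deploying the installer by hand. The PowerShell wrapper below is an added example, not the project's own code: it refuses to launch a downloaded Notepad++ installer unless its Authenticode signature is valid and the signer's common name matches a pinned value. The default expected CN of `Notepad++` is an assumption for illustration; take the real value from the project's release notes. The `/S` switch is the standard NSIS silent-install flag.

```powershell
# Added example (not the project's code): gate an installer on its Authenticode signature.
# Usage: .\Install-Npp.ps1 -InstallerPath .\npp.8.8.9.Installer.x64.exe [-ExpectedSignerCN 'Notepad++']
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath,
    [string]$ExpectedSignerCN = 'Notepad++'   # assumed value; pin the CN the project publishes
)

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

# Status must be exactly 'Valid': NotSigned, HashMismatch and UnknownError all mean "do not run"
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run $InstallerPath : signature status is '$($sig.Status)' ($($sig.StatusMessage))"
}

# A valid chain to *some* CA is not enough; the signer must be the one we expect
$subject = $sig.SignerCertificate.Subject
if ($subject -notmatch "CN=$([regex]::Escape($ExpectedSignerCN))") {
    throw "Refusing to run $InstallerPath : signed by '$subject', expected CN=$ExpectedSignerCN"
}

# Log issuer and thumbprint so a signer change (such as the move to GlobalSign) is visible in deployment logs
Write-Output ("Signer OK: {0}`n  Issuer: {1}`n  Thumbprint: {2}" -f $subject, $sig.SignerCertificate.Issuer, $sig.SignerCertificate.Thumbprint)

Start-Process -FilePath $InstallerPath -ArgumentList '/S' -Wait
```

Pinning the subject, not just requiring a valid chain, is the part that matters: an attacker who controls the download path can serve any correctly signed binary, but not one signed as the project.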

6. How do I clean my system?

If you suspect you were targeted, simply uninstalling Notepad++ will not remove the Chrysalis backdoor; the implant runs independently of the editor once installed.

  • Manual Cleanup: Delete the %AppData%\Bluetooth folder and its contents.
  • Scan: Run a full system scan using an up-to-date EDR or antivirus tool (Rapid7 and Microsoft have updated their definitions for Chrysalis).
  • Nuclear Option: Because this was a state-sponsored espionage tool, many security professionals recommend a full OS reinstallation for high-value target systems.

7. Why was the attack so hard to find?

The attackers used a technique called “on-path” hijacking. They didn’t need to break into your computer; they broke into the “road” your computer uses to fetch updates, and only redirected a handful of chosen victims, so the vast majority of update requests looked completely normal. Furthermore, the malware used Microsoft Warbird, a framework Microsoft designed to hide its own DRM code, to obscure its logic from researchers.
