Chinese state-sponsored threat actors were likely behind the hijacking of Notepad++ update traffic last year that lasted for almost half a year, the developer states in an official announcement today.
The attackers intercepted and selectively redirected update requests from certain users to malicious servers, serving tampered update manifests by exploiting a security gap in the Notepad++ update verification controls.
A statement from the hosting provider for the update feature explains that the logs indicate the attacker compromised the server hosting the Notepad++ update application.
External security experts helping with the investigation found that the attack started in June 2025. According to the developer, the breach had a narrow targeting scope and redirected only specific users to the attacker’s infrastructure.
“Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign,” reads Notepad++’s announcement.
“The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.”
In December, Notepad++ released version 8.8.9 to address a security weakness in its WinGUp update tool after multiple researchers reported that the updater would receive malicious packages instead of legitimate ones.
Security researcher Kevin Beaumont had warned that he knew of at least three organizations affected by these update hijacks, which were followed by hands-on reconnaissance activity on the network.
Notepad++ is a free and open-source editor for text and source code and a popular tool on Windows, with tens of millions of users across the world.
The developer now explains that the attack occurred in June 2025, when a hosting provider for the software was compromised, enabling the attackers to perform targeted traffic redirections.
In early September, the attacker temporarily lost access when the server kernel and firmware were updated. However, the threat actor was able to regain its foothold by using previously obtained internal service credentials that had not been changed.
This continued until December 2, 2025, when the hosting provider finally detected the breach and terminated the attacker’s access.
Notepad++ has since migrated all clients to a new hosting provider with stronger security, rotated all credentials that could have been stolen by the attackers, fixed exploited vulnerabilities, and thoroughly analyzed logs to confirm that the malicious activity stopped.
Following the investigation of the incident, the hosting provider rotated all secrets and issued a set of recommended actions for the Notepad++ developer to take on their part:
- Change credentials for SSH, FTP/SFTP, and MySQL
- Review WordPress admin accounts, reset passwords, and remove unnecessary users
- Update WordPress core, plugins, and themes, and enable automatic updates if applicable
Starting from Notepad++ version 8.8.9, WinGUp verifies installer certificates and signatures, and the update XML is cryptographically signed.
The developer also stated that they plan to enforce mandatory certificate signature verification in version 8.9.2, which is expected to be released in about a month.
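To make the difference between the old and the new update flow concrete, the following is an added example written for this article, not Notepad++ or WinGUp code. It uses a hypothetical manifest schema and an Ed25519 detached signature (the real WinGUp XML format and signing scheme are not described here and are assumptions). The weak flow parses whatever the server returns; the hardened flow checks the manifest signature against a key pinned in the client and then ties the downloaded installer to the hash carried in that verified manifest, so a redirected client rejects a tampered manifest and a swapped installer.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"log"
)

// Manifest is a hypothetical update manifest; the element names are
// illustrative and are not the real WinGUp XML schema.
type Manifest struct {
	Version      string `xml:"version"`
	InstallerURL string `xml:"url"`
	SHA256       string `xml:"sha256"`
}

// SignedManifest is the manifest XML plus a detached Ed25519 signature
// produced by the publisher over exactly those bytes.
type SignedManifest struct {
	XML []byte
	Sig []byte
}

// signManifest is the publisher side: serialize, then sign the bytes as served.
func signManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := xml.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{XML: body, Sig: ed25519.Sign(priv, body)}, nil
}

// legacyParse models the weak flow: whatever the update server returns is
// parsed and trusted, so a redirected client accepts a tampered manifest.
func legacyParse(m SignedManifest) (Manifest, error) {
	var out Manifest
	err := xml.Unmarshal(m.XML, &out)
	return out, err
}

// verifyManifest models the hardened flow: the signature is checked against a
// public key pinned in the client before any manifest field is used.
func verifyManifest(pub ed25519.PublicKey, m SignedManifest) (Manifest, error) {
	if !ed25519.Verify(pub, m.XML, m.Sig) {
		return Manifest{}, errors.New("manifest signature invalid: refusing update")
	}
	return legacyParse(m)
}

// verifyInstaller ties the downloaded bytes to the verified manifest, so a
// swapped installer is rejected even if the download path was redirected.
func verifyInstaller(m Manifest, installer []byte) error {
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer hash does not match manifest")
	}
	return nil
}

// swapField simulates an on-path edit of the served manifest. The signature
// is left untouched, so it no longer matches the bytes.
func swapField(m SignedManifest, old, replacement string) SignedManifest {
	return SignedManifest{XML: bytes.ReplaceAll(m.XML, []byte(old), []byte(replacement)), Sig: m.Sig}
}

func main() {
	// Publisher key pair; in a real client only pub would be shipped, pinned.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	installer := []byte("constructed installer bytes, not a real binary")
	sum := sha256.Sum256(installer)
	// Constructed manifest; the URL is a placeholder, not a real update host.
	genuine := Manifest{Version: "8.8.9", InstallerURL: "https://update.example.invalid/npp.exe", SHA256: hex.EncodeToString(sum[:])}
	signed, err := signManifest(priv, genuine)
	if err != nil {
		log.Fatal(err)
	}
	tampered := swapField(signed, "update.example.invalid", "other.example.invalid")

	if _, err := legacyParse(tampered); err == nil {
		fmt.Println("legacy client: accepted tampered manifest")
	}
	if _, err := verifyManifest(pub, tampered); err != nil {
		fmt.Println("hardened client:", err)
	}
	m, err := verifyManifest(pub, signed)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("hardened client: genuine manifest verified; installer check:", verifyInstaller(m, installer))
}
```

The key design point is that the signature covers the manifest bytes exactly as served, and the installer hash is taken from the verified manifest rather than from anything else the server sends, so neither the manifest nor the binary can be substituted by whoever controls the download path.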
BleepingComputer has contacted Don Ho, the primary developer of Notepad++, for indicators of compromise (IoCs) or other information that could help users determine if they were impacted.
Don Ho told us that, sifting through the server logs, the incident response team identified signs of intrusion but no IoCs. “Our IR team and I also requested IOCs directly from the former hosting provider, but we were not successful in obtaining any,” the developer told us.
However, Rapid 7 researchers uncovered the campaign and attributed it to the Chinese APT group Lotus Blossom (a.k.a. Raspberry Typhoon, Bilbug, Spring Dragon) deploying “a previously undocumented custom backdoor” they named Chrysalis.
Based on the large number of capabilities, the researchers believe Chrysalis is a sophisticated tool with a permanent role on the victim system.
The researchers published a detailed technical analysis of the malware and note that they found no definitive artifacts to confirm exploitation of the updater-related mechanism.
“The only confirmed behavior is that execution of ‘notepad++.exe’ and subsequently ‘GUP.exe’ preceded the execution of a suspicious process ‘update.exe’,” Rapid 7 says.
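The process chain Rapid 7 describes is the kind of thing defenders can hunt for in existing process-creation telemetry. The following is an added example written for this article, not Rapid 7 or Notepad++ code: it rebuilds parent chains from a constructed, simplified log (pid, ppid, image) and flags any process launched by GUP.exe under notepad++.exe whose image name is not an expected installer. The installer naming allowlist (`npp.*.exe`) is a hypothetical assumption; the page does not state what the legitimate updater launches, so tune it to what your environment actually observes.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ProcEvent is one process-creation record reduced to the fields the hunt
// needs. Real telemetry (Sysmon, EDR) carries far more, but pid, ppid and
// image are enough to rebuild the parent chain.
type ProcEvent struct {
	PID   int
	PPID  int
	Image string
}

// constructedLog is sample telemetry made up for this example: one benign
// update session and one that matches the chain described in the article.
var constructedLog = []string{
	"4012 3000 explorer.exe",
	"4100 4012 notepad++.exe",
	"4180 4100 GUP.exe",
	"4222 4180 update.exe",
	"4300 4012 notepad++.exe",
	"4310 4300 GUP.exe",
	"4322 4310 npp.8.8.9.Installer.x64.exe",
}

// parseEvents reads "pid ppid image" lines and rejects malformed ones.
func parseEvents(lines []string) ([]ProcEvent, error) {
	var out []ProcEvent
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line %q", ln)
		}
		pid, err := strconv.Atoi(f[0])
		if err != nil {
			return nil, err
		}
		ppid, err := strconv.Atoi(f[1])
		if err != nil {
			return nil, err
		}
		out = append(out, ProcEvent{PID: pid, PPID: ppid, Image: f[2]})
	}
	return out, nil
}

// ancestry returns image names from the process itself up to the oldest
// ancestor present in the telemetry; the seen set guards against pid reuse cycles.
func ancestry(events []ProcEvent, pid int) []string {
	byPID := make(map[int]ProcEvent, len(events))
	for _, e := range events {
		byPID[e.PID] = e
	}
	var chain []string
	seen := map[int]bool{}
	for e, ok := byPID[pid]; ok && !seen[e.PID]; e, ok = byPID[e.PPID] {
		seen[e.PID] = true
		chain = append(chain, e.Image)
	}
	return chain
}

// expectedInstaller is a hypothetical allowlist for what the updater is
// allowed to launch; the real installer naming is an assumption here.
func expectedInstaller(image string) bool {
	l := strings.ToLower(image)
	return strings.HasPrefix(l, "npp.") && strings.HasSuffix(l, ".exe")
}

// flagUpdaterChildren reports every process whose parent is GUP.exe and
// grandparent is notepad++.exe but whose own image is not an expected installer.
func flagUpdaterChildren(events []ProcEvent) []ProcEvent {
	var flagged []ProcEvent
	for _, e := range events {
		chain := ancestry(events, e.PID)
		if len(chain) < 3 {
			continue
		}
		parent, grand := strings.ToLower(chain[1]), strings.ToLower(chain[2])
		if parent == "gup.exe" && grand == "notepad++.exe" && !expectedInstaller(e.Image) {
			flagged = append(flagged, e)
		}
	}
	return flagged
}

func main() {
	events, err := parseEvents(constructedLog)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, e := range flagUpdaterChildren(events) {
		fmt.Printf("suspicious updater child pid=%d image=%s chain=%s\n",
			e.PID, e.Image, strings.Join(ancestry(events, e.PID), " <- "))
	}
}
```

Matching on the parent chain rather than on the image name `update.exe` alone matters: a generic name will appear all over a fleet, while a process that GUP.exe launches and that is not the installer it was supposed to fetch is specific to this scenario and cheap to review.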
Update [February 2nd, 12:02 EST]: Article updated with comment from Notepad++ developer Don Ho, which arrived after publishing, and details from Rapid 7’s investigation.
Update [February 3rd]: Article inaccurately presented the hosting provider’s recommendations for the Notepad++ developer as guidance intended for affected users.