Code Defence Cyber security

Notepad++ Hijacked: Chinese State Actors Infiltrate Update Servers

Summary: Developer Don Ho has confirmed that the Chinese state-sponsored group “Lotus Blossom” compromised the Notepad++ update servers for over six months in 2025. Targeted users in East Asia were redirected to download “Chrysalis,” a feature-rich backdoor that gives the attackers direct keyboard access. Although the compromise was closed off in December, its full scope is only now being realized.

Business Impact: High Risk for Developers and IT Admins. Notepad++ is a ubiquitous tool. A compromised version allows attackers to bypass endpoint defenses and gain high-privilege access to local source code and configuration files. This is a classic “SolarWinds-style” supply chain vector.

Why It Happened: The attackers targeted the hosting provider's underlying infrastructure rather than the Notepad++ code itself. Weak update verification in older versions allowed update requests to be quietly rerouted to malicious servers.

Recommended Executive Action (immediate): Mandate an update to version 8.9.2 across all workstations; that release enforces strict certificate and signature checks on updates. Instruct admins to block gup.exe (the Notepad++ updater) from internet access at the firewall level.
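The two actions above can be audited and enforced from a workstation with the PowerShell below. This is an added example, not code from the article or the Notepad++ project; it assumes Notepad++ registers under the standard Uninstall registry keys and that the updater lives at updater\GUP.exe under the install directory (falling back to the default Program Files path when the registry carries no InstallLocation).

```powershell
# Added example: flag Notepad++ installs below the 8.9.2 floor the article
# recommends, and block the updater (gup.exe) outbound with a Windows Firewall
# rule. Registry paths and the GUP.exe location are assumptions; adjust for
# non-standard builds. Run elevated so New-NetFirewallRule can create the rule.

$MinimumVersion = [version]'8.9.2'
$RuleName = 'Block Notepad++ updater (gup.exe)'

function Get-NotepadPlusPlusInstall {
    # Check both the 64-bit and 32-bit uninstall hives.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Notepad++*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-NotepadPlusPlusVersion {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    # $true when the installed version meets or exceeds 8.9.2.
    [version]$DisplayVersion -ge $MinimumVersion
}

function Block-NotepadPlusPlusUpdater {
    param([string]$InstallLocation)
    if (-not $InstallLocation) { $InstallLocation = Join-Path $env:ProgramFiles 'Notepad++' }
    $gup = Join-Path $InstallLocation 'updater\GUP.exe'   # assumed updater path
    if (-not (Test-Path $gup)) { Write-Warning "Updater not found at $gup"; return }
    # Idempotent: only create the outbound block rule if it is not already present.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
            -Program $gup -Action Block -Profile Any | Out-Null
    }
    Write-Output "Outbound block in place for $gup"
}

foreach ($install in Get-NotepadPlusPlusInstall) {
    if (Test-NotepadPlusPlusVersion $install.DisplayVersion) {
        Write-Output "OK: $($install.DisplayName) $($install.DisplayVersion)"
    } else {
        Write-Output "NEEDS UPDATE: $($install.DisplayName) $($install.DisplayVersion) is below $MinimumVersion"
    }
    Block-NotepadPlusPlusUpdater -InstallLocation $install.InstallLocation
}
```

For fleet-wide use, run it through your endpoint management tool or Invoke-Command and collect the NEEDS UPDATE lines centrally.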

Hashtags: #NotepadPlusPlus #SupplyChainAttack #LotusBlossom #DevSecOps #Malware #Infosec
