Notepad++ Discloses Full Details of 2025 Supply Chain Attack by Chinese APT Lotus Blossom
Notepad++ published a full retrospective of a June–December 2025 supply chain compromise in which Chinese state-sponsored group Lotus Blossom hijacked the WinGUp update mechanism to deliver Cobalt Strike and a custom backdoor to selectively targeted users.
Notepad++ has published a detailed retrospective of a supply chain attack that compromised the text editor's hosting infrastructure from June through December 2025. The attack, attributed to Chinese state-sponsored threat group Lotus Blossom (also tracked as Zirconium or Violet Typhoon by other researchers), involved hijacking the WinGUp update mechanism to deliver malicious executables to a carefully selected subset of users.
How the Attack Worked
The compromise did not exploit a vulnerability in Notepad++'s code itself. Instead, attackers gained infrastructure-level access to the project's hosting environment and exploited insufficient update verification controls in the WinGUp updater. The targeting was highly selective: traffic from specific users was silently redirected to malicious update servers while the vast majority of legitimate update requests were served normally, allowing the attack to evade detection for months.
Over a four-month period from July to October 2025, attackers continuously rotated command-and-control server addresses, the downloaders used for implant delivery, and the final payloads themselves, further complicating detection and attribution. Researchers from multiple security firms identified a custom backdoor dubbed Chrysalis alongside Cobalt Strike and Metasploit frameworks as the primary tools deployed to compromised targets.
Remediation and Current Status
Following discovery, the Notepad++ project migrated to a new hosting provider and made substantive changes to the WinGUp updater. Version 8.8.9 of Notepad++ introduced verification of both the certificate and the digital signature of downloaded installers before execution, closing the pathway that attackers exploited. Users who have not yet updated to 8.8.9 or later should do so immediately.
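The verification step that 8.8.9 adds is the control that makes a redirected download harmless: a payload served from a hijacked host either carries no valid signature or carries one from the wrong publisher. The PowerShell function below is an added example, not code from the Notepad++ project or the WinGUp updater, of how an administrator can apply the same two checks (signature validity and signer identity) to any downloaded installer before running it. It assumes Windows PowerShell with the built-in `Get-AuthenticodeSignature` cmdlet; the expected thumbprint is a placeholder to be replaced with the value taken from a known-good installer, and the installer file name and the `/S` silent-install switch are illustrative assumptions.

```powershell
# Added example (not Notepad++ / WinGUp code): refuse to run an installer unless
# its Authenticode signature is valid AND the signer is the pinned publisher.
# A valid signature from some other publisher is still an attack.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,   # pinned signer cert; placeholder in caller
        [string] $ExpectedSubjectPattern = '*Notepad++*'       # assumption: subject CN names the project
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Installer not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. Signature must cover the whole file and chain to a trusted root.
    #    Any other status (NotSigned, HashMismatch, NotTrusted, ...) is a hard fail.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for '$Path' is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # 2. Pin the signer: compare the leaf certificate thumbprint and subject
    #    against values recorded from a known-good release.
    $cert = $sig.SignerCertificate
    if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        Write-Warning "Signer thumbprint mismatch: got $($cert.Thumbprint), expected $ExpectedThumbprint"
        return $false
    }
    if ($cert.Subject -notlike $ExpectedSubjectPattern) {
        Write-Warning "Signer subject '$($cert.Subject)' does not match '$ExpectedSubjectPattern'"
        return $false
    }

    # 3. An expired signing certificate is acceptable only when the signature is
    #    timestamped (Status is already Valid in that case), so log it rather than fail.
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Verbose "Signer certificate expired on $($cert.NotAfter); relying on timestamp countersignature"
    }

    return $true
}

# Usage. File name and silent-install switch are assumptions; the thumbprint is a
# placeholder to be replaced with the pinned value for your environment.
$installer = Join-Path $env:TEMP 'npp.8.8.9.Installer.x64.exe'
if (Test-InstallerSignature -Path $installer -ExpectedThumbprint 'PLACEHOLDER_THUMBPRINT_HEX') {
    Start-Process -FilePath $installer -ArgumentList '/S' -Wait
} else {
    Write-Error "Refusing to run unverified installer: $installer"
}
```

The thumbprint pin is what distinguishes this from a plain "is it signed?" check: it ties the download to one specific publisher certificate rather than to any certificate a public CA would issue. Record the pinned value out of band (from a release obtained through a channel the update server cannot influence) and rotate it deliberately when the project changes its signing certificate.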
The incident is a reminder that even widely trusted open source tools with large user bases can be compromised at the infrastructure layer rather than at the code level, and that update mechanisms deserve the same rigorous security scrutiny as the software they deliver.