Notepad++ Update Servers Hacked by Chinese State Actors in 2025

Notepad++ Users Unknowingly Downloaded Malware Through Compromised Updates

In a significant cybersecurity incident that spanned half of 2025, users of the popular text editor Notepad++ may have inadvertently downloaded malware instead of legitimate software updates. Developer Don Ho confirmed on Monday that Chinese state-sponsored hackers had successfully compromised the application's update servers between June and December of that year.

Targeted Attack on Specific Organizations

The attackers demonstrated sophisticated targeting by not affecting all users. Instead, they carefully selected organizations with business interests in East Asia for their malicious campaign. Security researcher Kevin Beaumont interviewed three confirmed victims, who reported that the tainted updates gave the hackers hands-on-keyboard (interactive) access to their machines, enabling extensive surveillance and data theft.

Lotus Blossom Group Behind the Breach

Security firm Rapid7, which conducted the investigation into this breach, attributed the attack to Lotus Blossom. This Chinese espionage group has a well-documented history of targeting government agencies, telecommunications firms, and media outlets across multiple regions. Their involvement suggests this was part of a broader intelligence-gathering operation rather than random cybercrime.

How the Sophisticated Attack Unfolded

The hackers employed an indirect approach that bypassed Notepad++'s core code entirely. Rather than attempting to infiltrate the application itself, they targeted the hosting provider supporting the update infrastructure, which let them redirect update requests. Older versions of Notepad++ used weak update verification, so a substituted download was accepted as a legitimate update.

When targeted users clicked the "update" button within the application, their requests were quietly rerouted to malicious servers controlled by the hackers. Instead of receiving legitimate Notepad++ updates, these users downloaded Chrysalis, a backdoor that Rapid7 described as "feature-rich" and specifically designed for maintaining long-term access to compromised systems.

Prolonged Access Despite Initial Fixes

The situation became particularly concerning due to the attackers' persistence. Although the hosting provider patched the main server vulnerability in September, the hackers retained access to login credentials for internal services. This allowed them to continue redirecting traffic for an additional three months, with the security leak not being fully resolved until December 2.

Protective Measures and Recommendations

Developer Don Ho has taken decisive action following the breach, completely abandoning the previous hosting provider and migrating to a new service. The Notepad++ updater now implements enhanced security protocols, checking both certificate validity and digital signatures before installing any updates. Version 8.9.2 will make these verification checks mandatory for all installations.

For current Notepad++ users, security experts recommend downloading version 8.9.1 directly from the official website rather than trusting any version currently installed on their machines. Enterprise administrators might consider additional protective measures, such as blocking gup.exe (the update executable) from accessing the internet entirely within corporate networks.
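One way to carry out the two recommendations above on a Windows endpoint, as an added example that is not code from the article or the Notepad++ project: it verifies the Authenticode signature of a freshly downloaded installer (status and, because any attacker can obtain some valid certificate, the signer's subject) before you run it, and then adds an outbound firewall rule for gup.exe. It assumes the default install path below, uses a placeholder for the expected signer subject that you must replace with the real one, and needs an elevated PowerShell session for the firewall rule.

```powershell
# Added example, not from the article or the Notepad++ project.
# Assumptions: default Notepad++ install path; $ExpectedSigner is a placeholder
# to be replaced with the actual certificate subject Notepad++ signs with.
param(
    [Parameter(Mandatory)][string]$InstallerPath,   # installer fetched from the official site
    [string]$ExpectedSigner = 'CN=<EXPECTED-PUBLISHER-PLACEHOLDER>',
    [string]$UpdaterPath = 'C:\Program Files\Notepad++\updater\GUP.exe'  # assumed default location
)

function Test-SignedInstaller {
    param([string]$Path, [string]$Signer)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # A missing, broken or untrusted signature means the file must not be run.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is $($sig.Status); do not install."
        return $false
    }
    # A valid signature alone is not enough: pin the expected publisher subject.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -ne $Signer) {
        Write-Warning "$Path : signed by '$subject', expected '$Signer'; do not install."
        return $false
    }
    Write-Host "$Path : valid signature from '$subject' (thumbprint $($sig.SignerCertificate.Thumbprint))"
    return $true
}

function Block-UpdaterEgress {
    param([string]$Program)
    # Outbound block for the updater so it cannot fetch updates on its own;
    # updates are then applied only from a manually verified installer.
    $name = 'Block Notepad++ updater (gup.exe) outbound'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$name' already exists."
        return
    }
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $Program `
        -Action Block -Profile Any | Out-Null
    Write-Host "Created outbound block rule for $Program"
}

if (Test-SignedInstaller -Path $InstallerPath -Signer $ExpectedSigner) {
    Block-UpdaterEgress -Program $UpdaterPath
}
```

Run it as `.\Verify-NppInstaller.ps1 -InstallerPath <downloaded installer>` from an elevated prompt; if the signature check fails the firewall rule is not created and the installer should be discarded.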

Echoes of Previous Major Cyber Incidents

This cybersecurity episode bears uncomfortable similarities to the 2020 SolarWinds attack, where Russian hackers employed comparable techniques to infiltrate update mechanisms and ultimately gained access to multiple U.S. government agencies. The recurrence of such sophisticated supply chain attacks highlights ongoing vulnerabilities in software distribution systems and the increasing sophistication of state-sponsored cyber operations targeting critical infrastructure and business interests.