Notepad++ Supply Chain Attack Exposes Risks in Software Update Security
Notepad++ confirms a supply chain cyberattack where malicious updates were delivered via compromised hosting infrastructure, highlighting serious risks to software update security and growing threats from state-linked cyber espionage groups.
A recent cybersecurity incident involving Notepad++ has raised serious concerns about software supply chain attacks and the potential misuse of trusted update systems. In December 2025, reports emerged that some users of the popular free source code editor had been targeted with malicious software updates, even though the main Notepad++ code base itself was not compromised.
Notepad++ later acknowledged that the incident was not the result of a flaw or weakness in the software. Instead, the problem began at the hosting provider level, where attackers were able to interfere with how update traffic was delivered to specific users. This is characterized as a supply chain attack, in which attackers target third-party infrastructure rather than the software itself.
Security researcher Kevin Beaumont was among the first to expose the problem, stating that a small number of organizations, primarily in the telecom and financial services sectors in East Asia, were affected. According to the findings, attackers redirected update requests intended for the official Notepad++ website to malicious servers, which then delivered harmful updates to specific victims.
Don Ho, the creator of Notepad++, later published the results of a more in-depth examination conducted with external security experts and the hosting provider. The investigation found that the attackers had achieved infrastructure-level access, allowing them to intercept traffic from individual users. Importantly, there was no evidence that other clients on the shared server were targeted. The breach likely started in June 2025 and continued until early September, when routine system maintenance updated the server's kernel and firmware. However, credentials stolen earlier allowed the attackers to retain some level of access until December 2, during which time malicious updates could still be delivered.
Rapid7's technical investigation linked the operation to Lotus Blossom, a well-known Chinese cyber espionage group that has been active for over a decade. The custom malware used in this attack is known as Chrysalis. According to experts, the breach demonstrates how advanced threat groups now target trusted software update systems to gain access covertly. It also underscores the growing need for more rigorous security assessments across the entire software supply chain.
In response, Notepad++ has moved to a new hosting provider and added stronger client-side checks to verify update integrity. This incident shows why software update security, hosting provider protection, and supply chain cybersecurity are critical. Even trusted tools can become attack targets, reminding users and organizations to stay alert and keep systems updated from verified sources only.
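The client-side integrity check referred to above, shown as an added Go example. This is not Notepad++'s own code and does not describe its actual update mechanism; it assumes a scheme in which the publisher signs a release manifest with an Ed25519 key whose public half is pinned inside the client. Under that assumption, an installer swapped by a redirected host fails the digest check, and a manifest rewritten to match the swapped installer fails the signature check. The names (Manifest, SignManifest, VerifyUpdate, DemoScenario), the version string and all sample bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed description of one release.
// The client never trusts the installer bytes directly, only this
// manifest, and only after its signature checks out.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the installer bytes
	URL     string `json:"url"`
}

// SignManifest runs on the publisher's side, never in the client.
// The private key stays with the publisher; only the public key is shipped.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the client-side check: the manifest must be signed by the
// pinned publisher key, and the downloaded installer must match the digest
// the manifest names. Anything served by a host that cannot sign with the
// publisher's key is rejected, whichever server the request was routed to.
func VerifyUpdate(pinned ed25519.PublicKey, manifestJSON, sig, payload []byte) (*Manifest, error) {
	if !ed25519.Verify(pinned, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid: not signed by the pinned publisher key")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("manifest digest malformed")
	}
	got := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return nil, fmt.Errorf("installer digest mismatch for version %s: server delivered different bytes", m.Version)
	}
	return &m, nil
}

// Outcome records whether each constructed scenario was accepted.
type Outcome struct {
	Genuine          bool // correct installer, correct manifest
	Swapped          bool // installer replaced by a redirected host
	TamperedManifest bool // manifest rewritten to match the swapped installer
}

// DemoScenario builds a publisher key pair and runs the three cases.
func DemoScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed sample bytes standing in for a real installer.
	genuine := []byte("constructed: genuine installer bytes")
	d := sha256.Sum256(genuine)
	manifestJSON, sig, err := SignManifest(priv, Manifest{
		Version: "1.0.0-example", // constructed, not a real release
		SHA256:  hex.EncodeToString(d[:]),
		URL:     "https://example.invalid/update.exe", // placeholder URL
	})
	if err != nil {
		return Outcome{}, err
	}
	_, errGenuine := VerifyUpdate(pub, manifestJSON, sig, genuine)

	// A host the update request was redirected to serves different bytes.
	swapped := []byte("constructed: installer served by a redirected host")
	_, errSwapped := VerifyUpdate(pub, manifestJSON, sig, swapped)

	// The same host also rewrites the manifest so the digest matches the
	// swapped bytes, but it cannot produce a signature under the pinned key.
	sd := sha256.Sum256(swapped)
	tampered, _ := json.Marshal(Manifest{Version: "1.0.0-example", SHA256: hex.EncodeToString(sd[:]), URL: "https://example.invalid/update.exe"})
	_, errTampered := VerifyUpdate(pub, tampered, sig, swapped)

	return Outcome{errGenuine == nil, errSwapped == nil, errTampered == nil}, nil
}

func main() {
	o, err := DemoScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, swapped accepted: %v, tampered manifest accepted: %v\n",
		o.Genuine, o.Swapped, o.TamperedManifest)
}
```

The check only helps against the situation the article describes, traffic redirected at the hosting level, if the verification key is embedded in the client binary rather than fetched from the same update host; a key or hash list downloaded over the compromised path can be replaced along with the installer.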
This article is based on information from Security Week