The Notepad++ website was hijacked by 'malicious actors' last year and security researchers are picking through the wreckage

Popular open source text editor Notepad++ experienced a significant security breach last year, and now its developer has given an update regarding the attack.

It's believed that, between June and November 10/December 2, 2025 (independent security experts and its hosting provider disagree on the exact timings), a shared hosting server was compromised, allowing attackers to redirect Notepad++ update traffic to malicious servers.

"According to the analysis provided by security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org," says a statement on the now-secure website.

"The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself."

The update goes on to say that "Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign."

According to cybersecurity firm Rapid7, the attack can be attributed to Chinese APT group Lotus Blossom, a threat actor that has been known to perform "targeted espionage campaigns" primarily impacting organisations across Southeast Asia and Central America. The custom backdoor used in the attack has since been dubbed "Chrysalis", and explaining its methodology is where I start to get lost, so I'll quote directly from the Rapid7 report instead:

"Its wide array of capabilities indicates it is a sophisticated and permanent tool, not a simple throwaway utility. It uses legitimate binaries to sideload a crafted DLL with a generic name, which makes simple filename-based detection unreliable.

"It relies on custom API hashing in both the loader and the main module, each with its own resolution logic. This is paired with layered obfuscation and a fairly structured approach to C2 communication."

Of course, of course. However, Rapid7's main concern appears to be what Chrysalis, and other tools and methods used in the attack, says about Lotus Blossom's newfound capabilities:

"While the group continues to rely on proven techniques like DLL sideloading and service persistence, their multi-layered shellcode loader and integration of undocumented system calls (NtQuerySystemInformation) mark a clear shift toward more resilient and stealth tradecraft," says the firm.

"This demonstrates that Lotus Blossom is actively updating their playbook to stay ahead of modern detection."

Gulp. So, while the Notepad++ developer has since switched to a different hosting provider (with what are described as "significantly stronger security practices"), it seems that Lotus Blossom is gaining strength—and some hosting providers are falling victim to its modern methods. Sleep tight, website.
