Notepad++ Breach Advisory
Executive Summary
On December 9th, the Notepad++ text editor project reported an incident in which part of its software update infrastructure had been hijacked to deliver sophisticated backdoor malware to specific targets. Rapid7 published additional analysis of one of the delivered payloads and attributed the campaign to the Chinese state-sponsored APT group Lotus Blossom.
The attack appears to be highly targeted: reporting indicates that only specific traffic resulted in malicious packages being delivered. Reporting from Kaspersky added that attacker infrastructure was constantly rotated and tailored to the specific intended targets.
The incident was a man-in-the-middle attack against the update infrastructure, not against the Notepad++ code itself. Because the attack compromised the update process, Beazley Security, out of an abundance of caution, recommends that affected users delete existing installs of Notepad++ and install fixed versions from scratch as soon as possible.
Affected Systems and Products
Patches
Security fixes were made available at the time of reporting and are available via the normal update channels. Because the attack compromised the update process, Beazley Security, out of an abundance of caution, recommends that users delete current installs of Notepad++ and install patched versions from scratch as soon as possible.
Indicators of Compromise (IOCs)
IOCs have been provided by both Rapid7 and Kaspersky, though their usefulness may be limited: the threat actor has been observed rotating out almost all pieces of infrastructure, from C2 servers to malware families and payload hashes.
That said, we will include a limited summary of them here to assist with threat hunts.
Technical Details
The attack itself was limited in scope: a former hosting provider for Notepad++ had a server compromised sometime in June 2025, and the threat actors maintained access until December 2025. During that time the threat actor selectively redirected specific targeted users to trojanized, malicious update packages. The attack was narrow enough that analysis from Kaspersky indicates as few as a dozen individual machines were specifically targeted. Changes referenced in Notepad++'s patch notes indicate that this man-in-the-middle supply chain attack was possible because of a lack of signature verification in the updater programs and on the update XMLs returned by the update server to the client.
Notepad++ has moved its update infrastructure to a new hosting provider and fixed its update process to include stricter signing-certificate checks.
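The following is an added illustration of the class of fix described above, not Notepad++'s own updater code or manifest format. It contrasts an updater that trusts whatever update XML the server returns with one that first verifies a detached signature over the manifest against a public key pinned in the client, and only then checks the downloaded package against the hash the signed manifest carries. The XML element names, the package bytes and the key pair are all constructed for the example; it assumes the `cryptography` package is installed.

```python
"""Signed update-manifest verification (added example, not Notepad++ code).

An on-path attacker controlling the update server can rewrite both the
manifest XML and the package it points to. A hash inside an unsigned manifest
therefore proves nothing; a signature made with the publisher's private key,
verified against a key pinned in the client, cannot be forged by the attacker.
"""
import hashlib
import xml.etree.ElementTree as ET

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

# Constructed stand-in for a legitimate installer download.
PACKAGE = b"constructed-installer-bytes-for-demo"
PACKAGE_SHA256 = hashlib.sha256(PACKAGE).hexdigest()

# Constructed manifest; the element names are hypothetical, not Notepad++'s.
MANIFEST = (
    "<update><version>9.9.9</version>"
    f"<sha256>{PACKAGE_SHA256}</sha256></update>"
).encode()

# Publisher key pair generated here so the example runs offline. In a real
# updater only the PUBLIC key ships with the client, pinned at build time.
_publisher_key = Ed25519PrivateKey.generate()
PINNED_PUBLIC_KEY = _publisher_key.public_key()


def sign_manifest(manifest: bytes, key: Ed25519PrivateKey = _publisher_key) -> bytes:
    """Publisher side: detached Ed25519 signature over the raw manifest bytes."""
    return key.sign(manifest)


def verify_update_unsigned(manifest: bytes, package: bytes) -> bool:
    """Weak behaviour for contrast: trusts the manifest exactly as served.
    Any party that can replace the XML can also replace the hash it carries,
    so this check cannot detect a substituted package."""
    root = ET.fromstring(manifest)
    return hashlib.sha256(package).hexdigest() == root.findtext("sha256")


def verify_update(
    manifest: bytes,
    signature: bytes,
    package: bytes,
    pinned_key: Ed25519PublicKey = PINNED_PUBLIC_KEY,
) -> bool:
    """Hardened behaviour. Accept the update only if:
      1. the manifest signature verifies against the pinned publisher key, and
      2. the package hash matches the hash inside that signed manifest.
    The manifest is parsed only after its signature has been verified, so the
    XML parser never sees attacker-controlled bytes."""
    try:
        pinned_key.verify(signature, manifest)
    except InvalidSignature:
        return False
    try:
        root = ET.fromstring(manifest)
    except ET.ParseError:
        return False
    expected = root.findtext("sha256")
    if not expected:
        return False
    return hashlib.sha256(package).hexdigest() == expected


def substituted_manifest(package: bytes) -> bytes:
    """Models what the on-path server can do without the private key: serve a
    manifest whose hash matches a substituted package (constructed bytes)."""
    digest = hashlib.sha256(package).hexdigest()
    return (
        "<update><version>9.9.9</version>"
        f"<sha256>{digest}</sha256></update>"
    ).encode()


if __name__ == "__main__":
    sig = sign_manifest(MANIFEST)
    swapped = b"constructed-substituted-installer-bytes"
    print("genuine manifest + genuine package:", verify_update(MANIFEST, sig, PACKAGE))
    print("unsigned check, swapped manifest + package:",
          verify_update_unsigned(substituted_manifest(swapped), swapped))
    print("signed check, swapped manifest + package:",
          verify_update(substituted_manifest(swapped), sig, swapped))
```

The unsigned check accepts the substituted package because the hash it compares against came from the same untrusted channel as the package; the signed check rejects it because the rewritten manifest no longer matches the publisher's signature. Pinning the verification key in the client rather than fetching it from the update server is what makes the second check meaningful.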
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.
Sources