Overview
- In a February 2 advisory, Notepad++ said attackers intercepted traffic to its update endpoint and served malicious manifests to selected users from June until at least November 10, with residual access ending December 2, 2025.
- The hosting provider reported the shared server was compromised until September 2, 2025, that stolen internal-service credentials enabled continued redirection until December 2, and that no other customers on the server were affected.
- Multiple researchers assessed the campaign as likely Chinese state-sponsored; Rapid7 attributed it to the Lotus Blossom group, and Kevin Beaumont observed incidents at telecom and financial firms with ties to East Asia.
- Remediation is complete, with the site migrated to a new host, vulnerabilities patched, credentials rotated, and a logged re-exploitation attempt blocked after fixes.
- Since v8.8.9 the client verifies installer certificates and signatures and uses signed update XML; this enforcement becomes mandatory in v8.9.2 next month, while the exact interception mechanism remains under investigation.