Overview
- Investigations found attackers hijacked hosting-provider infrastructure to redirect Notepad++ update requests and deliver malicious manifests to selected users.
- Attack activity began around June 2025 and persisted until it was discovered on December 2; provider maintenance on September 2 disrupted the attackers' server access, but the stolen service credentials remained usable.
- Security firms, including Rapid7, assess the operation as likely conducted by the China-linked APT Lotus Blossom and identify a bespoke backdoor researchers call Chrysalis.
- Notepad++ migrated to a new host and issued clean releases (8.8.9 and the current 8.9.1), and the WinGUp updater now validates the installer's certificate and digital signature before applying an update.
- Upcoming versions (8.9.2 and later) will also enforce signature checks on the update XML itself; until then, users are advised to download official builds manually rather than rely on the built-in updater of older installations.