Full Report
Threat actors compromised the update infrastructure for Notepad++, redirecting traffic to an attacker-controlled site for targeted espionage purposes.

Key takeaways:

- Beginning in June 2025, threat actors compromised the infrastructure Notepad++ uses to distribute software updates.
- The issue has been addressed and Notepad++ has released 8.9.1, which now includes XML signature validation (XMLDSig) for security updates.
- Reports suggest that the attack was carried out by a Chinese threat actor known as Lotus Blossom.

## Background

Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding the disclosure of a supply chain compromise of Notepad++.

## FAQ

### What happened with Notepad++?

On February 2, Don Ho, creator of Notepad++, a source code and text editor for Windows, published a blog detailing the investigation into a supply chain security incident.

### What kind of security incident is this?

According to the blog post, threat actors compromised the infrastructure by which Notepad++ would distribute software updates. This compromise allowed the attackers to redirect update traffic from its intended destination (notepad-plus-plus dot org) to an attacker-controlled site.

### When did this security incident begin?

The security incident began in June 2025.

### How long did the security incident last?

Roughly six months. The compromised infrastructure was accessible until September 2, 2025. However, because the attackers possessed valid credentials for the internal services of the infrastructure provider, they were able to continue redirecting Notepad++ update traffic until December 2, 2025.

### Was this incident known prior to February 2?

Yes, Ho published a blog post on December 9 regarding the release of version 8.8.9 and noted that security experts “reported incidents of traffic hijacking affecting Notepad++.” The full scope of the security incident wasn’t known at the time as the investigation was ongoing.

### Has this attack been linked to a specific threat actor?

Yes, reports suggest that the attack was carried out by a Chinese threat actor known as Lotus Blossom, also known as Bilbug, Raspberry Typhoon or Thrip.

### What do we know about Lotus Blossom?

Lotus Blossom has been operating since 2009 and is known for deploying various backdoor malware. Regionally, the group has a penchant for targeting entities across Asia, including government and the defense sector.

### How widespread was this Notepad++ attack?

Despite the widespread usage of Notepad++, reports indicate that Lotus Blossom focused more on espionage of certain targets through the deployment of malware rather than financially motivated cybercrime like ransomware or extortion.

### Were there any vulnerabilities associated with this security incident?

No. No CVEs have been assigned for this security incident because the attacks centered on compromising the Notepad++ infrastructure provider and updater.

### Are there software updates available for this security incident?

Yes, Notepad++ has released 8.9.1, which now includes XML signature validation (XMLDSig) for security updates, with additional signing enforcement expected in version 8.9.2.

| Affected Product | Affected Versions | Fixed Versions |
| --- | --- | --- |
| Notepad++ | 8.9 and lower | 8.9.1 and above |

### Has Tenable released any product coverage for these vulnerabilities?

Yes, a Tenable plugin to identify vulnerable versions of Notepad++ can be found here. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

## Get more information

- Notepad++ Hijacked by State-Sponsored Hackers
- Notepad++ v8.8.9 release: Vulnerability-fix

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Analysis Summary
# Incident Report: Notepad++ Update Infrastructure Supply Chain Compromise
## Executive Summary
Threat actors, strongly suspected to be the Chinese state-sponsored group Lotus Blossom, compromised the Notepad++ software update infrastructure beginning in June 2025, which allowed them to redirect update traffic to an attacker-controlled server for targeted espionage. Although the compromised infrastructure was addressed on September 2, 2025, the redirection continued until December 2, 2025 because the attackers retained valid credentials for the infrastructure provider's internal services; the traffic hijacking was publicly noted on December 9, 2025. Notepad++ has since mitigated the issue by releasing version 8.9.1 with XML digital signature validation (XMLDSig).
## Incident Details
- **Discovery Date:** December 9, 2025 (Initial alert regarding traffic hijacking, full scope known later)
- **Incident Date:** Began June 2025
- **Affected Organization:** Notepad++ (Developer/Software Provider)
- **Sector:** Software Development / IT Utilities
- **Geography:** Global (Affecting all users receiving updates)
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning June 2025
- **Vector:** Compromise of the Notepad++ software update infrastructure provider.
- **Details:** Threat actors gained access to the infrastructure responsible for distributing software updates, allowing them to redirect traffic originally destined for `notepad-plus-plus dot org` to an attacker-controlled site.
### Lateral Movement
- **Date/Time:** Ongoing through the compromise period (June 2025 – December 2025)
- **Vector:** Utilization of valid credentials for the internal services of the infrastructure provider.
- **Details:** The attackers maintained and extended the compromise by possessing valid credentials, which allowed them to continue redirecting traffic even after the publicly accessible infrastructure component was addressed on September 2, 2025.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing during the compromise period.
- **Vector:** Targeted espionage through deployment of malware via malicious updates.
- **Details:** The primary impact was the ability to serve malicious updates to targeted users for espionage purposes, rather than large-scale monetary cybercrime.
### Detection & Response
- **Date/Time:** December 9, 2025
- **Vector:** External reporting/discovery by security experts.
- **Details:** Don Ho published a blog post noting that security experts had reported incidents of traffic hijacking affecting Notepad++. Investigation and remediation efforts followed. The compromise was confirmed and detailed on February 2 (year unspecified, presumed 2026 based on timeline).
- **Remediation:** Notepad++ released version 8.9.1, incorporating XML signature validation (XMLDSig), and planned further enforcement in 8.9.2. The malicious redirection ended around December 2, 2025.
## Attack Methodology
The attack focused specifically on the software supply chain/update mechanism, not application vulnerabilities.
- **Initial Access:** Compromise of the infrastructure provider hosting the update distribution services.
- **Persistence:** Maintaining valid credentials within the infrastructure provider's internal services to sustain the update redirection until December 2, 2025.
- **Privilege Escalation:** Not explicitly detailed, but likely involved escalating access within the infrastructure provider's environment to maintain control over the update redirection mechanism.
- **Defense Evasion:** Utilizing compromised, trusted infrastructure to deliver malicious updates.
- **Credential Access:** Gained valid credentials for internal services of the third-party infrastructure provider.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Confirmed use of valid credentials to maintain control past the initial public infrastructure cleanup (September 2, 2025).
- **Collection:** Focused deployment of espionage malware.
- **Exfiltration:** Targeted espionage activities via delivered malware.
- **Impact:** Successful supply chain compromise allowing targeted espionage against users who installed the malicious updates.
## Impact Assessment
- **Financial:** Not detailed in the summary.
- **Data Breach:** Focus was on espionage; specific data exfiltration type/volume unknown, but malware was deployed to targeted systems.
- **Operational:** Disruption to the integrity of the software update process for Notepad++ users.
- **Reputational:** Significant due to the nature of a high-profile supply chain compromise affecting a widely used utility.
## Indicators of Compromise
- **Network indicators (defanged):** Redirection of traffic from notepad-plus-plus dot org to an attacker-controlled site.
- **File indicators:** Deployment of backdoor/espionage malware via malicious updates (Specific hashes not provided in summary).
- **Behavioral indicators:** Activity linked to the Chinese threat actor Lotus Blossom (Bilbug/Raspberry Typhoon/Thrip).
## Response Actions
- **Containment:** Addressing the compromised update infrastructure (achieved by September 2, 2025, based on initial infrastructure cleanup).
- **Eradication:** The full persistence mechanism (using valid internal credentials) was terminated by December 2, 2025.
- **Recovery:** Release of Notepad++ version 8.9.1, which implements XML Digital Signature Validation (XMLDSig) to secure subsequent updates.
## Lessons Learned
- **Supply Chain Risk:** Compromising infrastructure components (update servers) is a highly effective method for targeted supply chain attacks, even when the core application code is clean (no CVEs were assigned).
- **Credential Management:** Possession of valid internal credentials allowed the threat actor to maintain long-term access well past initial detection/cleanup efforts.
- **Update Integrity:** Lack of robust cryptographic verification (like XMLDSig) in the update mechanism was the critical technical weakness exploited.
- **Attribution:** The attack strongly aligns with the operational history of the Chinese threat actor, Lotus Blossom.
## Recommendations
- **Implement Strong Code Signing:** Enforce digital signature validation (XMLDSig or similar) on all software updates to prevent man-in-the-middle injection of malicious binaries.
- **Infrastructure Hardening:** Conduct routine audits and credential rotation for all internal service accounts used by third-party infrastructure providers.
- **Zero Trust Principles:** Minimize the scope of trust granted to single-purpose external infrastructure components to prevent prolonged persistence via compromised credentials.
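As an added illustration of the signed-update validation this page credits to 8.9.1 (XMLDSig) and recommends above, here is a simplified signed-manifest check written for this report; it is not Notepad++ or WinGUp code. The manifest element names, the placeholder hosts `updates.example.org` and `attacker.example.net`, and the throwaway RSA key are assumptions, and the "canonical form" is Go's deterministic `xml.Marshal` output rather than real XML C14N. It shows the defensive property that matters for the incident described: a server that merely sits on the redirected update path, but does not hold the publisher's private key, cannot produce a manifest the client accepts, and a signed manifest is additionally checked against a pinned download host.

```go
package main

// Added example, not Notepad++/WinGUp code. Hosts, element names and key are
// assumptions; canonical form is xml.Marshal output, not XMLDSig C14N.

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest is a hypothetical update descriptor (not the real GUP format).
type UpdateManifest struct {
	XMLName  xml.Name `xml:"Update"`
	Version  string   `xml:"Version"`
	Location string   `xml:"Location"` // where the updater would download the installer
	Digest   string   `xml:"Digest"`   // publisher-supplied SHA-256 of the installer (hex)
}

// SignedManifest carries the manifest plus a signature over its canonical bytes.
type SignedManifest struct {
	XMLName   xml.Name       `xml:"SignedUpdate"`
	Manifest  UpdateManifest `xml:"Update"`
	Signature string         `xml:"Signature"` // base64(RSA-PKCS1v15-SHA256(canonical manifest))
}

var (
	ErrBadSignature  = errors.New("manifest signature does not verify against the pinned publisher key")
	ErrUntrustedHost = errors.New("manifest location is not on the pinned update host")
)

// SignManifest is the publisher's (offline) signing step.
func SignManifest(m UpdateManifest, priv *rsa.PrivateKey) (SignedManifest, error) {
	canon, err := xml.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	h := sha256.Sum256(canon)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: m, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// VerifyManifest is the client-side check; pub is pinned inside the updater,
// so controlling the download path alone does not let anyone mint a manifest.
func VerifyManifest(doc []byte, pub *rsa.PublicKey, pinnedHost string) (UpdateManifest, error) {
	var sm SignedManifest
	if err := xml.Unmarshal(doc, &sm); err != nil {
		return UpdateManifest{}, err
	}
	canon, err := xml.Marshal(sm.Manifest) // re-derive exactly what the publisher signed
	if err != nil {
		return UpdateManifest{}, err
	}
	sig, err := base64.StdEncoding.DecodeString(sm.Signature)
	if err != nil {
		return UpdateManifest{}, ErrBadSignature
	}
	h := sha256.Sum256(canon)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return UpdateManifest{}, ErrBadSignature
	}
	// Defense in depth: even a validly signed manifest must point at the pinned host over TLS.
	u, err := url.Parse(sm.Manifest.Location)
	if err != nil || u.Scheme != "https" || u.Host != pinnedHost {
		return UpdateManifest{}, ErrUntrustedHost
	}
	return sm.Manifest, nil
}

// DemoResult records the outcome of the three checks exercised by RunDemo.
type DemoResult struct {
	GenuineVersion string // version accepted from the untampered manifest
	TamperedErr    error  // manifest whose Location was rewritten on the redirect path
	WrongHostErr   error  // validly signed manifest pointing off the pinned host
}

// RunDemo signs a constructed manifest with a throwaway key and exercises the checks.
func RunDemo() (DemoResult, error) {
	const pinnedHost = "updates.example.org" // placeholder, not the real update server
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return DemoResult{}, err
	}
	genuine := UpdateManifest{Version: "8.9.1",
		Location: "https://updates.example.org/npp.8.9.1.Installer.exe", // constructed
		Digest:   "0000000000000000000000000000000000000000000000000000000000000000"}
	signed, err := SignManifest(genuine, priv)
	if err != nil {
		return DemoResult{}, err
	}
	doc, _ := xml.Marshal(signed)
	var res DemoResult
	ok, err := VerifyManifest(doc, &priv.PublicKey, pinnedHost)
	if err != nil {
		return DemoResult{}, err
	}
	res.GenuineVersion = ok.Version
	// Someone on the redirect path rewrites the download location but lacks the key.
	tampered := bytes.Replace(doc, []byte("updates.example.org"), []byte("attacker.example.net"), 1)
	_, res.TamperedErr = VerifyManifest(tampered, &priv.PublicKey, pinnedHost)
	// A correctly signed manifest is still rejected if it points somewhere unexpected.
	offHost := genuine
	offHost.Location = "https://mirror.example.net/npp.exe"
	signedOff, _ := SignManifest(offHost, priv)
	docOff, _ := xml.Marshal(signedOff)
	_, res.WrongHostErr = VerifyManifest(docOff, &priv.PublicKey, pinnedHost)
	return res, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %s\ntampered: %v\nwrong host: %v\n", res.GenuineVersion, res.TamperedErr, res.WrongHostErr)
}
```

The public key has to ship inside the updater binary (or be rooted in an OS-level trust store); fetching it from the same update infrastructure would put it on the very path that was hijacked here. Note also that the tampered manifest is rejected at the signature step, before any installer is downloaded or the download host is even consulted.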