Full Report
Threat actors compromised the update infrastructure for Notepad++, redirecting traffic to an attacker-controlled site for targeted espionage purposes.

## Change log

Update February 4: This FAQ blog has been updated to note that CVE-2025-15556 was assigned for this security incident.

## Key takeaways

- Beginning in June 2025, threat actors compromised the infrastructure Notepad++ uses to distribute software updates.
- The issue has been addressed: Notepad++ has released 8.9.1, which now includes XML signature validation (XMLDSig) for security updates.
- Reports suggest that the attack was carried out by a Chinese threat actor known as Lotus Blossom.

## Background

Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding the disclosure of a supply chain compromise of Notepad++.

## FAQ

**What happened with Notepad++?**

On February 2, Don Ho, creator of Notepad++, a source code and text editor for Windows, published a blog detailing the investigation into a supply chain security incident.

**What kind of security incident is this?**

According to the blog post, threat actors compromised the infrastructure by which Notepad++ distributes software updates. This compromise allowed the attackers to redirect update traffic from its intended destination (notepad-plus-plus dot org) to an attacker-controlled site.

**When did this security incident begin?**

The security incident began in June 2025.

**How long did the security incident last?**

Roughly six months. The compromised infrastructure was accessible until September 2, 2025. However, because the attackers possessed valid credentials for the internal services of the infrastructure provider, they were able to continue redirecting Notepad++ update traffic until December 2, 2025.

**Was this incident known prior to February 2?**

Yes. Ho published a blog post on December 9 regarding the release of version 8.8.9 and noted that security experts "reported incidents of traffic hijacking affecting Notepad++." The full scope of the security incident wasn't known at the time, as the investigation was ongoing.

**Has this attack been linked to a specific threat actor?**

Yes, reports suggest that the attack was carried out by a Chinese threat actor known as Lotus Blossom, also known as Bilbug, Raspberry Typhoon or Thrip.

**What do we know about Lotus Blossom?**

Lotus Blossom has been operating since 2009 and is known for deploying various backdoor malware. Regionally, the group has a penchant for targeting entities across Asia, including government and the defense sector.

**How widespread was this Notepad++ attack?**

Despite the widespread usage of Notepad++, reports indicate that Lotus Blossom focused on espionage against certain targets through the deployment of malware rather than on financially motivated cybercrime such as ransomware or extortion.

**Were there any vulnerabilities associated with this security incident?**

On February 2, CVE-2025-15556 was assigned for this security incident. CVE-2025-15556 is a download-of-code-without-integrity-check vulnerability.

**Are there software updates available for this security incident?**

Yes, Notepad++ has released 8.9.1, which now includes XML signature validation (XMLDSig) for security updates, with additional signing enforcement expected in version 8.9.2.

| Affected Product | Affected Versions | Fixed Versions |
| --- | --- | --- |
| Notepad++ | 8.9 and lower | 8.9.1 and above |

**Has Tenable released any product coverage for these vulnerabilities?**

Yes, a Tenable plugin to identify vulnerable versions of Notepad++ is available. The plugin listing will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

## Get more information

- Notepad++ Hijacked by State-Sponsored Hackers
- Notepad++ v8.8.9 release: Vulnerability-fix
Analysis Summary
# Incident Report: Notepad++ Supply Chain Compromise (CVE-2025-15556)
## Executive Summary
Between June and December 2025, the update infrastructure of the Notepad++ text editor was compromised by a state-sponsored threat actor. The attackers redirected official update traffic to a malicious site to distribute malware for targeted espionage. The incident was resolved with the release of version 8.9.1, which introduced cryptographic signature validation for updates.
## Incident Details
- **Discovery Date:** December 9, 2025 (Initial public mention); February 2, 2026 (Full disclosure)
- **Incident Date:** June 2025 – December 2, 2025
- **Affected Organization:** Notepad++ / Users of Notepad++
- **Sector:** Software Development / Information Technology (Supply Chain)
- **Geography:** Global distribution; targeting focused on Asia (Government/Defense)
## Timeline of Events
### Initial Access
- **Date/Time:** June 2025
- **Vector:** Compromise of the infrastructure provider hosting Notepad++ update services.
- **Details:** Threat actors gained access to the infrastructure used to distribute software updates.
### Lateral Movement
- **Details:** Attackers obtained and utilized valid credentials for internal services of the infrastructure provider to maintain control over traffic routing.
### Data Exfiltration/Impact
- **Details:** Update traffic intended for `notepad-plus-plus[.]org` was redirected to an attacker-controlled site. This facilitated the delivery of backdoor malware to specific targets for espionage.
### Detection & Response
- **December 2, 2025:** Malicious redirection was officially terminated/blocked.
- **December 9, 2025:** Developer Don Ho released version 8.8.9, noting reports of "traffic hijacking" while the investigation continued.
- **February 2, 2026:** Final investigative blog and CVE-2025-15556 assigned; software version 8.9.1 released with security fixes.
## Attack Methodology
- **Initial Access:** Infrastructure provider compromise.
- **Persistence:** Possession of valid internal service credentials allowed the redirection to persist even after initial infrastructure fixes.
- **Defense Evasion:** Use of legitimate update channels to bypass standard perimeter security (Supply Chain Attack).
- **Credential Access:** Theft of credentials belonging to the infrastructure provider.
- **Impact:** Redirection of legitimate traffic to malicious endpoints (Traffic Hijacking).
- **Threat Actor:** Linked to **Lotus Blossom** (aka Bilbug, Raspberry Typhoon, or Thrip), a Chinese state-sponsored group.
## Impact Assessment
- **Financial:** Not primary; the actor is motivated by espionage rather than ransomware.
- **Data Breach:** Exposure of targeted systems to backdoor malware; potential theft of sensitive government and defense data.
- **Operational:** Disruption of the Notepad++ update mechanism for six months.
- **Reputational:** Significant concern regarding the trust of widely used open-source utilities.
## Indicators of Compromise
- **Network:** Redirected traffic from `notepad-plus-plus[.]org` to unauthorized external IPs (specific malicious IPs not listed in the summary but referenced as "attacker-controlled").
- **Behavioral:** Downloads of Notepad++ updates from non-standard or unauthorized domains.
- **Vulnerability:** CVE-2025-15556 (Download of code without integrity check).
## Response Actions
- **Containment:** Revocation of compromised credentials and restoration of infrastructure integrity by December 2, 2025.
- **Eradication:** Identification of the vulnerability in the update process.
- **Recovery:** Release of **Notepad++ version 8.9.1**, which implements XML Digital Signatures (XMLDSig) to validate updates before execution.
## Lessons Learned
- **Integrity Checks are Mandatory:** Relying on the security of the hosting provider or a clear-text URL for updates is insufficient.
- **Long Residency:** State-sponsored actors can maintain redirections for months if they possess deep-level infrastructure credentials.
- **Targeted vs. Mass Attack:** Even if a tool has millions of users, attackers may use a supply chain breach to surgically target a dozen high-value entities.
## Recommendations
- **Update Immediately:** All users should upgrade to **Notepad++ 8.9.1 or higher**.
- **Implement XMLDSig/Code Signing:** Software developers must ensure all updates are cryptographically signed and verified by the client-side application.
- **Infrastructure Auditing:** Regularly rotate credentials for infrastructure providers and monitor for unauthorized changes in DNS or traffic routing.
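To make the client-side check called for above concrete, here is an added example (not Notepad++ code, and a simplified stand-in for XMLDSig, which additionally specifies XML canonicalization): the update manifest is trusted only after a detached Ed25519 signature over its exact bytes verifies under a key pinned in the client, and the downloaded payload is then checked against the digest the signed manifest carries. The manifest format, the `vulnerableParse`/`verifiedParse`/`payloadMatches` helpers, the key handling and all sample values are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
)

// Manifest is a simplified update descriptor constructed for this example (not Notepad++'s real update XML).
type Manifest struct {
	Version string `xml:"version"`
	URL     string `xml:"url"`
	SHA256  string `xml:"sha256"`
}

// vulnerableParse is the defect class behind CVE-2025-15556: the server's reply is trusted as-is, so a hijacked server controls the URL.
func vulnerableParse(body []byte) (Manifest, error) {
	var m Manifest
	err := xml.Unmarshal(body, &m)
	return m, err
}

// verifiedParse accepts the manifest only if a detached signature over the exact bytes verifies under a key pinned in the client.
func verifiedParse(body, sig []byte, pinned ed25519.PublicKey) (Manifest, error) {
	if !ed25519.Verify(pinned, body, sig) {
		return Manifest{}, fmt.Errorf("manifest signature invalid: refusing update")
	}
	return vulnerableParse(body)
}

// payloadMatches binds the downloaded installer to the digest carried in the signed manifest.
func payloadMatches(m Manifest, payload []byte) bool {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:]) == m.SHA256
}

func main() {
	// A real client embeds the public key at build time; the pair is generated here only for the demo.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer bytes")
	sum := sha256.Sum256(installer)
	tmpl := `<update><version>8.9.1</version><url>%s</url><sha256>%s</sha256></update>`
	body := []byte(fmt.Sprintf(tmpl, "https://updates.example/npp.exe", hex.EncodeToString(sum[:])))
	sig := ed25519.Sign(priv, body)
	m, err := verifiedParse(body, sig, pub)
	fmt.Println("genuine accepted:", err == nil, "payload ok:", payloadMatches(m, installer))
	// A hijacked server that rewrites the URL cannot re-sign, so the original signature fails.
	hijacked := []byte(fmt.Sprintf(tmpl, "https://attacker-controlled.example/npp.exe", hex.EncodeToString(sum[:])))
	_, err = verifiedParse(hijacked, sig, pub)
	fmt.Println("hijacked rejected:", err != nil)
}
```

The same pattern applies whether the manifest is fetched over plain HTTP or TLS: transport security does not help once the upstream host itself is hijacked, which is why the signature must be checked against a key the client already holds.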