Chinese State Actor Compromises Notepad++ Update Infrastructure

Chinese State Actor Compromises Notepad++ Update Infrastructure

First seen 19 Mar 2026, 19:41 UTC Mbtmag 100% similarity 75.5

Article Content

Browse articles
ThreatCluster

Between June and December 2025, the Chinese state group Lotus Blossom compromised the shared hosting provider for Notepad++, redirecting update traffic to deliver malicious installers to targeted users. The attackers maintained valid credentials for three months after losing direct server access and employed tactics such as DLL sideloading and a custom backdoor with reverse shell capabilities. This incident highlights a significant vulnerability in supply chain security, as organizations often focus only on code review and dependency scanning, neglecting the risks associated with trusted distribution channels. Palo Alto Networks' Unit 42 identified affected sectors including energy, financial, government, manufacturing, and software development across the U.S. and Europe. The Notepad++ compromise is part of a broader pattern of nation-state supply chain attacks that exploit trusted relationships. Cryptographic update verification is essential, as the Notepad++ attack succeeded due to older updater versions lacking signature verification. Organizations must adopt a comprehensive chain-of-custody model to enhance their defenses against such threats.

Key Points: • Chinese state group Lotus Blossom compromised Notepad++ update infrastructure. • Attackers maintained access for three months, using advanced techniques like DLL sideloading. • Organizations must implement cryptographic verification to prevent similar supply chain attacks.

ThreatCluster AI

Timeline

2025-06-01
Lotus Blossom begins compromising Notepad++ update infrastructure
2025-12-31
Lotus Blossom's access to Notepad++ infrastructure ends
2026-03-19
Articles published detailing the Notepad++ compromise

Community

Browse all →