Chinese State Actor Compromises Notepad++ Update Infrastructure

Severity: High (Score: 75.5)

Sources: Mbtmag

Summary

Between June and December 2025, the Chinese state group Lotus Blossom compromised the shared hosting provider for Notepad++, redirecting update traffic to deliver malicious installers to targeted users. The attackers maintained valid credentials for three months after losing direct server access and employed tactics such as DLL sideloading and a custom backdoor with reverse shell capabilities. This incident highlights a significant vulnerability in supply chain security, as organizations often focus only on code review and dependency scanning, neglecting the risks associated with trusted distribution channels.

Palo Alto Networks' Unit 42 identified affected sectors including energy, financial, government, manufacturing, and software development across the U.S. and Europe. The Notepad++ compromise is part of a broader pattern of nation-state supply chain attacks that exploit trusted relationships. Cryptographic update verification is essential, as the Notepad++ attack succeeded due to older updater versions lacking signature verification. Organizations must adopt a comprehensive chain-of-custody model to enhance their defenses against such threats.

Key Points

  • Chinese state group Lotus Blossom compromised Notepad++ update infrastructure.
  • Attackers maintained access for three months, using advanced techniques like DLL sideloading.
  • Organizations must implement cryptographic verification to prevent similar supply chain attacks.

Key Entities

  • Crink (apt_group)
  • Lotus Blossom (apt_group)
  • Supply Chain Attack (attack_type)
  • Notepad++ Operation (campaign)
  • 3CX (company)
  • Codecov (company)
  • SolarWinds (company)
  • China (country)
  • Iran (country)
  • North Korea (country)
  • Russia (country)
  • Taiwan (country)
  • Energy (industry)
  • Financial (industry)
  • Government (industry)
  • Manufacturing (industry)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1574 - Hijack Execution Flow (mitre_attack)