A supply-chain compromise attributed to the threat group known as Lotus Blossom turned Notepad++'s update infrastructure into a delivery channel for a new backdoor named Chrysalis. According to Rapid7's findings, the attackers abused weaknesses in how the hosting provider handled the editor's update traffic, and the malicious redirection persisted until December 2, 2025.
The attack worked by redirecting update requests to attacker-controlled servers; because the updater in earlier Notepad++ versions did not adequately verify what it downloaded, a redirected request was enough to deliver and run a malicious installer. Notepad++'s maintainer, Don Ho, confirmed that a fix shipped in December 2025 with version 8.8.9. Since the incident, the project has moved to a different hosting provider and rotated all related credentials. Installations that ran the updater from a version earlier than 8.8.9 during the affected window should be checked for the installer chain Rapid7 describes rather than assumed clean.
Rapid7's investigation traced the infection to the updater chain: notepad++.exe launches the updater GUP.exe, which in turn ran a suspicious update.exe fetched from an IP address Rapid7 identified. That installer, built with the Nullsoft Scriptable Install System (NSIS), bundles several components that give the attackers access to and control over the compromised host. The command-and-control server is currently offline, but the malware itself supports extensive manipulation of the infected system.
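The process chain above is the most portable indicator, but on its own it is not enough: a legitimate Notepad++ update also produces GUP.exe spawning an installer under notepad++.exe. The following is an added hunting example, not code from Rapid7 or the Notepad++ project. It walks constructed Sysmon-style process-creation records (pid, parent pid, image path; the sample events are made up, not real telemetry), looks for executables launched by GUP.exe beneath notepad++.exe, and flags those whose name does not match the expected installer naming pattern. That pattern (`npp.<version>.Installer[.x64|.arm64].exe`) is an assumption to be checked against your own baseline, and a match should still be followed by a signature and hash check of the file.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str  # full path of the started executable


# Assumed naming pattern for a legitimate Notepad++ installer fetched by GUP,
# e.g. npp.8.8.9.Installer.x64.exe. This is an assumption for the example;
# verify it against installers observed in your own environment.
LEGIT_INSTALLER = re.compile(
    r"^npp\.\d+(\.\d+)*\.installer(\.x64|\.arm64)?\.exe$", re.IGNORECASE
)


def _name(path: str) -> str:
    """Lower-cased basename of a Windows path."""
    return ntpath.basename(path).lower()


def ancestry(index: Dict[int, ProcEvent], pid: int, max_depth: int = 16) -> List[str]:
    """Image basenames of pid and its ancestors, nearest first.

    Stops at an unknown pid (root or missing telemetry), at a pid reuse
    cycle, or after max_depth hops.
    """
    names: List[str] = []
    seen = set()
    while pid in index and pid not in seen and len(names) < max_depth:
        seen.add(pid)
        ev = index[pid]
        names.append(_name(ev.image))
        pid = ev.ppid
    return names


def find_suspicious_updates(events: List[ProcEvent]) -> List[int]:
    """PIDs of executables launched by GUP.exe under notepad++.exe whose
    file name does not look like a normal Notepad++ installer."""
    index = {e.pid: e for e in events}
    hits: List[int] = []
    for e in events:
        chain = ancestry(index, e.ppid)
        # Require parent == GUP.exe and grandparent == notepad++.exe.
        if len(chain) < 2 or chain[0] != "gup.exe" or chain[1] != "notepad++.exe":
            continue
        if LEGIT_INSTALLER.match(_name(e.image)):
            continue  # expected updater behaviour; still verify its signature
        hits.append(e.pid)
    return hits


# Constructed sample events for the example (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    # The compromised-update chain described by Rapid7.
    ProcEvent(200, 100, r"C:\Program Files\Notepad++\notepad++.exe"),
    ProcEvent(300, 200, r"C:\Program Files\Notepad++\updater\GUP.exe"),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    # An ordinary update: same parent chain, expected installer name.
    ProcEvent(600, 100, r"C:\Program Files\Notepad++\notepad++.exe"),
    ProcEvent(700, 600, r"C:\Program Files\Notepad++\updater\GUP.exe"),
    ProcEvent(800, 700, r"C:\Users\alice\AppData\Local\Temp\npp.8.8.9.Installer.x64.exe"),
    # An update.exe with no updater ancestry: unrelated to this chain.
    ProcEvent(900, 100, r"C:\Users\alice\Downloads\update.exe"),
]


if __name__ == "__main__":
    print(find_suspicious_updates(SAMPLE_EVENTS))  # [400]
```

On a real host the same query is easy to express against Sysmon or EDR process-creation data keyed on ParentImage and Image; the point of the name filter is to keep the rule from firing on every routine update while still catching an installer that the updater would never have fetched by itself.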