Threat Advisories

Notepad++ targeted in suspected state-sponsored supply chain attack

Written by Integrity360 | Feb 3, 2026 12:45:30 PM

The popular open-source text editor Notepad++ has been targeted in a sophisticated supply chain attack by a suspected state-sponsored threat actor.

Investigations by the software's creator, a private incident response provider and the security vendor Rapid7 have confirmed that the attack abused the software distribution infrastructure rather than exploiting the software itself.

The project's author used a third-party infrastructure provider to distribute software updates to users; that arrangement has reportedly been discontinued at the time of writing.

The threat actor compromised this third party and was able to perform an adversary-in-the-middle (AITM) redirection attack, so that users who updated downloaded a malicious update instead of the genuine one.

Once downloaded, the malicious software component performs a suite of malicious actions designed to maintain persistent access and remain undetected by security software.

The following actions have been identified during research by Rapid7:

- Creation of malicious executable files

- DLL side-loading

- Real-time code obfuscation using encrypted code pages, a technique commonly used to hinder malware analysis

- Connection to an external command and control channel for further malicious activity

- Traditional persistence mechanisms, including malicious services and registry keys

Once running on a compromised machine, the malware provides full reverse shell access within the context of the executing program, reading and writing of arbitrary files on disk, self-removal, and other functionality.

The window of access for the threat actor was reportedly from June 2025 to December 2025.

Since the attack, the Notepad++ author has changed hosting providers, initiated an incident response process, and released security updates (v8.9.1) to the Notepad++ software.

If users within your organisation have used Notepad++ during the relevant time window, it is prudent that an investigation and compromise assessment is carried out using EDR telemetry or digital forensic analysis to identify whether the malicious update had been applied.

IoCs from Rapid7's investigation, which can be used to support these investigations, are available here: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
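As a starting point for the compromise assessment recommended above, the following is an added example (not code from the advisory, Rapid7 or the Notepad++ project) that triages a fleet inventory against the two figures the advisory gives: the fixed release 8.9.1 and the June to December 2025 access window. It assumes an EDR inventory export in CSV form (constructed below) with one row per host giving the installed Notepad++ version and the last-modified time of the executable; the column names are assumptions, not any vendor's schema.

```python
"""Triage Notepad++ hosts against the update-channel compromise window."""
import csv
import io
from datetime import datetime, timezone

# Figures taken from the advisory: the fixed release and the reported access window.
FIXED_VERSION = (8, 9, 1)
WINDOW_START = datetime(2025, 6, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample export; hostnames, versions and timestamps are made up.
SAMPLE_EXPORT = """hostname,npp_version,npp_exe_modified_utc
ws-001,8.8.3,2025-09-14T10:22:05Z
ws-002,8.9.1,2026-02-02T08:01:44Z
ws-003,8.7.1,2025-03-30T16:40:12Z
ws-004,8.8.6,2025-12-20T09:15:00Z
"""

def parse_version(text: str) -> tuple:
    """'8.8.3' -> (8, 8, 3); integer tuples compare like version numbers."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(version: str, modified_iso: str) -> str:
    """Return a triage verdict for one host.

    'patched'     - already on the fixed release or later
    'investigate' - unpatched AND the binary changed inside the access window,
                    i.e. an update was likely pulled while the channel was hijacked
    'update'      - unpatched, but no update landed during the window
    """
    modified = datetime.fromisoformat(modified_iso.replace("Z", "+00:00"))
    if parse_version(version) >= FIXED_VERSION:
        return "patched"
    if WINDOW_START <= modified <= WINDOW_END:
        return "investigate"
    return "update"

def triage(export_csv: str) -> dict:
    """Map hostname -> verdict for every row of the export."""
    rows = csv.DictReader(io.StringIO(export_csv))
    return {r["hostname"]: classify(r["npp_version"], r["npp_exe_modified_utc"])
            for r in rows}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EXPORT).items():
        print(f"{host}: {verdict}")
```

A snapshot only shows the binary currently on disk: a host that updated during the window and was later moved to 8.9.1 will read as "patched", so pair this with EDR process and network history for the window rather than relying on the version alone.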

Sophisticated third-party attacks of this nature are hard to mitigate, since no user interaction was required beyond updating the software through official channels.

Therefore it is vitally important that the correct monitoring (EDR) and prevention (anti-virus) measures are in place within your organisation.

If you suspect that this incident may have affected your organisation, contact the Integrity360 SOC or the Integrity360 Incident Response Team for assistance.