Red skull and bone showing Chinese hackers compromised software updates

Chinese Hackers Compromised Notepad++ Software Updates For Nearly Half a Year, But Only “Select” Targets Breached

State-sponsored Chinese hackers are thought to have been behind a long-term compromise of the popular Notepad++ text and code editor that stretched throughout the latter half of 2025, breaching a hosting provider to serve malicious updates. Their access was cut off as of December 2, but a “highly selective” collection of users may have been compromised if they received updates beginning in June 2025.

Chinese hackers used Notepad++ access to attack specific targets

Security researchers believe that Chinese hackers are to blame for the attack in part because of the “selective” nature of the targets that were chosen for follow-on compromise. Notepad++ is a free and broadly popular piece of software that is thought to have tens of millions of users worldwide, but the threat actors followed up with only a limited number of targets that were mostly located in East Asia and in possession of espionage information of interest to the Chinese government.

The compromise allowed the Chinese hackers to direct the malicious software updates only to their specific targets of interest, something that likely helped the incident stay below the radar for so long. The targets were selectively connected to malicious servers rather than the normal update servers that most Notepad++ users continued to get their software updates from during the breach window.

The server with the Notepad++ update application was compromised sometime in June 2025. Notepad++ version 8.8.9, released in December, removes the attacker’s access. The Chinese hackers were actually temporarily removed in September during a server kernel and firmware update, but reestablished access using internal credentials stolen during the prior breach window. Version 8.8.9 forward of Notepad++ now verify installer certificates and signatures and cryptographically sign update XML. Version 8.9.2, slated for release sometime in early March, will enforce mandatory certificate signature verification.

Security researchers believe that the Chinese hackers are a team called “Lotus Blossom” or “Raspberry Typhoon.” While they have not grabbed the same headlines that the other “Typhoon” outfits have in recent years, the group is thought to have been active since at least 2009 and has an established reputation for effective spearphishing and watering hole attacks and tends to focus on Southeast Asia and Central America. The group also made use of a never-before-seen backdoor called “Chrysalis” as part of the Notepad++ attack.

Malicious software updates prompted signs of intrusion, but no indicators of compromise

Specific organizations have not been named, but one of the security teams investigating the incident said that the Chinese hackers targeted at least three specific entities and that they were focused on East Asia. A follow-up by Kaspersky more specifically traced the campaign to targeting of organizations in Australia, Vietnam, El Salvador and the Phillipines, though this is not necessarily the full extent of entities hit by the malicious software updates. The attack’s structure somewhat reflects that of the most notorious supply chain attack of all time, the breach of SolarWinds several years ago, but at this point it appears both the breach window and the scale of the damage is much more limited.

The Notepad++ team says that it spent a week analyzing about 400 GB of server logs from its breached hosting provider, but does not see any concrete indicators of compromise and did not receive any from the host. The software has since migrated to a new host. A follow-up on the Chrysalis backdoor by researchers with security firm Rapid7 has since listed file and network indicators.

A recent threat landscape report from security firm Cyble shows a 93% increase in supply chain attacks in 2025, with a frequency of about 26 per month in most months of the year. Following the example set by SolarWinds, hackers continue to heavily target IT and technology firms as a means of gaining access to multiple downstream targets via compromised software updates. IBM’s 2025 Cost of a Data Breach report indicates that the average cost of a supply chain attack is up to $4.91 million, with that number rising by nearly $1 million in the industrial sector, and larger organizations can expect downtime costs of up to $125,000 per hour.

The world’s most advanced threat actors, such as the Chinese hackers highlighted in this story, can be expected to restrain themselves from mass abuse of the access to software updates to instead take a quiet approach focused on their targets of greatest interest; widespread indiscriminate attacks or data theft would likely cause supply chain attacks to be detected in a matter of days or hours rather than months. Even private criminal groups, such as Lapsus$ and Scattered Spider, tend to roll their attacks out slowly and stagger them to maximize use of access to an “upstream” provider.

Jason Soroko, Senior Fellow at Sectigo, expands on necessary defensive measures: “This incident highlights the insidious nature of selective supply chain attacks, where the attacker’s restraint, which is to only target only high-value victims while leaving the majority of users untouched. This allowed them to maintain access for six months without triggering broad alarms. By compromising the hosting infrastructure to deliver poisoned updates, the attackers likely sought to gain Remote Code Execution (RCE) on developer workstations. These environments are high-yield targets for espionage, as they often contain hardcoded credentials (SSH keys, cloud API tokens), direct access to source code, and privileged routes into production networks, effectively turning the developers’ own tools into backdoors for lateral movement. To defend against such surgical compromises, organizations must adopt a “Zero Trust” approach to software updates, verifying not just the binary’s signature but the integrity of the update channel itself. The move to sign the update XML (XMLDSig) is a critical evolution; it ensures that the instruction to update comes from the maintainer, preventing attackers who control the server from tricking the client into downloading a malicious file even if they can’t forge the binary’s signature. Additionally, security teams should enforce strict network egress filtering, which is about blocking text editors from making unapproved external connections. and require out-of-band hash verification for sensitive tools to confirm that the file received matches the developer’s official release.”

Collin Hogue-Spears, Senior Director of Solution Management at Black Duck, adds: “I’ve been tracking how state actors weaponize developer ecosystems for two years. North Korea industrialized npm. China just industrialized the delivery layer. APT31 never touched the Notepad++ source code, never compromised the build pipeline, never broke a signature. They lived inside the hosting provider for six months, filtered update requests by IP range, and hand-delivered trojanized installers to East Asian telecom and financial targets while millions of other users pulled clean copies. The software supply chain has shifted from a development pipeline to a liability pipeline, and this attack exploited the gap most organizations still don’t instrument: the path between a vendor-signed binary and your endpoint. Security teams need to stop treating ‘came from the right domain’ as provenance. Auto-updaters are remote code execution pipelines. Kill direct-to-internet updates for developer tools; force them through an internal repository that re-validates the vendor’s code-signing certificate and blocks anything not signed by the expected publisher. Notepad++ had to add exactly that signature/certificate check after update traffic was redirected to attacker infrastructure. Then hunt the behavior, not the brand. Distribution-layer compromise turns ‘update’ into ‘hands-on-keyboard’ fast, and you won’t catch it with build-pipeline controls.”