Notepad++ Supply-Chain Attack: Chinese Actors Exploit Update Infrastructure, Highlighting Software Security Risks
February 3, 2026
The campaign appears to have started mid-2025, with the compromised server remaining accessible until early September 2025, after which attackers maintained access using credentials obtained beforehand.
Attackers compromised the update infrastructure, redirecting requests to malicious servers and exploiting weak update verification in older Notepad++ versions.
Notepad++ disclosed a December 2025 supply-chain attack in which a likely Chinese government–sponsored actor targeted users by intercepting and redirecting update traffic through the hosting provider.
Security guidance for organizations includes monitoring for unusual network activity from gup.exe, unexpected installer processes, and suspicious TEMP files, plus considering traffic or process blocks in large deployments lacking strong monitoring.
Attribution ties Lotus Blossom to prior campaigns and notes a shift toward evasion with multi-layered shellcode loading and undocumented system calls.
The article references related supply-chain incidents and broader concerns about package integrity in software ecosystems.
Security expert Kevin Beaumont noted awareness of three East Asia–related organizations experiencing incidents potentially tied to Notepad++.
On-path attacks can be hard to detect and may leave limited forensic evidence, complicating attribution and investigations.
The incident is discussed in the broader context of Windows text-editing tools evolving with AI features, inviting readers to share preferences in the discussion.
Analysts describe a mix of custom malware (Chrysalis) and commodity frameworks (Metasploit, Cobalt Strike), with rapid adaptation from public research to evade detection.
Notepad++ emphasizes ongoing verification and logging to confirm cessation of malicious activity and maintain vigilance against future threats.
The breach underscores that even popular, trusted tools can be weaponized, highlighting the need for robust software supply-chain security and user vigilance.
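The monitoring guidance above (gup.exe network activity, unexpected installer processes, suspicious TEMP files) can be expressed as a small triage pass over endpoint telemetry. This is an added example, not code from Notepad++ or the cited reports; the event schema, the allowlisted host, the signer name and all sample events are placeholders constructed for illustration.

```python
import ntpath
import re

# Assumptions (not from the article); replace with values for your environment.
EXPECTED_UPDATE_HOSTS = {"updates.example.invalid"}  # placeholder allowlist
EXPECTED_SIGNER = "EXAMPLE-EXPECTED-SIGNER"          # placeholder signer name
TEMP_RE = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)

def _is_gup(path):
    # ntpath parses Windows paths correctly on any analysis host.
    return ntpath.basename(path or "").lower() == "gup.exe"

def triage(events):
    """Return (reason, event) pairs, correlating by pid across event types."""
    findings, tainted = [], set()
    for ev in events:
        kind = ev.get("type")
        if kind == "network" and _is_gup(ev.get("image")):
            if (ev.get("dest_host") or "").lower() not in EXPECTED_UPDATE_HOSTS:
                findings.append(("gup.exe contacted unexpected host", ev))
        elif kind == "process" and _is_gup(ev.get("parent_image")):
            if ev.get("signer") != EXPECTED_SIGNER:
                if ev.get("pid") is not None:
                    tainted.add(ev["pid"])  # follow what this child does next
                findings.append(("gup.exe launched unexpected installer", ev))
        elif kind == "file_create" and ev.get("pid") in tainted:
            if TEMP_RE.search(ev.get("target") or ""):
                findings.append(("unexpected installer wrote to TEMP", ev))
    return findings

GUP = r"C:\Program Files\Notepad++\updater\gup.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
# Constructed sample events (hypothetical schema), in time order.
SAMPLE_EVENTS = [
    {"type": "network", "image": GUP, "dest_host": "updates.example.invalid"},
    {"type": "network", "image": GUP, "dest_host": "203.0.113.10"},
    {"type": "process", "parent_image": GUP, "pid": 5000,
     "image": TEMP + r"\expected-installer.exe", "signer": EXPECTED_SIGNER},
    {"type": "file_create", "pid": 5000, "target": TEMP + r"\setup.log"},
    {"type": "process", "parent_image": GUP, "pid": 4321,
     "image": TEMP + r"\sample-installer.exe", "signer": None},
    {"type": "file_create", "pid": 4321, "target": TEMP + r"\sample.dat"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe", "pid": 77,
     "image": r"C:\Program Files\Notepad++\notepad++.exe", "signer": None},
]

if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(reason, "->", ev.get("image") or ev.get("target") or ev.get("dest_host"))
```

The correctly signed installer and its TEMP writes pass untouched, so the rule set alerts on deviation from the expected update path rather than on every update.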
Summary based on 19 sources
Sources

The Verge • Feb 2, 2026
Notepad++ updates got hijacked for months and could have spied for China
TechCrunch • Feb 2, 2026
Notepad++ says Chinese government hackers hijacked its software updates for months
BleepingComputer • Feb 2, 2026
Notepad++ update feature hijacked by Chinese state hackers for months
The Register • Feb 2, 2026
Notepad++ hijacking blamed on Chinese Lotus Blossom crew behind Chrysalis backdoor