Lotus Blossom Notepad++ updater compromise campaign
Campaign
Summary
The Lotus Blossom operation compromised the Notepad++ updater and selectively redirected update requests from specific users to malicious servers, creating a supply-chain risk for trusted software updates. The campaign was attributed to a China-linked threat group and lasted from June 2025 until discovery on December 2, 2025. Attackers abused weak update verification controls in older versions, letting malicious code ride along an official update path.
Related Happenings
Notepad++ version 8.9.2 double-lock update hardening
Security Patch Release
First: 17.02.2026 20:29
Last: 17.02.2026 20:29
Sources 1
How related:
The new mechanism landed in Notepad++ version 8.9.2, announced yesterday, although work on it began in version 8.8.9 with the implementation of verification of the signed installer from GitHub.
About this happening:
**Notepad++ version 8.9.2** introduces a **double-lock** update mechanism that reduces **supply-chain compromise risk** in the auto-update path. The release verifies the **signed...
Notepad++ hit by network compromise
Incident
First: 03.02.2026 06:55
Last: 03.02.2026 06:55
Sources 1
About this happening:
The **Notepad++** hosting breach enabled attackers to hijack the software update path and selectively redirect some users to **malicious servers**, creating a **supply-chain** ris...
Latest development: 18.02.2026 09:40
Notepad++ released version 8.9.2 to harden the update mechanism after the hijacked update path was used to deliver targeted malware. The release adds a "double lock" design: verification of the signed installer downloaded from GitHub and verification of the signed XML returned by the update server at notepad-plus-plus[.]org. It also introduces WinGUp hardening, including removal of libcurl.dll, removal of CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE, and restriction of plugin management execution to programs signed with the same certificate as WinGUp.
Chinese state-sponsored campaign to hijack Notepad++ update traffic
Campaign
First: 02.02.2026 16:53
Last: 02.02.2026 16:53
Sources 1
About this happening:
A **months-long campaign** hijacked **Notepad++ update traffic**, selectively sending some users to malicious servers and threatening the integrity of software updates. The operat...
Microsoft security patch release for CVE-2026-20805
Security Patch Release
First: 14.01.2026 02:47
Last: 14.01.2026 02:47
Sources 1
About this happening:
**Microsoft** released January 2026 security updates for **Windows** and supported software, fixing **at least 113 vulnerabilities** and **8 critical flaws**. The release includes...
Notepad++ WinGUp update hijack security flaw
Vulnerability
First: 11.12.2025 23:04
Last: 11.12.2025 23:04
Sources 1
About this happening:
**Notepad++'s WinGUp updater** had a security weakness that could let **malicious executables** replace legitimate update packages, creating an **attacker-controlled update path**...
Timeline
- 17.02.2026 20:29 1 article · 3mo ago
Rapid7 and Notepad++ disclose the Lotus Blossom updater compromise on December 2, 2025
Technical Analysis Update
Rapid7 and Notepad++ identified a six-month supply-chain compromise of the Notepad++ updater infrastructure on December 2, 2025, after a compromised hosting provider selectively redirected update requests from specific users to malicious servers. The campaign began in June 2025, exploited weak update verification controls in older versions, and was attributed to the China-linked Lotus Blossom group; Rapid7 also identified a custom backdoor called Chrysalis in the attack chain.
Show sources
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
- 17.02.2026 20:29 2 articles · 3mo ago
Notepad++ version 8.9.2 adds a double-lock updater mechanism
Mitigation Patch Update
Notepad++ version 8.9.2 introduced a double-lock update mechanism that verifies the signed installer from GitHub and the signed XML from notepad-plus-plus.org, making the updater more robust against the compromise that affected older versions. The release also removed libcurl.dll to eliminate DLL side-loading risk, dropped CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE, and restricted plugin management execution to programs signed with the same certificate as WinGUp.
Show sources
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29
- Notepad++ boosts update security with ‘double-lock’ mechanism — www.bleepingcomputer.com — 17.02.2026 20:29