VERY IMPORTANT

A state-sponsored threat group known as Lotus Blossom compromised the official hosting infrastructure for Notepad++ between June and December 2025. The attackers hijacked traffic to the update server, allowing them to selectively target specific users, primarily in Southeast Asia across government, telecommunications and critical infrastructure sectors. Two infection chains were identified - one using Lua script injection to deliver Cobalt Strike and another using DLL side-loading to deploy a Chrysalis backdoor. The campaign affected additional sectors in South America, US, Europe and Southeast Asia including cloud hosting, energy, financial, government, manufacturing and software development. The sophisticated supply chain attack leveraged insufficient verification controls in older versions of the Notepad++ updater.