Notepad++ update channel hijacked: what happened and what to do
Researchers linked a months-long breach of the hosting infrastructure behind Notepad++ to the China-nexus group Lotus Blossom. The attackers compromised shared hosting and intermittently redirected update checks to rogue servers, selectively delivering malicious payloads between June and December 2025. The Notepad++ developer tightened the updater’s certificate/signature checks, rotated credentials and moved hosting. Victims appear targeted rather than broad-based. Users are urged to update promptly and verify sources for installers and updaters.
For several months in 2025, the update traffic for Notepad++ took a wrong turn. According to THN, a China-linked crew known as Lotus Blossom compromised the app’s hosting (not the code), then quietly redirected some users’ update checks to attacker-controlled servers. Those “special deliveries” could install malicious components, but the campaign looked targeted, not a free-for-all. The maintainer has since rotated credentials, hardened the update verifier and moved hosting.
Why this matters: software updates are a trust anchor. If attackers control where your app phones home, they can feed it poisoned files. This wasn’t a Notepad++ coding flaw; it was an infrastructure-level detour.
What to do (teams and individuals):
• Upgrade to the latest build and fetch installers from the official site only.
• Verify signatures and keep an eye on any auto-updater processes.
• In enterprises, pin update domains, log hash/signature validation results, and alert on sudden changes to update endpoints or the certificates they present.
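The three enterprise controls above (pinned update hosts, logged hash validation, alerting on endpoint or certificate changes) can be exercised over updater telemetry with a small triage script. The following is an added example, not code from the article or from the Notepad++ project; the host names, certificate fingerprints, version number and installer hashes are constructed placeholders, and the log format (one JSON object per updater event) is an assumption.

```python
"""Triage updater events against pinned hosts, a certificate baseline and
approved installer hashes. Added example with constructed values; it is not
the Notepad++ updater's own logic."""
import hashlib
import json

# Allow-listed update hosts. Placeholder domain, not the project's real one.
ALLOWED_UPDATE_HOSTS = {"updates.example.com"}

# SHA-256 of each approved installer, keyed by version (constructed values).
APPROVED_INSTALLER_HASHES = {
    "8.8.9": hashlib.sha256(b"approved installer bytes").hexdigest(),
}


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as pinning tools report it."""
    return hashlib.sha256(cert_der).hexdigest()


def check_update_event(event: dict, baseline: dict) -> list:
    """Evaluate one updater event. Expected keys: host, cert_fingerprint,
    version, payload_sha256. `baseline` maps host -> last-seen certificate
    fingerprint and is filled in on first sight, so a later change is visible.
    Returns a list of alert strings; an empty list means the event is clean."""
    alerts = []
    host = event["host"]

    # Control 1: update checks may only go to pinned hosts.
    if host not in ALLOWED_UPDATE_HOSTS:
        alerts.append(f"update check to non-allowlisted host {host}")

    # Control 3: the certificate an update endpoint presents should not flip.
    seen = baseline.get(host)
    if seen is None:
        baseline[host] = event["cert_fingerprint"]
    elif seen != event["cert_fingerprint"]:
        alerts.append(f"certificate fingerprint changed for {host}")

    # Control 2: the delivered payload must match an approved installer hash.
    expected = APPROVED_INSTALLER_HASHES.get(event["version"])
    if expected is None:
        alerts.append(f"unknown version {event['version']}")
    elif expected != event["payload_sha256"]:
        alerts.append("payload hash does not match approved installer")
    return alerts


def triage(log_lines, baseline=None) -> dict:
    """Run check_update_event over JSON log lines.
    Returns {line_number: [alerts]} for lines that raised at least one alert."""
    baseline = {} if baseline is None else baseline
    findings = {}
    for n, line in enumerate(log_lines, 1):
        alerts = check_update_event(json.loads(line), baseline)
        if alerts:
            findings[n] = alerts
    return findings


# Constructed sample telemetry: a clean check, then a check where the pinned
# host answers with a different certificate and a tampered payload, then a
# check silently redirected to a host that is not on the allow-list.
GOOD_FP = fingerprint(b"legitimate certificate DER")
ROGUE_FP = fingerprint(b"rogue certificate DER")
SAMPLE_LOG = [
    json.dumps({"host": "updates.example.com", "cert_fingerprint": GOOD_FP,
                "version": "8.8.9",
                "payload_sha256": APPROVED_INSTALLER_HASHES["8.8.9"]}),
    json.dumps({"host": "updates.example.com", "cert_fingerprint": ROGUE_FP,
                "version": "8.8.9",
                "payload_sha256": hashlib.sha256(b"tampered bytes").hexdigest()}),
    json.dumps({"host": "cdn-mirror.example.net", "cert_fingerprint": GOOD_FP,
                "version": "8.8.9",
                "payload_sha256": APPROVED_INSTALLER_HASHES["8.8.9"]}),
]

if __name__ == "__main__":
    for line_no, alerts in triage(SAMPLE_LOG).items():
        print(f"line {line_no}: " + "; ".join(alerts))
```

The first event seeds the certificate baseline and is clean; the second fires both the certificate-change and hash-mismatch alerts; the third fires only the host alert, which is the signal that matters most for an infrastructure-level redirect like the one described here, since the payload on a redirected check may look perfectly normal until the attacker chooses to serve something else.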
Bigger picture: treat update infrastructure like production crown jewels, with strict TLS, short-lived credentials, monitoring for DNS/CDN changes, and signed metadata (think TUF-style). It’s dull housekeeping—until it isn’t.