BreachWatch™: Notepad++ update infrastructure compromise (Chrysalis)

February 25, 2026


Incident type: Supply-chain / update-delivery infrastructure compromise (hosting-provider layer), with selective redirection of update traffic.

Operational impact: Targeted users who updated via the built-in updater could be served trojanized installers from attacker-controlled servers (not a Notepad++ source-code compromise).

Malware delivered: A custom backdoor dubbed “Chrysalis” (plus additional tooling reported by responders).

Timeline: ~June–December 2025, with attacker access evolving over time (initial hosting compromise, then retained access via credentials).

Attribution (reported): Researchers and reporting attribute the campaign to a China-linked group commonly tracked as Lotus Blossom (a.k.a. Billbug / Lotus Panda).

Why it matters: This is the supply-chain failure mode teams routinely miss: distribution and update plumbing can become the attack surface – even when the software project itself isn’t compromised.


What happened

Notepad++’s update traffic was hijacked through a compromise at the hosting-provider / update-delivery infrastructure layer. Rather than exploiting a bug in the Notepad++ codebase, the threat actor selectively redirected update requests from certain targeted users to attacker-controlled servers that delivered malicious installers.

Public reporting places activity beginning around June 2025 and persisting for months, with full cutoff occurring in early December 2025 – a long dwell time for an update-path compromise.

Researchers and reporting attribute the campaign to the China-linked espionage group Lotus Blossom, and describe the delivered backdoor as Chrysalis.


VRM takeaways

  • “Trusted software” can be an untrusted delivery channel.
    If the update mechanism or the infrastructure behind it can be redirected, a legitimate product becomes a distribution vector – without touching source code.
  • Targeted supply-chain attacks won’t look “big” until they hit you.
    Selective redirection reduces noise and can evade broad telemetry, which is why months-long compromise windows are possible.
  • Questionnaires don’t cover real exposure.
    A vendor can “pass” controls on paper while their delivery dependencies (hosting, CDNs, update scripts, signing/verification paths) remain fragile – or unverified.

How Perimeter helps in incidents like this

Perimeter is built for supply-chain moments where speed and evidence matter more than assumptions. Here’s how the platform maps to the exact failure modes in this incident:

1. Monitor the blast radius (fast)

  • Identify which teams, endpoints, and vendor relationships depend on a given tool – and how it’s distributed (direct download vs. built-in updater, managed packaging, etc.).
  • Track breach and threat signals tied to the vendor and its infrastructure providers so reassessment triggers automatically, not ad hoc.

2. Verify what’s true (not just what’s claimed)

  • Correlate external signals (incident reporting, threat research, infrastructure indicators) against vendor statements – so “we’re not affected” becomes validated, not assumed.

3. Extract the facts from messy disclosures

  • Turn advisory writeups and vendor notices into structured fields: timeline, affected update paths, indicators, required customer actions, and evidence requests – so your team moves in hours, not days.

4. Assess impact in context

  • Score risk based on your actual dependency and exposure (who uses it, where it runs, what it touches), not generic severity.

5. Share an “impact check” that’s auditable

  • Send a standardized outreach to internal stakeholders and external vendors (if relevant) to confirm:
    • whether Notepad++ is present,
    • whether the built-in updater was used in the window,
    • whether any detections or suspicious updater behavior occurred,
    • and what remediation evidence exists.

6. Respond to closure (with proof)

  • Orchestrate remediation tasks (upgrade paths, endpoint validation, logging review, evidence capture) with owners, due dates, and artifacts – so you can answer: who was exposed, what changed, and what’s still open.

Immediate response checklist (use now)

If you have vendors with access to sensitive customer data:

  1. Scope usage: Confirm where Notepad++ is installed and how it’s updated (built-in updater vs. managed packaging vs. direct download).
  2. Contain and harden: Ensure endpoints are on versions with improved update verification where applicable, and prefer controlled software distribution channels.
  3. Hunt for signs of updater abuse: Review endpoint telemetry around update events during June–December 2025 and investigate anomalies (unexpected installer execution, unusual network destinations during update flows).
  4. Document everything: Capture what you checked, what you found, and what you changed – so you have defensible evidence for leadership, auditors, and incident response.
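One way to carry out step 3 over an exported slice of endpoint telemetry, as an added example (not the page's or Perimeter's code): it assumes a constructed pipe-delimited export, the June–December 2025 window from the write-up, the updater image name gup.exe, and an allowlist of destinations a legitimate update flow is expected to contact. It flags the updater reaching an unexpected destination, then escalates any installer that updater launches afterwards on the same host.

```python
"""Hunt for updater-abuse indicators in endpoint telemetry (added example)."""
from datetime import datetime

# Constructed sample telemetry: ts|host|event|parent|image|destination
SAMPLE_LOG = """\
2025-07-14T09:12:03Z|WS-0417|net_connect|notepad++.exe|gup.exe|notepad-plus-plus.org:443
2025-07-14T09:12:05Z|WS-0417|net_connect|notepad++.exe|gup.exe|203.0.113.45:443
2025-07-14T09:12:09Z|WS-0417|proc_create|gup.exe|npp.8.7.Installer.x64.exe|-
2025-05-02T11:00:00Z|WS-0102|net_connect|notepad++.exe|gup.exe|198.51.100.7:443
2025-08-20T15:40:11Z|WS-0233|net_connect|notepad++.exe|gup.exe|github.com:443
2025-08-20T15:40:20Z|WS-0233|proc_create|gup.exe|npp.8.7.Installer.x64.exe|-
2025-11-03T07:55:42Z|WS-0999|proc_create|explorer.exe|setup.exe|-
"""

# Assumptions: the incident window from the write-up, the updater image name,
# and the destinations a legitimate update flow is expected to contact.
WINDOW_START = datetime(2025, 6, 1)
WINDOW_END = datetime(2025, 12, 31, 23, 59, 59)
UPDATER = "gup.exe"
ALLOWED_DESTS = ("notepad-plus-plus.org", "github.com")


def _dest_allowed(dest: str) -> bool:
    """True when the destination host is an expected update endpoint."""
    host = dest.rsplit(":", 1)[0].lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DESTS)


def find_suspicious(log_text: str) -> list[dict]:
    """Return findings: the updater contacting unexpected destinations, and any
    installer the updater launches afterwards on the same host."""
    findings, tainted_hosts = [], set()
    for line in log_text.splitlines():
        ts, host, event, parent, image, dest = line.split("|")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if not WINDOW_START <= when <= WINDOW_END:
            continue  # outside the reported campaign window
        if event == "net_connect" and image.lower() == UPDATER and not _dest_allowed(dest):
            tainted_hosts.add(host)
            findings.append({"host": host, "ts": ts,
                             "reason": "updater_unexpected_destination", "detail": dest})
        elif event == "proc_create" and parent.lower() == UPDATER and host in tainted_hosts:
            findings.append({"host": host, "ts": ts,
                             "reason": "installer_after_unexpected_destination", "detail": image})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Installers launched after an allowlisted-only flow (WS-0233 above) are not reported, so the output is the short list a responder should actually triage.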

How Perimeter helps (mapped to this scenario)

  • Monitor: Continuous vendor signals so you’re not waiting on vendor updates to detect elevated risk.
  • Assess: Align vendor tiering and review depth to real access/criticality (especially when SSNs are in play).
  • Verify: Validate vendor claims against independent signals and evidence – surface gaps faster.
  • Extract + Share: Centralize requests and supporting documentation, reduce back-and-forth, and keep everything searchable.
  • Respond: Run structured incident outreach and tracking so time-to-clarity doesn’t drag on.

Bottom line

This wasn’t an open-source code flaw – it was a trust failure in the distribution pipeline. By compromising the hosting/update infrastructure and selectively redirecting traffic, attackers turned a widely used tool into a targeted delivery mechanism.

Modern supply-chain risk isn’t just about what software you use – it’s about where and how it’s delivered. Perimeter helps you see the dependency, validate real signals, and drive response to closure – with proof.

Run an Impact Check

Turn this incident into an auditable impact check – identify where the tool is used, validate exposure, and track closure in one place.

FAQ

Public reporting describes a compromise of update-delivery infrastructure (hosting-provider layer) and selective redirection of update traffic – not a source-code breach.
Reporting indicates the campaign was selective, targeting specific users/organizations rather than a broad consumer blast.
Researchers and reporting describe a custom backdoor dubbed Chrysalis, associated with the campaign attributed to Lotus Blossom.
Monitor and Verify for continuous signals and validation; Extract to structure disclosures; Assess to score impact; Share for auditable impact checks; Respond to drive remediation to closure.
