Notepad++, a widely recognized open-source code editor, became the latest target of a sophisticated cyber operation orchestrated by the China-linked threat actor known as Lotus Blossom. Over a span of six months, the attackers covertly accessed critical Notepad++ infrastructure, raising new questions about the security of popular developer tools. The incident, affecting a subset of targeted users rather than the broader user base, underscores persistent risks in software supply chain defense. As discussion grows within the tech and security communities, attention now turns to both the response strategies taken and the broader threats posed by such advanced persistent threat groups.
Similar incidents in recent years have brought scrutiny to supply chain vulnerabilities within open-source projects, where attackers have exploited software updates and internal systems to compromise trust and steal information. Unlike earlier cases with more widespread consequences, such as those involving SolarWinds or malicious npm packages, this campaign primarily involved targeted espionage against select users rather than mass exploitation. Past probes into Notepad++’s security have also focused mainly on plugin vulnerabilities or unsecured update channels, but this marks one of the first times the tool’s core infrastructure proved a vector for an APT intrusion.
How Did Lotus Blossom Gain Access to Notepad++?
The Lotus Blossom group, also known as Billbug, Thrip, and Raspberry Typhoon, leveraged weak authentication mechanisms in Notepad++’s updater client to penetrate the software’s internal server beginning in June 2025. According to analysis from Rapid7, the attackers used this access to install a custom backdoor, allowing them to conduct reconnaissance and selectively monitor certain users’ activities.
Was Data Stolen from All Notepad++ Users?
Investigators have stated that there is currently no indication of mass data exfiltration from the platform. Instead, the focus of the attack appeared limited to a specific group of users, aligning with previous tactics used by Lotus Blossom for intelligence gathering.
“We have no evidence of bulk data exfiltration,” said Christiaan Beek, Rapid7’s senior director of threat intelligence and analytics. The compromised environment primarily facilitated targeted espionage, including system profiling and command execution, rather than data theft affecting the general Notepad++ community.
What Steps Did Notepad++ Take After the Breach?
Once the attack was identified, Notepad++’s maintainer, Don Ho, released a software update in December 2025 aimed at mitigating the authentication weaknesses that enabled the incident. The Notepad++ website and related infrastructure have since been moved to a new hosting provider with enhanced security controls. Ho confirmed that while the perpetrators maintained access to certain internal systems until December, further exploitation opportunities were minimized.
“The website, which attackers targeted to exploit insufficient update verification controls that existed in older versions of Notepad++, was moved to a new hosting provider with stronger security practices,” he disclosed in an official statement.
Analysis of the Lotus Blossom campaign demonstrates how sophisticated actors continue to leverage niche software utilities as conduits for selective intelligence collection. This case shows the importance of continuous vigilance, not only for the operators of open-source platforms but also for their large and diverse user bases—which include developers, IT professionals, and organizations in sensitive industries. For users, the incident highlights the critical need to keep software up to date and to pay attention to unusual behaviors in tools that are often trusted without scrutiny. While the current campaign appears contained, advanced persistent threats often adapt, making ongoing attention to update verification and server authentication a necessary part of software lifecycle management. Additionally, stakeholders should consider implementing enhanced threat monitoring and multifactor authentication within their IT processes.
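The article attributes the intrusion to weak authentication in the updater client and "insufficient update verification controls", and closes by urging attention to update verification and server authentication. The following is an added illustration, not Notepad++'s own updater code and not a reconstruction of the actual flaw, of what a client-side verification step looks like: a weak pattern that trusts whatever the update server returns, beside a hardened pattern that pins the download origin, requires TLS, and checks the payload against a digest the client already trusts. The host name, manifest layout, digest and sample release bytes are all constructed for this example; in practice the trusted digest must come from a signed manifest or an out-of-band channel, never from the same unauthenticated server response as the payload.

```python
"""Added illustration (not Notepad++'s own updater code): the kind of update
verification an updater client should perform before applying a downloaded
release. Names, manifest layout and sample bytes are constructed."""

import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample release and its SHA-256. This stands in for a digest
# obtained from a trusted source (signed manifest / out-of-band channel).
SAMPLE_RELEASE = b"npp-installer-bytes-constructed-for-this-example"
PINNED_SHA256 = hashlib.sha256(SAMPLE_RELEASE).hexdigest()
ALLOWED_HOST = "updates.example.invalid"   # hypothetical pinned origin


class UpdateRejected(Exception):
    """Raised when a downloaded update fails a verification check."""


def weak_apply_update(manifest: dict, payload: bytes) -> bytes:
    """Weak pattern: anything the server sends is treated as genuine.
    If the server (or the path to it) is compromised, any payload is
    accepted. Shown only as the counterexample."""
    if manifest.get("version"):          # the only 'check' performed
        return payload
    raise UpdateRejected("no version in manifest")


def hardened_apply_update(manifest: dict, payload: bytes,
                          pinned_sha256: str = PINNED_SHA256,
                          allowed_host: str = ALLOWED_HOST) -> bytes:
    """Hardened pattern: pin the origin, require TLS, and verify the payload
    against a digest the client already trusts before anything is run."""
    url = urlparse(manifest.get("url", ""))
    if url.scheme != "https" or url.hostname != allowed_host:
        raise UpdateRejected(f"unexpected download origin: {manifest.get('url')!r}")
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison so the check does not leak how much matched.
    if not hmac.compare_digest(actual, pinned_sha256):
        raise UpdateRejected("payload digest does not match pinned value")
    return payload


def check_update(manifest: dict, payload: bytes) -> bool:
    """True if the hardened checks accept the update, False otherwise."""
    try:
        hardened_apply_update(manifest, payload)
        return True
    except UpdateRejected:
        return False


if __name__ == "__main__":
    good = {"version": "example-version",
            "url": f"https://{ALLOWED_HOST}/npp.exe"}
    print("genuine release accepted:", check_update(good, SAMPLE_RELEASE))
    print("tampered payload accepted:",
          check_update(good, SAMPLE_RELEASE + b"\x90"))
    print("off-origin download accepted:",
          check_update({**good, "url": "http://mirror.example.invalid/npp.exe"},
                       SAMPLE_RELEASE))
```

Running the script accepts the genuine release and rejects both a tampered payload and a download served from any origin other than the pinned HTTPS host. The design choice worth noting is that the updater's trust anchor (the pinned digest and origin) is fixed in the client rather than supplied by the server, so a compromised update server cannot simply hand the client a different binary and a matching digest.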
