In mid-2025, Notepad++'s update mechanism was compromised due to a breach at its hosting provider, allowing a China-linked advanced persistent threat (APT) group known as Lotus Panda to hijack update traffic selectively. This supply chain attack enabled the delivery of a previously undocumented backdoor malware named Chrysalis to targeted victims. The attackers redirected update requests from specific users to malicious servers serving poisoned updates, effectively implanting malware under the guise of legitimate software updates. Notepad++ responded by releasing version 8.9.2, which introduced a "double lock" design to secure the update process. This design includes verification of the signed installer downloaded from GitHub (introduced in version 8.8.9) and newly added verification of the signed XML metadata returned by the official update server. Additionally, the auto-updater component WinGUp was hardened by removing the vulnerable libcurl.dll to prevent DLL side-loading, disabling insecure cURL SSL options (CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE), and restricting plugin management execution to programs signed with the same certificate as WinGUp. Notepad++ also patched a high-severity vulnerability (CVE-2026-25926, CVSS 7.3) involving an unsafe search path (CWE-426) that could allow arbitrary code execution if an attacker controlled the working directory when launching Windows Explorer without an absolute path. The supply chain incident itself is tracked as CVE-2025-15556 with a CVSS score of 7.7. The attack highlights the risks of software supply chain compromises and the importance of cryptographic verification of update components. Notepad++ users are strongly advised to update to version 8.9.2 and ensure downloads come from official domains to avoid infection by the Chrysalis backdoor or other malware.

European organizations using Notepad++—a widely adopted text editor among developers, IT professionals, and technical users—face significant risks from this supply chain attack. The targeted delivery of the Chrysalis backdoor enables attackers to gain persistent access, potentially leading to espionage, intellectual property theft, or disruption of operations. Given Notepad++'s popularity in software development and IT environments, compromised systems could serve as beachheads for lateral movement within networks. The arbitrary code execution vulnerability further increases risk by allowing local privilege escalation or execution of malicious payloads. The attack's selective targeting suggests high-value entities, such as government agencies, critical infrastructure operators, and technology firms, could be specifically targeted. This could result in loss of sensitive data, operational disruption, and reputational damage. The stealthy nature of supply chain attacks complicates detection and remediation, increasing potential dwell time of attackers in affected networks. Overall, the threat poses a medium to high risk to European organizations reliant on Notepad++ for development or administrative tasks.

European organizations should immediately update all Notepad++ installations to version 8.9.2 or later, ensuring downloads are obtained exclusively from the official Notepad++ domain or verified GitHub releases. Implement cryptographic verification of update packages and metadata to confirm authenticity before installation. Audit existing systems for indicators of compromise related to the Chrysalis backdoor, including unusual network connections or persistence mechanisms. Restrict execution privileges for auto-updater components and plugins to signed binaries only, as per the updated WinGUp design. Employ application whitelisting and endpoint detection and response (EDR) solutions to detect anomalous behaviors associated with supply chain malware. Conduct network segmentation to limit lateral movement if compromise occurs. Regularly review and harden software supply chain security policies, including vetting of hosting providers and update infrastructure. Educate users about risks of installing software from unofficial sources. Finally, monitor threat intelligence feeds for updates on Lotus Panda activities and related indicators.