Signal

Notepad++ update infrastructure hijacked to deliver “chrysalis” backdoor (lotus blossom)


Published 2026-02-02 08:55 UTC · Updated 2026-02-03 04:55 UTC
Tags: supply_chain, malware, apt, software_updates, incident_response
Evidence trail (top sources, 4 domains; domains are deduped, and counts indicate coverage, not truth)
Notepad++ hijacked by suspected state-sponsored hackers
The Record (Recorded Future News) · News · therecord.media · 2026-02-02 14:00 UTC
Overview

A suspected state-linked actor compromised infrastructure used to deliver Notepad++ updates, enabling selective redirection of update traffic and delivery of a newly documented backdoor (“Chrysalis”). Reporting emphasizes that the intrusion occurred at the hosting/update-delivery layer rather than through a flaw in the Notepad++ source code; subsequent coverage centers on attribution to the China-linked Lotus Blossom cluster and on the technical characteristics of the implant and its loaders.

Entities
Rapid7, Notepad++, Rapid7 MDR, Rapid7 Labs, Don Ho
Score total: 1.78
Momentum 24h: 7
Posts: 7
Origins: 5
Source types: 1
Duplicate ratio: 0%
Why now
  • Rapid7 published a detailed technical analysis and attribution assessment
  • Maintainer disclosure and follow-on media coverage raised defender awareness
  • Multiple outlets amplified indicators of a targeted supply-chain intrusion
Why it matters
  • Update-path compromise can deliver malware via a trusted distribution channel
  • Selective targeting suggests focused victim selection rather than broad spray-and-pray delivery
  • New backdoor tooling increases detection and response complexity
LLM analysis
Topic mix: low · Promo risk: low · Source quality: high
Recurring claims
  • Attackers hijacked Notepad++’s update mechanism via an infrastructure/hosting compromise, not a source-code flaw in the editor.
  • The compromise enabled redirecting update traffic for select users and delivering malware/backdoor payloads.
  • Rapid7 attributes the activity with medium confidence to the China-linked Lotus Blossom group and names the backdoor “Chrysalis.”
How sources frame it
  • Rapid7: neutral
  • The Record: neutral
  • The Hacker News: neutral
Consolidated multiple reports and Rapid7 technical write-up into a single supply-chain narrative; attribution kept at stated confidence.
All evidence
Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group
thehackernews · thehackernews.com · 2026-02-03 04:55 UTC
Notepad++ hijacking blamed on Chinese Lotus Blossom crew behind Chrysalis backdoor
theregister_security · go.theregister.com · 2026-02-02 23:23 UTC
The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit
Rapid7 Blog · rapid7.com · 2026-02-02 15:49 UTC
Notepad++ hijacked by suspected state-sponsored hackers
The Record (Recorded Future News) · therecord.media · 2026-02-02 14:00 UTC
Notepad++ Supply Chain Hack Conducted by China via Hosting Provider
SecurityWeek · securityweek.com · 2026-02-02 09:18 UTC
Top publishers (this list)
  • thehackernews (1)
  • theregister_security (1)
  • Rapid7 Blog (1)
  • The Record (Recorded Future News) (1)
  • SecurityWeek (1)
Top origin domains (this list)
  • thehackernews.com (1)
  • go.theregister.com (1)
  • rapid7.com (1)
  • therecord.media (1)
  • securityweek.com (1)