Signal
Notepad++ update delivery hijacked in targeted supply-chain intrusion
Published 2026-02-02 08:55 UTC
Updated 2026-02-02 15:49 UTC
Tags: supply_chain, software_updates, malware, apt, china_attribution, incident_response
Overview
Notepad++ maintainers and multiple security outlets report a targeted compromise of the project’s update delivery infrastructure, enabling attackers to intercept and redirect update traffic to malicious servers for select users.
Entities
Rapid7, SecurityWeek, Notepad++, Chrysalis, Don Ho
- Score total: 1.58
- Momentum 24h: 5
- Posts: 5
- Origins: 5
- Source types: 1
- Duplicate ratio: 0%
Why now
- Maintainer and outlets disclosed the update-redirect compromise and scope
- Rapid7 published technical analysis of the “Chrysalis” backdoor tied to the incident
- Multiple reports indicate the compromise persisted for months before being shut down
Why it matters
- Update-channel compromise can bypass user trust and deliver malware at scale
- Infrastructure-level attacks can evade code-review and repo integrity controls
- Targeted delivery suggests espionage-style victim selection, not broad spray
LLM analysis
- Topic mix: low
- Promo risk: low
- Source quality: high
Recurring claims
- Notepad++’s update mechanism/infrastructure was hijacked to redirect update traffic and deliver malicious content to select users.
- The compromise was infrastructure-level (hosting/update delivery) rather than a flaw in Notepad++ source code.
- Rapid7 attributes the campaign to the Chinese APT group Lotus Blossom and reports a new custom backdoor dubbed “Chrysalis.”
How sources frame it
- The Record: neutral
- The Hacker News: neutral
- SecurityWeek: supportive
- Rapid7: supportive
Multiple outlets report a targeted supply-chain compromise of Notepad++ update infrastructure, with Rapid7 linking the incident to a China-attributed espionage toolkit and a new backdoor dubbed “Chrysalis.”
All evidence
The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit
Rapid7 Blog · rapid7.com · 2026-02-02 15:49 UTC
Notepad++ hijacked by suspected state-sponsored hackers
The Record (Recorded Future News) · therecord.media · 2026-02-02 14:00 UTC
Notepad++ update service hijacked in targeted state-linked attack
The Register Security · go.theregister.com · 2026-02-02 13:19 UTC
Notepad++ Supply Chain Hack Conducted by China via Hosting Provider
SecurityWeek · securityweek.com · 2026-02-02 09:18 UTC
Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users
The Hacker News · thehackernews.com · 2026-02-02 08:55 UTC
Top publishers (this list)
- Rapid7 Blog (1)
- The Record (Recorded Future News) (1)
- The Register Security (1)
- SecurityWeek (1)
- The Hacker News (1)
Top origin domains (this list)
- rapid7.com (1)
- therecord.media (1)
- go.theregister.com (1)
- securityweek.com (1)
- thehackernews.com (1)