Notepad++ Supply Chain Attack: A Deep Dive

here’s a breakdown of the recent supply chain attack targeting Notepad++ users, based on the provided text:

Timeline & Initial Compromise:

* Compromise: The Notepad++ website was compromised sometime before November 26, 2024.
* Redirection: Attackers used the compromised website to redirect users to malicious download links for a trojanized version of Notepad++. This continued until December 2, 2025, when access was revoked.
* Post-Incident: Notepad++ moved to a new hosting provider and rotated all credentials to improve security.

Malware breakdown:

The attack chain involved several components:

1. Initial Download: Users unknowingly downloaded “update.exe” from 95.179.213.0 after running Notepad++.
2. NSIS Installer: “update.exe” is a Nullsoft Scriptable Install System (NSIS) installer.
3. Key Components within the Installer:

* NSIS Installation Script: Standard component of NSIS installers.
* BluetoothService.exe: A renamed Bitdefender Submission Wizard used for DLL side-loading. This is a tactic commonly employed by Chinese hacking groups.
* BluetoothService: Encrypted shellcode, known as “Chrysalis.”
* log.dll: A malicious DLL loaded via side-loading to decrypt and execute the “Chrysalis” shellcode.

4. Chrysalis: A elegant, custom-built implant:

* Functionality: Gathers system facts and connects to a Command-and-Control (C2) server (“api.skycloudcenter[.]com”) for further instructions.
* Capabilities: The C2 server (currently offline) could perform actions like spawning shells, creating processes, file manipulation, uploading/downloading files, and self-uninstalling.

5. Additional Components:

* conf.c: Designed to load a Cobalt Strike beacon, utilizing Metasploit block API shellcode.
* ConsoleApplication2.exe: leverages Microsoft Warbird (an undocumented, internal code protection framework) to execute shellcode. This is based on a proof-of-concept published by Cirosec.

Attribution and Tactics:

* Attribution: Rapid7 attributes the attack to Lotus Blossom (also known as Billbug,Bronze Elgin,Lotus Panda,Raspberry Typhoon,Spring Dragon,and Thrip) based on similarities to previous campaigns. Symantec documented a similar attack by this group in April 2025 involving sideloading malicious DLLs using legitimate software (Trend Micro and Bitdefender).
* Tactics: The attacker demonstrates:
* Use of proven techniques like DLL side-loading and service persistence.
* Development of multi-layered shellcode loaders.
* Integration of undocumented system calls (NtQuerySystemInformation).
* A mix of custom malware (Chrysalis) and off-the-shelf frameworks (Metasploit, Cobalt Strike).
* Rapid adaptation of publicly available research (Warbird exploitation).

Targets & Infection Chains (Kaspersky Analysis):

* targets: Kaspersky identified targets in Vietnam, El Salvador, Australia, the Philippines (government organization), and Vietnam (IT service provider).
* Infection Chains: Attackers rotated C2 servers, downloaders, and payloads over a four-month period (July-October 2025) to evade detection.

Key Takeaways:

* This was a sophisticated supply chain attack leveraging a trusted software vendor (Notepad++).
* The attackers employed a complex malware ecosystem with multiple layers of obfuscation and evasion techniques.
* The use of publicly available research (Warbird PoC) demonstrates a willingness to rapidly adapt tactics.
* Attribution points towards the Lotus Blossom threat actor, known for targeted attacks and sophisticated techniques.

How was teh Notepad++ installation compromised by the Lotus Blossom attack?

Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group

The popular source code editor, Notepad++, recently experienced a meaningful security breach impacting its hosting infrastructure. Investigations strongly suggest the attack was carried out by the china-linked threat actor known as Lotus Blossom (also referred to as APT41, Wicked Panda, and Double Dragon). this incident highlights the growing sophistication of supply chain attacks and the importance of robust cybersecurity measures, even for seemingly innocuous software projects.

Timeline of the Attack & initial Findings

The breach, publicly disclosed in late January 2026, centered around the compromise of Notepad++’s official website and potentially, its build systems. Initial reports indicated unauthorized modifications to the installer files, raising concerns about the distribution of malware to unsuspecting users.

Here’s a breakdown of the key events:

* January 24, 2026: Anomalous activity detected on Notepad++’s web server.

* January 26, 2026: Evidence of malicious code injected into the installer package. The compromised installer was available for a limited time before being identified and removed.

* January 27, 2026: Notepad++ developers confirmed the breach and initiated a full inquiry, collaborating with cybersecurity experts.

* February 2, 2026: Attribution to the Lotus Blossom hacking group was widely reported, based on forensic analysis of the malware and attack infrastructure.

Lotus Blossom: A Profile of the Threat Actor

Lotus Blossom is a prolific and versatile threat actor with a history of targeting a wide range of industries, including gaming, software development, travel, and telecommunications. They are known for a blend of state-sponsored espionage and financially motivated cybercrime.

Key characteristics of Lotus Blossom’s tactics, techniques, and procedures (TTPs) include:

* Supply Chain Attacks: targeting software vendors to distribute malware to a large user base. This Notepad++ incident is a prime example.

* Living off the Land: Utilizing legitimate system tools and processes to evade detection.

* Custom Malware: Developing and deploying unique malware families tailored to specific targets.

* Elegant Social Engineering: employing convincing phishing campaigns to gain initial access.

* Long-Term persistence: Maintaining access to compromised systems for extended periods.

technical Details of the Compromise

The malicious installer contained a backdoor that allowed attackers to gain remote access to infected systems. While the exact payload varied, analysis revealed capabilities for:

* Data Exfiltration: Stealing sensitive information, including credentials, source code, and intellectual property.

* Remote Code Execution: Executing arbitrary commands on compromised machines.

* Lateral Movement: Spreading to other systems within the network.

* Establishing Persistence: Ensuring continued access even after system restarts.

The attackers reportedly exploited a vulnerability in the web server software,gaining access to the build surroundings and modifying the installer files. The specific vulnerability remains undisclosed to prevent further exploitation.

Impact Assessment & Mitigation Strategies

The potential impact of this breach is significant. Notepad++ is widely used by developers, system administrators, and IT professionals worldwide. A compromised installation could lead to:

* Intellectual Property Theft: Loss of valuable source code and proprietary information.

* System Compromise: Full control of infected systems by attackers.

* Data Breaches: Exposure of sensitive data,including customer information and financial records.

* Reputational Damage: Loss of trust in Notepad++ and its developers.

Mitigation steps for users:

1. Download from official Sources: Always download Notepad++ directly from the official website (https://notepad-plus-plus.org/).
2. Verify File Integrity: Check the SHA-256 hash of the downloaded installer against the official hash published on the Notepad++ website. This ensures the file hasn’t been tampered with.
3. Run Antivirus Scans: Scan the downloaded installer with a reputable antivirus program before installation.
4. Keep Software Updated: Regularly update Notepad++ to the latest version to patch security vulnerabilities.
5. Implement Network Segmentation: Isolate critical systems from the internet and other networks to limit the impact of a potential breach.
6. Monitor System Activity: Implement robust monitoring and logging to detect suspicious activity.

The Broader Implications for Open-source Software

This incident serves as a stark reminder of the vulnerabilities inherent in the software supply chain. Open-source projects, while frequently enough benefiting from community contributions, can be attractive targets for attackers due to limited resources and potentially weaker security practices.

The rise of supply chain attacks necessitates a shift towards more secure software development practices, including:

* Secure Coding Standards: Implementing rigorous coding standards to minimize vulnerabilities.

* Regular Security Audits: Conducting regular security audits and penetration testing.

* Dependency Management: Carefully managing third-

What information is available about the examination into the crash of the Europa XS aircraft G‑CFLY near Littleborough?

Light Aircraft Crash in Littleborough Leaves Two Missing

Littleborough, UK – February 3, 2026 – A light aircraft crashed in a wooded area near Littleborough, Greater Manchester, earlier today, prompting a large-scale search and rescue operation. Authorities have confirmed two individuals are currently missing and presumed to be the occupants of the aircraft.

Incident Details & Initial Reports

The aircraft, a single-engine europa XS kit plane registered as G-CFLY, was reported missing at approximately 10:15 GMT after losing contact with air traffic control. Witnesses reported hearing a loud bang and seeing smoke rising from the wooded area near Blackstone Edge. Emergency services, including Greater Manchester Police, the North West Ambulance Service, and the Mountain Rescue teams, were instantly dispatched to the scene.

The plane had departed from Barton Aerodrome near Manchester, with a planned destination of Caernarfon airport in wales. The purpose of the flight is currently under investigation.

Search and Rescue Operations

The search area is challenging,consisting of dense woodland and difficult terrain. Mountain Rescue teams are utilizing specialist equipment, including drones with thermal imaging capabilities, to locate the missing individuals.

* Ground Search: Teams are systematically searching the crash site and surrounding areas, focusing on debris fields and potential impact zones.

* Aerial Support: Helicopters are providing aerial reconnaissance, assisting in mapping the search area and identifying potential clues.

* Specialist Teams: Dog units trained in locating human remains are also involved in the operation.

The Civil Aviation Authority (CAA) has been notified and is assisting with the investigation.A no-fly zone has been established over the crash site to allow emergency services to operate safely.

Aircraft Information: Europa XS Kit Planes

The Europa XS is a popular choice for homebuilders, known for it’s relatively simple construction and good performance. However, like all kit-built aircraft, it requires meticulous assembly and ongoing maintenance.

* Construction: These aircraft are typically built from kits, meaning the owner is responsible for a significant portion of the assembly process.

* Maintenance: Regular inspections and adherence to maintenance schedules are crucial for ensuring flight safety.

* Pilot Requirements: Pilots of Europa XS aircraft require appropriate licenses and ratings for single-engine aircraft.

Previous Incidents & Safety Concerns

While the Europa XS has a generally good safety record, there have been previous incidents involving this type of aircraft. A review of aviation safety databases reveals several minor incidents related to engine failures and control issues. The CAA regularly issues Airworthiness Directives (ADs) to address potential safety concerns with specific aircraft types, including the Europa XS. It is currently unkown if any outstanding ADs were applicable to G-CFLY.

Local Impact & Community Response

The incident has understandably caused concern within the Littleborough community. Blackstone Edge is a popular walking and recreation area, and the crash site is close to several public footpaths. Authorities have urged members of the public to avoid the area while search operations are ongoing.

local residents have expressed their sympathy for the missing individuals and their families. Several community groups have offered assistance to emergency services, providing food and support.

Ongoing Investigation

The Air Accidents Investigation Branch (AAIB) has launched a full investigation into the cause of the crash. Investigators will examine the wreckage,analyze flight data (if available),and interview witnesses to determine the sequence of events leading to the incident.

Key areas of investigation will include:

1. Mechanical Failure: A thorough inspection of the aircraft’s engine, flight controls, and other critical systems.
2. Pilot Error: Review of the pilot’s experience, training, and any potential contributing factors.
3. Whether Conditions: Analysis of weather reports and conditions at the time of the flight.
4. Air Traffic Control Communications: Examination of dialog logs between the pilot and air traffic control.

Updates will be provided as the search and investigation progress. Anyone with information that may assist the investigation is urged to contact Greater Manchester Police.