From domaintools.com
In late 2025 and early 2026, a series of independent disclosures by software maintainers, security researchers, and national cyber authorities converged on an unsettling conclusion: for months, the update mechanism of one of the world’s most widely used open-source text editors had been quietly subverted. What initially appeared to be an isolated infrastructure anomaly was ultimately revealed to be a sustained compromise of the Notepad++ update pipeline, stretching back roughly six months. As investigators reconstructed the timeline, tracking unauthorized access to hosting infrastructure, lingering credentials that outlived initial remediation, and selectively altered update responses, a far more deliberate operation came into focus. This report is the product of analysis and parallel reconstruction of all public reporting on Lotus Blossom with additional research by DTI, drawing together technical forensics, victimology, and strategic context to assess both the campaign and the actor behind it.