GlobalNews.one

Notepad++ Supply Chain Attack: Security Tool Released to Detect Lotus Blossom's Chrysalis Backdoor

February 17, 2026

A new PowerShell script has emerged, offering a quick way to check Windows machines for signs of compromise stemming from the Notepad++ supply chain attack that occurred between June and December 2025. This attack, attributed to the Lotus Blossom APT (Advanced Persistent Threat), involved hijacking the Notepad++ update mechanism to distribute the Chrysalis backdoor to unsuspecting users.

The script, designed for read-only operation so that it makes no changes to the system it inspects, scans for specific indicators of compromise (IoCs) associated with the Chrysalis backdoor. A clean scan, indicated by an exit code of 0, signifies that none of the known static indicators were found. Conversely, an exit code of 1 or higher indicates the presence of one or more alerts, suggesting a potential compromise.

It is crucial to understand the limitations of this script. As explicitly stated by its developers, it is intended as a rapid triage tool and only checks for known, published IoCs. It does not perform memory scans, detect behavioral patterns, or serve as a replacement for comprehensive Endpoint Detection and Response (EDR) or antivirus (AV) solutions. Therefore, a clean result from the script does not guarantee the complete absence of compromise.

This type of supply chain attack highlights the increasing sophistication and potential impact of modern cyber threats. By compromising widely used software like Notepad++, attackers can gain access to a vast number of systems and organizations. The Lotus Blossom APT's targeting of the Notepad++ update infrastructure demonstrates the importance of robust security measures across the entire software supply chain, from development to distribution.

The Notepad++ vulnerability was addressed in version 8.8.9, released in December 2025. Users who have not updated to this version or later are strongly advised to do so immediately. For organizations with heightened security concerns or reason to believe they were specifically targeted, a more thorough investigation using a full-fledged endpoint security tool and consultation with an incident response team is highly recommended. The IoCs used in the script are sourced from Rapid7 Labs, a well-respected security research organization.
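To illustrate the read-only triage approach and the exit-code convention described above (0 = no known indicators, 1 or higher = number of alerts), here is an added example skeleton; it is not the script the article describes. It assumes Notepad++ is installed under Program Files, takes 8.8.9 as the fixed release from the article, and leaves the IoC lists as empty placeholders to be filled from a published source such as Rapid7 Labs.

```powershell
# Added example, not the article's script. Read-only: it only reads file
# metadata and hashes, and never modifies, deletes or quarantines anything.
$FixedVersion = [version]'8.8.9'          # first fixed release per the article
$Alerts = New-Object System.Collections.Generic.List[string]

# Placeholder IoC lists (assumption: populate from a published advisory).
# Empty here, so only the version check can raise an alert until filled in.
$SuspiciousPaths  = @()   # full paths of files named in the advisory
$SuspiciousHashes = @()   # SHA256 values from the advisory, upper-case hex

# 1. Version check: a build older than the fixed release is itself an alert.
#    Assumption: default 64-bit or 32-bit install locations.
$exePaths = @("$env:ProgramFiles\Notepad++\notepad++.exe",
              "${env:ProgramFiles(x86)}\Notepad++\notepad++.exe")
foreach ($exe in $exePaths) {
    if (Test-Path -LiteralPath $exe) {
        $vi  = (Get-Item -LiteralPath $exe).VersionInfo
        # Build the version from numeric parts so string suffixes cannot break parsing.
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
        if ($ver -lt $FixedVersion) {
            $Alerts.Add("Notepad++ $ver at $exe predates fixed version $FixedVersion")
        }
    }
}

# 2. Static file indicators: a known dropped path, or a known file hash
#    anywhere under the Notepad++ install directory.
foreach ($p in $SuspiciousPaths) {
    if (Test-Path -LiteralPath $p) { $Alerts.Add("Known IoC path present: $p") }
}
if ($SuspiciousHashes.Count -gt 0) {
    Get-ChildItem -LiteralPath "$env:ProgramFiles\Notepad++" -File -Recurse `
        -ErrorAction SilentlyContinue | ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        if ($SuspiciousHashes -contains $h) {
            $Alerts.Add("Known IoC hash $h at $($_.FullName)")
        }
    }
}

# 3. Report using the same exit-code convention: 0 clean, otherwise alert count.
if ($Alerts.Count -eq 0) {
    Write-Output 'No known static indicators found.'
    exit 0
}
$Alerts | ForEach-Object { Write-Output "ALERT: $_" }
exit $Alerts.Count
```

As with the tool in the article, an exit code of 0 here only means the listed static indicators were absent; it says nothing about memory-resident or behavioural evidence.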

The release of this script provides a valuable tool for security professionals to quickly assess their environments for potential compromise related to the Notepad++ attack. However, it is essential to remember that it is only one piece of a comprehensive security strategy and should be used in conjunction with other security measures and expert guidance.

Marco Rodriguez

Startup Scout