PyPI Supply Chain Attack Delivers Novel ZiChatBot Malware
PyPI Supply Chain Attack Delivers Novel ZiChatBot Malware
A recent cybersecurity investigation uncovered a sophisticated supply chain attack leveraging the Python Package Index (PyPI) to distribute a new malware strain, ZiChatBot, targeting both Windows and Linux environments. The malicious packages, since removed, disguised themselves as legitimate tools while secretly installing the malware.
Published: 2026-05-11 | Author: Patrick Mattos
Security researchers have identified a concerning trend in the open-source ecosystem, with three packages hosted on the Python Package Index (PyPI) found to be distributing a novel malware family dubbed ZiChatBot. This attack highlights the persistent threat of supply chain compromises, where trusted software repositories become vectors for malicious code. The malware, designed to operate stealthily, utilizes public APIs from the team chat application Zulip for its command-and-control (C2) infrastructure, circumventing traditional C2 detection methods.
The discovery, attributed to Kaspersky, details a carefully orchestrated campaign that injected malicious code into seemingly innocuous Python libraries. While the packages presented legitimate functionalities to unsuspecting users, their underlying purpose was to deploy ZiChatBot onto victim systems. The use of Zulip's REST APIs for C2 communication represents a novel evasion technique, making it more challenging for security teams to identify and block malicious network traffic.
The affected packages, though no longer available on PyPI, were uploaded within a narrow timeframe in July 2025. This coordinated effort underscores the planning involved in such attacks. The ZiChatBot malware's cross-platform capability, affecting both Windows and Linux, broadens its potential impact and necessitates a robust, multi-layered defense strategy for organizations relying on open-source components.
Technical Context
The ZiChatBot malware campaign employed a multi-stage approach to infect target systems. On Windows, upon installation of compromised packages like uuid32-utils or colorinal, a DLL dropper named terminate.dll was extracted and written to disk. When the malicious library was imported into a Python project, this DLL would load, acting as the initial dropper for ZiChatBot. The malware then established persistence by creating an auto-run entry in the Windows Registry and subsequently deleted itself from the host to obscure its presence.
For Linux systems, a shared object dropper, terminate.so, was deployed. This dropper would plant the malware in the /tmp/obsHub/obs-check-update directory and configure a crontab entry for persistence. Regardless of the operating system, ZiChatBot was designed to receive and execute shellcode from its C2 server. A unique aspect of its operation is the response mechanism: after executing a command, the malware sends a simple heart emoji ("❤️") back to the C2 server to confirm successful operation. This minimalistic communication pattern could make it harder to detect with standard network monitoring tools.
Impact and Risk
This PyPI supply chain attack poses a significant risk to developers and organizations that integrate third-party Python libraries into their workflows. The stealthy nature of ZiChatBot, coupled with its use of public APIs for C2, makes it particularly insidious. Organizations could unknowingly introduce this malware into their development pipelines, potentially leading to widespread compromise across their infrastructure. The direct impact could range from data exfiltration and system disruption to the use of compromised systems for further malicious activities. The cross-platform nature means both Windows and Linux servers and workstations are at risk.
Defensive Takeaways
Defending against such supply chain attacks requires a multi-faceted approach. Organizations should implement strict vetting processes for all third-party libraries, especially those pulled from public repositories like PyPI. This includes:
- Dependency Scanning: Regularly scan project dependencies for known malicious packages or suspicious code patterns.
- Software Bill of Materials (SBOM): Maintain an accurate SBOM to track all components and their origins.
- Least Privilege: Ensure applications and development environments run with the minimum necessary privileges to limit the impact of any compromise.
- Network Monitoring: Enhance network traffic analysis to detect unusual communication patterns, even those using public APIs, and look for the specific heart emoji response.
- Endpoint Detection and Response (EDR): Deploy robust EDR solutions capable of detecting suspicious file activity, registry modifications, and scheduled task creation.
- Code Review: For critical dependencies, consider performing manual code reviews or utilizing static analysis tools.
Geopolitical Context
While the source material does not provide definitive attribution, it notes that the dropper used in this campaign shares a notable similarity (64%) with a dropper previously associated with the Vietnam-aligned hacking group OceanLotus, also known as APT32. This group has a history of targeting various entities, including the cybersecurity community. In late 2024, APT32 was observed using poisoned Visual Studio Code projects to deliver trojans, leveraging the Notion note-taking service for C2. If this campaign is indeed linked to OceanLotus, it signifies a strategic expansion of their attack vectors, moving beyond traditional phishing to embrace more sophisticated supply chain compromises. This could indicate an effort to broaden their operational reach and impact.