PyPI: three packages delivered ZiChatBot malware via Zulip API on Windows and Linux

Colleagues, a cybersecurity alert: three PyPI packages were found secretly delivering the ZiChatBot malware via the Zulip REST API.
• Found: uuid32-utils, colorinal, termncolor (removed from PyPI).
• Behavior: Windows — drops terminate.dll and registers persistence in the registry; Linux — drops terminate.so to /tmp/obsHub/obs-check-update and adds a cron job.
• C2 and artifacts: controlled via the public Zulip API; executes shellcode and replies with a “heart”. Kaspersky notes ~64% similarity to the OceanLotus dropper.
Why it matters: supply-chain attacks on PyPI can hit any project that installs a compromised dependency; verify dependencies and monitor autostart/cron entries.
How do you validate package supply chains in your projects?
#cybersecurity #supplychain #PyPI #Python
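A small defensive check for the indicators named in this post, as an added example (not from the original post or from Kaspersky): it flags the three package names in a requirements or pip-freeze listing using PEP 503 name normalisation, and looks for crontab entries referencing the Linux drop path. The sample inputs below are constructed.

```python
"""Detection helper for the indicators in the alert above (added example)."""
import re
from pathlib import Path

# Package names from the alert; PyPI treats names case-insensitively and '-' == '_' == '.'
MALICIOUS_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}
# Linux drop location named in the alert
LINUX_DROP_PATH = "/tmp/obsHub/obs-check-update"


def normalize(name: str) -> str:
    """Apply PEP 503 normalisation so 'UUID32_Utils' matches 'uuid32-utils'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_flagged_requirements(requirements_text: str) -> list[str]:
    """Return requirement lines whose package name is one of the flagged ones.

    Handles 'pkg==1.0', 'pkg>=1', 'pkg[extra]', trailing comments, blank lines,
    and skips pip options such as '-r other.txt' or '-e .'.
    """
    flagged = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m and normalize(m.group(1)) in MALICIOUS_PACKAGES:
            flagged.append(raw.strip())
    return flagged


def find_flagged_cron_lines(crontab_text: str) -> list[str]:
    """Return crontab lines (e.g. from 'crontab -l') that reference the drop path."""
    return [ln.strip() for ln in crontab_text.splitlines() if LINUX_DROP_PATH in ln]


def linux_artifact_present(drop_path: str = LINUX_DROP_PATH) -> bool:
    """True if the Linux drop file exists on this host."""
    return Path(drop_path).exists()


if __name__ == "__main__":
    # Constructed sample inputs, not real project files
    sample_reqs = "requests==2.31\nColorinal>=1.0  # colours\nuuid32_utils[fast]==0.2\n-r other.txt\n"
    sample_cron = "*/5 * * * * /tmp/obsHub/obs-check-update\n0 1 * * * /usr/bin/backup\n"
    print("flagged requirements:", find_flagged_requirements(sample_reqs))
    print("flagged cron lines:", find_flagged_cron_lines(sample_cron))
    print("drop file present:", linux_artifact_present())
```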

