
OceanLotus APT Group Suspected in Sophisticated PyPI Supply Chain Attack Delivering Novel ZiChatBot Malware

Last updated: 2026-05-13 00:56:59 · Cybersecurity

Breaking News: The OceanLotus advanced persistent threat (APT) group is suspected of orchestrating a covert supply chain attack on the Python Package Index (PyPI), using malicious wheel packages to deliver a previously unknown malware strain dubbed ZiChatBot, cybersecurity researchers warned Thursday.

The attack, active since July 2025, involved three fake libraries whose names imitate legitimate tools—uuid32-utils, colorinal, and termncolor—to trick developers into downloading trojanized code, according to an analysis by Kaspersky.

“This campaign is a carefully planned and executed PyPI supply chain attack, leveraging legitimate-looking packages to distribute novel malware that uses a public chat app for command and control,” said a Kaspersky threat researcher, speaking on condition of anonymity due to the ongoing investigation.

Background

PyPI is the official third-party software repository for the Python programming language, used by millions of developers worldwide. Supply chain attacks on such platforms have surged in recent years, as they allow attackers to compromise downstream users via a single malicious upload.

(Image: securelist.com)

OceanLotus (also tracked as APT32 or SeaLotus) is a Vietnamese state-sponsored threat group known for targeting media, manufacturing, and government entities. The group has previously used sophisticated malware and social engineering campaigns.

The newly discovered ZiChatBot malware stands out because it avoids traditional command-and-control servers. Instead, it abuses the REST APIs of Zulip, an open-source team chat application, to receive instructions and exfiltrate data.

Technical Details

The attackers uploaded three malicious wheel packages starting July 16, 2025. The first, uuid32-utils, purported to generate random UUIDs. The other two—colorinal and termncolor—claimed to provide cross-platform color terminal output.

All packages contained hidden dropper functionality. When installed, they delivered either a DLL (on Windows) or a shared object (.so, on Linux) payload that ultimately executed ZiChatBot. The malware targets both operating systems.


“These packages implement the features described on their PyPI pages, but their true purpose is to covertly deliver malicious files,” the researcher explained. “It's a classic Trojan horse tactic, but executed with high precision.”

To further obfuscate the attack, the adversary created a benign-looking package that included the malicious library as a dependency, increasing the chances of accidental installation by unsuspecting developers.
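The two observations above (a pure-Python-looking package that ships native DLL/.so payloads, and a utility library that loads them at import time) translate directly into a static triage check that can be run on a wheel before it is installed. The following script is an added example, not Kaspersky's tooling or code from the malicious packages: it inspects a wheel archive in memory, flags native binaries inside a wheel whose filename tag claims it is pure Python (py3-none-any), and lists imports such as ctypes or platform that a small colour or UUID helper has no obvious reason to need. The two sample wheels, the package name demo_color and the placeholder binary contents are all constructed here for the demonstration.

```python
"""Static triage of a wheel for hidden native droppers (added example, not the
page's own code). A wheel tagged py3-none-any should not bundle .dll/.so files,
and a tiny utility library should not pull in ctypes/subprocess at import time."""
import ast
import io
import zipfile
from pathlib import PurePosixPath

NATIVE_SUFFIXES = {".dll", ".so", ".pyd", ".dylib", ".exe"}
# Modules a small pure-Python helper library rarely needs at import time (assumption for this demo).
SUSPICIOUS_MODULES = {"ctypes", "subprocess", "socket", "urllib.request",
                      "base64", "tempfile", "platform"}


def wheel_claims_pure_python(filename):
    """Wheel filenames end in {python}-{abi}-{platform}; 'none-any' means pure Python."""
    tags = PurePosixPath(filename).stem.split("-")
    return tags[-2:] == ["none", "any"]


def imported_modules(source):
    """Return every module name imported anywhere in a Python source file."""
    mods = set()
    try:
        tree = ast.parse(source)
    except SyntaxError:            # not parseable as Python 3; nothing to report
        return mods
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module)
    return mods


def triage_wheel(filename, data):
    """Return a list of human-readable findings for one wheel (empty list = nothing odd)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        native = [n for n in names if PurePosixPath(n).suffix.lower() in NATIVE_SUFFIXES]
        if native and wheel_claims_pure_python(filename):
            findings.append(f"pure-Python tag but bundles native binaries: {native}")
        for name in names:
            if name.endswith(".py"):
                mods = imported_modules(zf.read(name).decode("utf-8", "replace"))
                hits = sorted(m for m in mods
                              if m in SUSPICIOUS_MODULES or m.split(".")[0] in SUSPICIOUS_MODULES)
                if hits:
                    findings.append(f"{name} imports {hits}")
    return findings


def build_wheel(files):
    """Construct a wheel archive in memory from {path: content}; used only to make demo input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed samples: a genuine colour helper, and the same helper with a hidden loader.
BENIGN = build_wheel({
    "demo_color/__init__.py": "import sys\nRESET = '\\x1b[0m'\ndef red(s):\n    return '\\x1b[31m' + s + RESET\n",
    "demo_color-1.0.0.dist-info/METADATA": "Name: demo_color\nVersion: 1.0.0\n",
})
TROJANIZED = build_wheel({
    "demo_color/__init__.py": (
        "import sys, platform, ctypes\nimport os\n"
        "RESET = '\\x1b[0m'\ndef red(s):\n    return '\\x1b[31m' + s + RESET\n"
        "_lib = os.path.join(os.path.dirname(__file__),\n"
        "    '_helper.dll' if platform.system() == 'Windows' else '_helper.so')\n"
        "ctypes.CDLL(_lib)  # the advertised feature works, the loader runs anyway\n"
    ),
    "demo_color/_helper.dll": b"MZ\x90\x00 constructed placeholder, not a real binary",
    "demo_color/_helper.so": b"\x7fELF constructed placeholder, not a real binary",
    "demo_color-1.0.0.dist-info/METADATA": "Name: demo_color\nVersion: 1.0.0\n",
})

if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("trojanized", TROJANIZED)):
        print(label, triage_wheel("demo_color-1.0.0-py3-none-any.whl", data))
```

Run it against a downloaded wheel with `pip download --no-deps --only-binary :all: <pkg>` followed by `triage_wheel(path.name, path.read_bytes())`. The checks are deliberately cheap heuristics for triage, not a verdict: legitimate pure-Python packages occasionally vendor a binary, and a hit should lead to reading the flagged module, not to an automatic block.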

What This Means

This attack underscores the growing sophistication of supply chain threats in open-source ecosystems. Developers and enterprises that rely on PyPI packages must verify the integrity and provenance of all dependencies, especially those updated after July 2025.

The use of Zulip APIs as a communication channel makes ZiChatBot difficult to detect using traditional network monitoring, since traffic appears to be legitimate chat application data. Security teams should implement behavior-based detection rules and monitor for unusual API calls to Zulip endpoints.
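One way to act on that recommendation is to look at outbound HTTP(S) proxy logs for Zulip REST API paths and ask three questions: is the destination one of the organisation's sanctioned Zulip servers, does the user-agent look like a browser or official client, and is the source polling on a fixed cadence the way a bot would. The script below is an added example, not detection logic from Kaspersky: the log format, the sanctioned host `chat.example.internal`, the Zulip Cloud-style host `example-team.zulipchat.com`, the user-agent allowlist and the thresholds are all assumptions constructed for the demonstration. The endpoint paths (`/api/v1/register`, `/api/v1/events`, `/api/v1/messages`, `/api/v1/user_uploads`) are real Zulip REST API routes.

```python
"""Flag bot-like use of the Zulip REST API in proxy logs (added example, not the
page's own code). Constructed log format: ts src method url status "user-agent"."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log, not from the Kaspersky report.
LOG_LINES = """\
2025-08-20T09:00:01Z 10.1.20.15 GET https://chat.example.internal/api/v1/events 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-08-20T09:00:05Z 10.1.20.44 POST https://example-team.zulipchat.com/api/v1/register 200 "python-requests/2.31.0"
2025-08-20T09:00:35Z 10.1.20.44 GET https://example-team.zulipchat.com/api/v1/events 200 "python-requests/2.31.0"
2025-08-20T09:01:05Z 10.1.20.44 GET https://example-team.zulipchat.com/api/v1/events 200 "python-requests/2.31.0"
2025-08-20T09:01:35Z 10.1.20.44 POST https://example-team.zulipchat.com/api/v1/messages 200 "python-requests/2.31.0"
2025-08-20T09:02:00Z 10.1.20.15 POST https://chat.example.internal/api/v1/messages 200 "ZulipPython/0.9.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# Zulip REST API routes a bot needs: register a queue, long-poll events, send/read messages, upload files.
ZULIP_API_RE = re.compile(r'^https?://([^/]+)/api/v1/(register|events|messages|user_uploads)\b')

# Assumptions for this demo: the only sanctioned Zulip server, and the user-agent
# prefixes of browsers and official Zulip clients.
SANCTIONED_ZULIP_HOSTS = {"chat.example.internal"}
EXPECTED_UA_PREFIXES = ("Mozilla/", "ZulipPython/", "ZulipMobile/", "ZulipElectron/")
MIN_POLLS = 3             # a source hitting one Zulip server at least this often...
MAX_INTERVAL_JITTER = 5   # ...with gaps varying by at most this many seconds looks like a beacon


def parse(line):
    """Return a dict for a Zulip API request, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, url, status, ua = m.groups()
    api = ZULIP_API_RE.match(url)
    if not api:
        return None
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
            "method": method, "host": api.group(1), "endpoint": api.group(2), "ua": ua}


def detect(log_text):
    """Return (src, host, endpoint, [reasons]) tuples for suspicious Zulip API use."""
    alerts = []
    polls = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        reasons = []
        if ev["host"] not in SANCTIONED_ZULIP_HOSTS:
            reasons.append("Zulip API call to unsanctioned server")
        if not ev["ua"].startswith(EXPECTED_UA_PREFIXES):
            reasons.append("scripting user-agent")
        if reasons:
            alerts.append((ev["src"], ev["host"], ev["endpoint"], reasons))
        polls[(ev["src"], ev["host"])].append(ev["ts"])
    # Beacon check: regular inter-request gaps from one source to one Zulip server.
    for (src, host), times in polls.items():
        if len(times) < MIN_POLLS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= MAX_INTERVAL_JITTER:
            alerts.append((src, host, "*",
                           [f"regular polling every ~{gaps[0]:.0f}s over {len(times)} requests"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

In the sample, host 10.1.20.15 uses the sanctioned server from a browser and from the official Python client and raises nothing, while 10.1.20.44 registers an event queue on an unsanctioned server with a `python-requests` user-agent and then polls every 30 seconds, which trips all three rules. In production the user-agent and host checks are easy for an adversary to defeat, so the cadence check and an inventory of which hosts are supposed to talk to Zulip at all carry most of the weight.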

“Organizations should treat every package as a potential risk,” the researcher added. “Automated scanning alone is not enough; manual code review and dependency pinning are critical to mitigate such threats.”

The malicious packages have been removed from PyPI, but downstream users who installed them earlier may remain compromised. Kaspersky recommends immediate scanning for ZiChatBot indicators of compromise (IoCs) and rotating any credentials exposed to affected systems.
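The dependency-pinning advice above and the call to check for the three package names are straightforward to automate. The following is an added example, not Kaspersky's tooling: it audits a requirements file for exact `==` pins and `--hash` entries (which let `pip install --require-hashes` refuse any artifact whose hash differs), normalises names the way PyPI does so `UUID32_Utils` still matches `uuid32-utils`, and checks the running interpreter's installed distributions for the three package names the article reports. The sample requirements text and its placeholder hash are constructed for the demonstration.

```python
"""Audit requirements for pinning, hashes and the package names from the campaign
(added example, not the page's own code)."""
import re
from importlib import metadata

# The three package names reported in the article.
KNOWN_MALICIOUS = {"uuid32-utils", "colorinal", "termncolor"}

# Constructed sample requirements.txt; the sha256 value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not from any real project
--index-url https://pypi.org/simple
requests>=2.31
termcolor==2.4.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
uuid32_utils
colorinal==1.0.0
"""

# Requirement name, optional extras, optional version specifier.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([=!<>~]=?[^;#\\\s]*)?")


def normalize(name):
    """PEP 503 name normalisation: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text):
    """Return (normalised_name, problem) pairs; an empty list means every line is pinned and hashed."""
    findings = []
    joined = text.replace("\\\n", " ")        # re-attach continuation lines carrying --hash options
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment-only, or an option such as --index-url
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name = normalize(m.group(1))
        spec = m.group(2) or ""
        if name in KNOWN_MALICIOUS:
            findings.append((name, "known malicious package from the ZiChatBot campaign"))
        if not spec.startswith("=="):
            findings.append((name, f"not pinned to an exact version ({spec or 'no specifier'})"))
        if "--hash=" not in line:
            findings.append((name, "no --hash, pip cannot verify the artifact"))
    return findings


def installed_malicious():
    """Names from KNOWN_MALICIOUS present among the current interpreter's installed distributions."""
    installed = set()
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            installed.add(normalize(name))
    return sorted(installed & KNOWN_MALICIOUS)


if __name__ == "__main__":
    for name, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}: {problem}")
    print("installed from campaign:", installed_malicious() or "none")
```

Only `termcolor` passes in the sample: it is pinned and carries a hash, while `requests` floats, `uuid32_utils` is both unpinned and one of the reported names, and `colorinal` is pinned but unhashed. A pin without a hash still trusts whatever the index serves for that version, which is exactly the trust a malicious upload abuses; generating hashes for every requirement and installing with `--require-hashes` closes that gap.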

This is a developing story. More details are expected as attribution analyses continue.