Find notable cyber news and cases, enriched with sources, timelines, and signals.

Zc.buildout bootstrap.py domain-takeover risk security flaw

Vulnerability
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

Legacy zc.buildout bootstrap.py files in multiple PyPI packages still reach python-distribute[.]org, creating a supply-chain compromise risk if the domain is taken over. The script can fetch and execute distribute_setup.py, so a developer who runs it could pull attacker-controlled code into the build path. Affected packages named in the disclosure include tornado, pypiserver, slapos.core, roman, xlutils, and testfixtures.

Related Happenings

Operation Navy Ghost PyPI supply-chain campaign

Campaign
H score26 First: 01.07.2026 00:02 Last: 01.07.2026 00:02 Sources 1

About this happening: The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
H score56 First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...

Mini Shai-Hulud SAP-related npm supply-chain campaign

Campaign
H score45 First: 29.04.2026 19:26 Last: 29.04.2026 19:26 Sources 1

About this happening: A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...

Latest development: 12.05.2026 11:50

Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.

Famous Chollima PromptMink supply-chain campaign targeting Web3 developers

Campaign
H score44 First: 29.04.2026 17:43 Last: 29.04.2026 17:43 Sources 1

About this happening: The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....

Shifty Corsair evolves open-source supply-chain tradecraft with fake firms, layered packages, and AI-assisted deception

Threat Actor Meta
H score42 First: 29.04.2026 17:43 Last: 29.04.2026 17:43 Sources 1

About this happening: **Shifty Corsair** has expanded its operating model into a more convincing developer-lure ecosystem, increasing the risk of open-source supply-chain compromise against **Web3** ta...

Timeline

  1. 28.11.2025 18:27 2 articles · 7mo ago

    ReversingLabs identifies legacy zc.buildout bootstrap risk

    Initial Disclosure

    ReversingLabs identified legacy zc.buildout bootstrap.py files in PyPI packages that still reference python-distribute[.]org and can download and execute distribute_setup.py, leaving a hard-coded external dependency that could be abused through a domain takeover. The named packages include tornado, pypiserver, slapos.core, roman, xlutils, and testfixtures, and slapos.core and Tornado development or maintenance versions still ship the vulnerable code.

    Show sources