Zc.buildout bootstrap.py domain-takeover risk security flaw
Vulnerability
Summary
Hide ▲
Show ▼
Legacy zc.buildout bootstrap.py files in multiple PyPI packages still reach python-distribute[.]org, creating a supply-chain compromise risk if the domain is taken over. The script can fetch and execute distribute_setup.py, so a developer who runs it could pull attacker-controlled code into the build path. Affected packages named in the disclosure include tornado, pypiserver, slapos.core, roman, xlutils, and testfixtures.
Related Happenings
Operation Navy Ghost PyPI supply-chain campaign
Campaign
H score26
First: 01.07.2026 00:02
Last: 01.07.2026 00:02
Sources 1
About this happening:
The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Operation Navy Ghost PyPI supply-chain campaign
CampaignAbout this happening: The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
H score56
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Mini Shai-Hulud SAP-related npm supply-chain campaign
Campaign
H score45
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...
Mini Shai-Hulud SAP-related npm supply-chain campaign
CampaignAbout this happening: A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...
Latest development: 12.05.2026 11:50
Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.
Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
Campaign
H score44
First: 29.04.2026 17:43
Last: 29.04.2026 17:43
Sources 1
About this happening:
The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....
Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
CampaignAbout this happening: The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....
Shifty Corsair evolves open-source supply-chain tradecraft with fake firms, layered packages, and AI-assisted deception
Threat Actor Meta
H score42
First: 29.04.2026 17:43
Last: 29.04.2026 17:43
Sources 1
About this happening:
**Shifty Corsair** has expanded its operating model into a more convincing developer-lure ecosystem, increasing the risk of open-source supply-chain compromise against **Web3** ta...
Shifty Corsair evolves open-source supply-chain tradecraft with fake firms, layered packages, and AI-assisted deception
Threat Actor MetaAbout this happening: **Shifty Corsair** has expanded its operating model into a more convincing developer-lure ecosystem, increasing the risk of open-source supply-chain compromise against **Web3** ta...
Timeline
-
28.11.2025 18:27 2 articles · 7mo ago
ReversingLabs identifies legacy zc.buildout bootstrap risk
Initial DisclosureReversingLabs identified legacy zc.buildout bootstrap.py files in PyPI packages that still reference python-distribute[.]org and can download and execute distribute_setup.py, leaving a hard-coded external dependency that could be abused through a domain takeover. The named packages include tornado, pypiserver, slapos.core, roman, xlutils, and testfixtures, and slapos.core and Tornado development or maintenance versions still ship the vulnerable code.
Show sources
- Legacy Python Bootstrap Scripts Create Domain-Takeover Risk in Multiple PyPI Packages — thehackernews.com — 28.11.2025 18:27
- Legacy Python Bootstrap Scripts Create Domain-Takeover Risk in Multiple PyPI Packages — thehackernews.com — 28.11.2025 18:27