
ZiChatBot PyPI supply-chain malware delivery

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique source, 1 article

Summary


A PyPI supply-chain attack used three packages to quietly deliver ZiChatBot, creating a cross-platform malware risk for Windows and Linux installs. The packages were uploaded between July 16 and 22, 2025 and later removed from the repository. On Windows, the loader writes terminate.dll and adds a Registry auto-run entry; on Linux, it drops terminate.so and sets crontab persistence. The malware uses Zulip REST APIs for C2, reducing reliance on a traditional command-and-control server.

Related Happenings

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Telnyx package WAV-hidden credential-stealing malware

Malware Activity
First: 27.03.2026 23:13 Last: 27.03.2026 23:13 Sources 1

About this happening: The malicious **Telnyx** package releases **4.87.1** and **4.87.2** delivered **credential-stealing malware** to imported systems, putting **Linux, macOS, and Windows** environmen...

Telnyx Python package hit by data theft breach

Incident
First: 27.03.2026 18:53 Last: 27.03.2026 18:53 Sources 1

About this happening: The **telnyx** Python package was **compromised on PyPI** with **4.87.1** and **4.87.2**, exposing downstream importers to **credential theft** and **data exfiltration**. The mali...

Telnyx malicious payload stealer delivered via WAV files

Malware Activity
First: 27.03.2026 18:53 Last: 27.03.2026 18:53 Sources 1

About this happening: **TeamPCP** pushed a **malicious telnyx package payload** that turns package import into **credential harvesting** and **encrypted exfiltration** across **Windows, Linux, and macO...

Lazarus Group graphalgo recruitment-themed package campaign

Campaign
First: 12.02.2026 18:55 Last: 12.02.2026 18:55 Sources 1

About this happening: The **North Korea-linked Lazarus Group** is running **graphalgo**, an active fake recruitment-themed package campaign that is targeting **developers** through **npm** and **PyPI**...

Timeline

  1. 07.05.2026 12:20 2 articles · 20d ago

    Researchers disclose PyPI packages delivering ZiChatBot

    Initial Disclosure

    Cybersecurity researchers identify three PyPI packages, uuid32-utils, colorinal, and termncolor, that covertly deliver the ZiChatBot malware family on Windows and Linux. The malicious loaders drop terminate.dll or terminate.so, establish Windows Registry auto-run or crontab persistence, and use Zulip REST APIs as C2 instead of a dedicated command-and-control server; Kaspersky also says the dropper is 64% similar to tooling associated with OceanLotus (APT32).
