# Three Malicious PyPI Packages Deliver ZiChatBot Malware to Windows and Linux Systems


Cybersecurity researchers at Kaspersky have uncovered a sophisticated supply chain attack targeting developers through the Python Package Index (PyPI). Three seemingly legitimate packages are actively distributing ZiChatBot, a previously unknown malware family designed to compromise both Windows and Linux systems. The packages use legitimate features as cover while secretly deploying malicious payloads through compromised Zulip API integration.


## The Threat


ZiChatBot represents a new entry in the growing ecosystem of development-focused malware families. Unlike generic information stealers, this malware specifically targets developer environments and leverages collaboration tools—in this case, Zulip, an open-source team chat platform—to establish command and control (C2) channels.


The malware's capabilities include:


  • Multi-platform support – functional payloads for both Windows and Linux systems
  • Zulip API abuse – using legitimate chat APIs to receive commands and exfiltrate data
  • Covert delivery – bundled within packages that function normally to avoid immediate detection
  • Persistence mechanisms – designed to maintain access across system reboots

    • What makes ZiChatBot particularly dangerous is its use of legitimate collaboration infrastructure. By leveraging Zulip's public API, attackers avoid the need for traditional command-and-control servers that are easier to detect and shut down.


    ## Technical Details: How the Attack Works


    ### Package Masquerading


    The three malicious packages on PyPI were disguised as legitimate utilities, implementing actual features to avoid raising suspicion during code review or basic testing. This dual-purpose design is a hallmark of sophisticated supply chain attacks—the packages work as advertised while simultaneously executing malicious code.


    Attack Flow:


    | Stage | Action |

    |-------|--------|

    | 1. Installation | Developer installs package via pip install |

    | 2. Execution | Legitimate package features initialize normally |

    | 3. Payload Delivery | Malware binary is extracted and executed in background |

    | 4. C2 Registration | Malware contacts Zulip instance to register and receive commands |

    | 5. Persistence | Malware establishes persistence mechanisms |

    | 6. Exfiltration | Stolen data (credentials, source code, keys) sent to attacker |


    ### Zulip API Exploitation


    Rather than connecting to traditional C2 infrastructure, ZiChatBot uses the Zulip REST API to communicate with attackers. This approach provides several advantages:


  • Legitimacy – API calls blend in with normal Zulip traffic
  • Resilience – if one Zulip instance is shut down, attackers can easily switch to another
  • Obfuscation – API calls are encrypted over HTTPS and difficult to distinguish from legitimate use
  • Scalability – attackers can manage multiple infected systems through a single Zulip workspace

    • ## Background and Context


    ### Why PyPI Remains a Lucrative Target


    The Python Package Index hosts over 500,000 packages and serves millions of developers daily. While PyPI has implemented security measures (two-factor authentication, package signing), the platform's open nature and minimal code review barriers make it an attractive vector for attackers.


    Recent incidents demonstrate this trend:


  • 2023: XZ Utils backdoor nearly compromised Linux systems through a popular compression library
  • 2024-2025: Multiple campaigns using typosquatting and package name confusion to deliver info-stealers
  • Ongoing: Cryptocurrency miners, data-harvesting tools, and botnet payloads regularly discovered in PyPI packages

    • ### The Rise of Development-Targeted Malware


    Unlike traditional malware targeting end-users, development-focused attacks offer attackers:


    1. Elevated system access – developers often run tools with high privileges

    2. Access to valuable data – source code, API keys, credentials stored in development environments

    3. Supply chain leverage – compromising a developer's machine can provide entry to organization networks

    4. Limited security scrutiny – development environments typically have fewer security controls than production systems


    ## Implications for Organizations


    ### Immediate Risks


    Organizations using affected packages face several threats:


  • Credential theft – SSH keys, API tokens, and cloud credentials stored in development environments
  • Source code exposure – proprietary code and intellectual property exfiltrated
  • Lateral movement – attackers using developer access to penetrate organizational networks
  • Build pipeline compromise – malware potentially injected into compiled binaries and released to customers

    • ### Supply Chain Contamination


    If an affected developer's machine has access to CI/CD systems or code repositories, attackers could inject malicious code upstream. This means the threat extends beyond the initial victim to downstream users of software built on infected systems.


    ### Detection Challenges


    ZiChatBot's use of Zulip APIs makes traditional network monitoring less effective. Organizations may observe HTTPS traffic to legitimate Zulip domains and incorrectly assume the activity is benign.


    ## Recommendations


    ### For Developers and Individual Systems


  • Audit installed packages – review your Python environment for the affected packages (Kaspersky has published specific names)
  • Regenerate credentials – assume any API keys, SSH keys, or passwords stored on affected systems have been compromised; rotate them immediately
  • Check source code repositories – monitor Git history for unexpected commits or changes from your development accounts
  • Update PyPI security settings – enable two-factor authentication and review authorized applications

    • ### For Organizations


    1. Inventory Python dependencies – identify all packages your organization depends on, either directly or transitively

    2. Implement software composition analysis (SCA) – deploy tools that automatically scan dependencies for known vulnerabilities and suspicious packages

    3. Enforce package signing – require cryptographic verification of package integrity before installation

    4. Monitor Zulip traffic – if your organization uses Zulip, monitor API calls for unusual patterns or unauthorized access

    5. Conduct forensic analysis – if ZiChatBot was installed on any systems, perform comprehensive forensic investigation to identify compromised credentials and data exfiltration

    6. Review code repositories – audit Git logs for unexpected changes or commits from potentially compromised developer accounts

    7. Implement zero-trust in development – treat development networks with the same security rigor as production; don't assume internal systems are automatically trustworthy


    ### For PyPI and Package Maintainers


  • Strengthen package review processes – implement automated static analysis to detect suspicious code patterns
  • Require verified publisher identity – demand proof of identity for high-risk packages
  • Implement package signing standards – move toward mandatory cryptographic signatures
  • Improve malware detection – partner with security vendors to scan packages at upload time

    • ## Looking Forward


    The ZiChatBot campaign underscores a critical vulnerability in the open-source ecosystem: convenience and trust are often inversely proportional to security. Developers rely on package managers for rapid deployment, but this speed creates opportunities for attackers to slip malicious code into the supply chain.


    While the specific campaign has been identified and takedown actions initiated, the underlying vulnerabilities remain. The integration of development tools into attacker infrastructure—using legitimate APIs and collaboration platforms—represents an evolution in supply chain attacks that organizations will need to adapt to prevent.


    The key takeaway: verify the packages you install, monitor the environment where development occurs with the same rigor applied to production systems, and maintain cryptographic audit trails of all code changes and deployments.