PyPI Packages Deliver ZiChatBot Malware to Windows and Linux
Three malicious packages identified on the Python Package Index (PyPI), py-zcs-cffi, py-zcs-windows-amd64 and py-zcs-linux-x86-64, are actively deploying a new malware family, ZiChatBot, on both Windows and Linux systems. The Hacker News reports that the packages describe ordinary-looking functionality on their PyPI pages while their real purpose is covert delivery of the malicious payload, so the malware arrives on a host disguised as a useful developer tool.
This incident highlights a critical supply chain risk within open-source ecosystems. Attackers are increasingly leveraging popular repositories like PyPI to distribute sophisticated malware, banking on developers’ trust and rapid adoption of new packages. ZiChatBot’s ability to operate across both Windows and Linux makes it a versatile threat, capable of impacting a broad range of development and production environments.
SCW advises immediate scrutiny of all recently installed PyPI packages. Defenders must implement robust software supply chain security practices, including integrity checks (pinned versions with recorded hashes) and sandboxing for new dependencies before they reach developer machines or CI/CD runners. Relying on a package's listed features is not sufficient; assume compromise and verify everything.
What This Means For You
- If your development teams or CI/CD pipelines consume PyPI packages, audit your dependencies for newly introduced or recently updated packages, including look-alike spellings of the three package names listed below. Specifically, look for unusual outbound network connections or child processes originating from Python interpreters on both Windows and Linux hosts. This isn't theoretical; ZiChatBot is actively in the wild, delivered through a trusted developer resource.
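The dependency audit and the hash-based integrity check recommended above can be combined in a single script. The following is an added example written for this page, not code from the original article or from any vendor: it normalizes package names per PEP 503 so that look-alike spellings (`Py_ZCS.CFFI`, `py.zcs.cffi`) still match the three reported IoC names, flags requirement lines that are not version-pinned or carry no `--hash=` option (which `pip install --require-hashes` would refuse), and checks the distributions installed in the current interpreter. The sample manifest is constructed for illustration; the hash in it is a placeholder, not a real digest.

```python
"""Audit a requirements manifest and the local environment for ZiChatBot packages.

Added example, not part of the original article. Package names come from the
IoC table; everything else (sample manifest, hash placeholder) is constructed.
"""
import re
from importlib import metadata

# The three PyPI package names reported as ZiChatBot delivery vehicles,
# stored in PEP 503 normalized form so comparisons are spelling-insensitive.
ZICHATBOT_PACKAGES = {"py-zcs-cffi", "py-zcs-windows-amd64", "py-zcs-linux-x86-64"}

# A requirement line begins with the project name; extras, version specifiers,
# environment markers and --hash options may follow it.
_REQ_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[dict]:
    """Return one record per requirement line: normalized name, raw line, pinned?, hashed?"""
    # Join backslash continuation lines so per-line --hash options stay with their requirement.
    joined = re.sub(r"\\\s*\n", " ", text)
    records = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("-"):     # blank line or pip option such as -r / --index-url
            continue
        match = _REQ_NAME_RE.match(line)
        if not match:
            continue
        records.append({
            "name": normalize(match.group(1)),
            "raw": line,
            "pinned": "==" in line,
            "hashed": "--hash=" in line,
        })
    return records


def audit_manifest(text: str) -> dict:
    """Flag IoC matches and lines that would fail a hash-checked install."""
    findings = {"malicious": [], "unpinned": [], "unhashed": []}
    for rec in parse_requirements(text):
        if rec["name"] in ZICHATBOT_PACKAGES:
            findings["malicious"].append(rec["raw"])
        if not rec["pinned"]:
            findings["unpinned"].append(rec["raw"])
        if not rec["hashed"]:
            findings["unhashed"].append(rec["raw"])
    return findings


def scan_installed() -> list[str]:
    """Return the names of ZiChatBot packages installed in the running interpreter."""
    hits = []
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name and normalize(name) in ZICHATBOT_PACKAGES:
            hits.append(name)
    return sorted(hits)


# Constructed sample manifest: one hash-pinned line (placeholder digest), one
# look-alike spelling of a reported IoC name, and one unpinned dependency.
SAMPLE_MANIFEST = """\
# constructed sample requirements file, not a real project manifest
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
Py_ZCS.CFFI>=1.0    # normalizes to py-zcs-cffi, a reported ZiChatBot package
numpy
"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for category, lines in report.items():
        for line in lines:
            print(f"[{category}] {line}")
    for name in scan_installed():
        print(f"[installed] {name}")
```

Run it against a real `requirements.txt` by passing the file contents to `audit_manifest`; in CI, a non-empty `malicious` list should fail the build, and the `unhashed` list tells you which entries still need digests before `--require-hashes` can be enforced.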
🛡️ Detection Rules
Suspicious PyPI Package Installation - ZiChatBot Malware
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| ZiChatBot-Malware | Malware Delivery | PyPI package: 'py-zcs-cffi' |
| ZiChatBot-Malware | Malware Delivery | PyPI package: 'py-zcs-windows-amd64' |
| ZiChatBot-Malware | Malware Delivery | PyPI package: 'py-zcs-linux-x86-64' |
| ZiChatBot-Malware | Malware | Malware family: ZiChatBot |
| ZiChatBot-Malware | Affected System | Operating Systems: Windows, Linux |