PyPI ZiChatBot Packages Linked to Suspected OceanLotus Campaign

Stephanie Adlam
PyPI package trap opens hidden ZiChatBot backdoor command channel

Kaspersky researchers have reported a suspected OceanLotus campaign that used malicious PyPI packages to deliver a backdoor they track as ZiChatBot. The important detail for developers is that the lure did not need a fake installer or phishing email once the package was trusted: a normal package install could bring in code that prepared the host for command-and-control activity. The same supply-chain logic applies to CI/CD tooling: a later Checkmarx Jenkins plugin compromise showed how a trusted developer integration can expose source code and build secrets when the update path is poisoned.

A newer Mini Shai-Hulud npm campaign shows the same issue at larger scale: dependency trust breaks down fastest on machines that also hold GitHub, package-registry, cloud, and CI credentials.

The packages named in the report include uuid32-utils, colorinal, and termncolor. They were presented as small utility modules, which is exactly what makes this supply-chain pattern dangerous. A developer may add a helper dependency to test a script, copy it into a build container, or run it on a workstation that already has repository tokens, SSH keys, browser sessions, cloud credentials, and internal package registry access.

What developers should check now

Kaspersky describes ZiChatBot as a Python backdoor that can run on both Windows and Linux and uses Zulip-based communication for its control channel. That matters because defenders should not search only for a Windows executable. The more useful triage path is to inspect recent Python environments, build logs, virtualenvs, container layers, and dependency lockfiles for the named packages, then check whether any developer machine made unusual outbound connections shortly after installation.

If one of the packages was installed, treat the event as a developer-environment compromise, not as a harmless bad dependency. Remove the package, preserve the environment for review, rotate tokens that were present on the host, check SSH keys and package registry credentials, and review CI/CD secrets exposed through local configuration files. The highest-risk machines are developer laptops and build runners because they often bridge source code, credentials, and release pipelines.

This campaign fits the same pattern Gridinsoft has covered in PyPI typosquatting outbreaks, malicious PyPI packages targeting crypto wallets, and AI-assisted dependency confusion risks. The defensive habit is specific: pin dependencies, review new packages before adding them to shared projects, mirror approved packages where possible, and alert on newly introduced dependencies that appear in production builds without code review.
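The two checks above, looking for the named packages in lockfiles and environments (the triage path under "What developers should check now") and flagging dependencies that appear in a build without review, share one lockfile parser, so here is a single added example that does both. This is illustrative code written for this article, not a tool from Kaspersky or Gridinsoft; the package names are the three cited from the report, the lockfile contents are constructed samples, and the parser deliberately handles only the common requirements.txt and poetry.lock shapes (comments, option lines, version specifiers, environment markers) rather than the full PEP 508 grammar.

```python
"""Lockfile and environment triage for the PyPI packages named in the report.

Added example. Two checks share one requirements parser:
  1. Is any of the named packages pinned in a lockfile or installed here?
  2. Which dependencies appear in a build that were not in the reviewed baseline?
"""
import re
from importlib import metadata
from pathlib import Path

# Package names as cited from the Kaspersky report on this page.
SUSPECT_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


SUSPECT_NORMALIZED = {normalize(n) for n in SUSPECT_PACKAGES}
REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
POETRY_NAME = re.compile(r'^name\s*=\s*"([^"]+)"', re.MULTILINE)


def requirement_names(text: str) -> list[str]:
    """Project names from requirements.txt-style text, in file order.

    Comments, blank lines and option lines (-r, -e, --index-url ...) are skipped;
    version specifiers, extras and environment markers are ignored.
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_NAME.match(line)
        if m:
            names.append(m.group(1))
    return names


def poetry_lock_names(text: str) -> list[str]:
    """Project names from poetry.lock; each [[package]] table has a name = "..." key."""
    return POETRY_NAME.findall(text)


def suspect_hits(names) -> list[str]:
    """Names that match the report's package list after normalisation (any spelling)."""
    return [n for n in names if normalize(n) in SUSPECT_NORMALIZED]


def dist_info_project_name(dirname: str) -> str:
    """'<name>-<version>.dist-info' -> '<name>' (the version never contains '-')."""
    return dirname[: -len(".dist-info")].rsplit("-", 1)[0]


def dist_info_suspects(root: Path) -> list[str]:
    """Walk a venv or extracted container layer for suspect *.dist-info directories."""
    return [str(d) for d in root.rglob("*.dist-info")
            if normalize(dist_info_project_name(d.name)) in SUSPECT_NORMALIZED]


def installed_suspects() -> list[str]:
    """Suspect distributions visible to the interpreter running this script."""
    names = {d.metadata.get("Name") for d in metadata.distributions()}
    return sorted(suspect_hits(n for n in names if n))


def new_dependencies(baseline_names, build_names) -> list[str]:
    """Dependencies in a build's lockfile that the reviewed baseline did not contain."""
    known = {normalize(n) for n in baseline_names}
    return [n for n in build_names if normalize(n) not in known]


# Constructed sample inputs for demonstration; not lockfiles from any real project.
REVIEWED_REQUIREMENTS = """\
requests==2.31.0
numpy==1.26.4
"""

BUILD_REQUIREMENTS = """\
# generated by a build step
requests==2.31.0
numpy==1.26.4
colorinal>=1.0          # looks like a harmless colour helper
-e git+https://example.invalid/internal.git#egg=internal
UUID32_Utils==0.1.0 ; python_version >= "3.8"
"""

BUILD_POETRY_LOCK = """\
[[package]]
name = "termncolor"
version = "0.2.1"

[[package]]
name = "requests"
version = "2.31.0"
"""

if __name__ == "__main__":
    build = requirement_names(BUILD_REQUIREMENTS)
    print("suspect packages in requirements:", suspect_hits(build))
    print("suspect packages in poetry.lock:", suspect_hits(poetry_lock_names(BUILD_POETRY_LOCK)))
    print("unreviewed dependencies:", new_dependencies(requirement_names(REVIEWED_REQUIREMENTS), build))
    print("suspect packages installed here:", installed_suspects())
```

Normalising names before comparison matters because the same project can appear as `uuid32-utils` in a requirements file, `uuid32_utils` in a `.dist-info` directory name and `UUID32_Utils` in hand-written pins; a plain string match would miss two of the three. The same `new_dependencies` check run in CI against a committed baseline is one way to get the "alert on newly introduced dependencies" habit without waiting for a package to be named in a report.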

The main false assumption is that “small” packages are low risk. In practice, utility packages are attractive because they need few permissions to run, are easy to miss in reviews, and can execute in environments where authentication material already exists. For teams using Python in automation, a dependency inventory is now part of incident response, not just software hygiene.

Related update: Linux developer environments are also being targeted directly. Trend Micro has reported QLNX, a Linux Quasar RAT variant that steals developer and cloud credentials through persistence, rootkit-style hiding, and PAM backdoor access. Read Gridinsoft’s report on QLNX RAT targeting Linux credentials.

This is part of a broader developer supply-chain pattern: a newer fake OpenAI Hugging Face repo used model-hub trust in the same way malicious packages abuse package-manager trust.

References

  1. Kaspersky Securelist, “OceanLotus suspected campaign delivers malware via PyPI packages,” May 8, 2026.