5 Critical Insights into the OceanLotus PyPI Supply Chain Attack Delivering ZiChatBot
In July 2025, security researchers uncovered a sophisticated supply chain attack on PyPI, the official Python package repository. Suspected to be linked to the notorious OceanLotus threat group (also known as APT32 or SeaLotus), this campaign employed three malicious wheel packages that secretly delivered a new malware family named ZiChatBot. Unlike typical malware, ZiChatBot avoids using a dedicated command-and-control server, instead hijacking the public REST APIs of the Zulip team chat application for communication. This article breaks down the five most important aspects of this attack, from the deceptive packages used to the unique C2 method and cross-platform capabilities.
1. Overview of the PyPI Supply Chain Attack
Beginning in July 2025, a series of harmful wheel packages were uploaded to PyPI, disguised as legitimate libraries. Researchers identified these packages during routine threat hunting and promptly shared their findings with the public security community, leading to their removal. Analysis using the Kaspersky Threat Attribution Engine (KTAE) pointed to possible connections with OceanLotus, a well-known advanced persistent threat (APT) group. The packages appeared to implement their described functions—such as generating UUIDs or handling colored terminal text—but their real purpose was to covertly drop malicious files. This attack is a textbook example of a PyPI supply chain compromise, targeting developers who unknowingly install the tainted packages, thereby giving attackers a foothold in their environments.
2. The Three Malicious PyPI Packages
The attacker created three projects on PyPI: uuid32-utils, colorinal, and termncolor. Each mimicked popular libraries to trick users. For instance, uuid32-utils claimed to generate a 32-character random UUID, while colorinal and termncolor offered cross-platform color terminal text and ANSI formatting. The packages were uploaded between July 16 and July 22, 2025, by accounts using laz****@tutamail.com and sym****@proton.me. The wheel files came in multiple variants—Windows x86, x64, and Linux x86_64—indicating a deliberate effort to infect both operating systems. The table below summarizes the metadata:
- uuid32-utils: pip install uuid32-utils, first uploaded 2025-07-16
- colorinal: pip install colorinal, first uploaded 2025-07-22
- termncolor: pip install termncolor, first uploaded 2025-07-22
All packages were designed to deliver the same ultimate payload: the ZiChatBot malware.
3. Cross-Platform Payloads: DLL and SO Files
A key feature of this campaign is its cross-platform capability. The malicious wheel packages serve as droppers that deposit either .DLL files (on Windows) or .SO shared libraries (on Linux). This means the attack can compromise developer workstations running either operating system. The presence of both library types in the same package suggests that the threat actors invested significant effort to maximize their reach. Once the dropper executes, it extracts the appropriate payload for the target platform and launches the ZiChatBot malware. This technique allows the attackers to infect a wide range of systems, from Windows laptops to Linux servers, all via a single PyPI package installation.
4. ZiChatBot's Unusual C2 Communication via Zulip REST APIs
ZiChatBot is not your typical malware. Instead of connecting to a dedicated command-and-control (C2) server, it uses the public REST APIs of Zulip, a popular team chat application. By leveraging legitimate services, the malware blends in with normal traffic and avoids detection by network security tools. The bot reads and writes messages to Zulip streams, using them as a covert channel to receive commands and exfiltrate data. This method is highly effective because Zulip's API endpoints are widely whitelisted and rarely flagged as malicious. The malware family was previously unknown and has been named ZiChatBot by researchers, highlighting the evolving tactics of threat actors like OceanLotus.
5. A Clever Deception: Benign Package Hiding Malicious Dependencies
To further conceal its malicious intent, the attacker employed a clever deception strategy. They created a benign-looking top-level package that included the actual malicious package (e.g., colorinal) as a dependency. When unsuspecting users installed the benign package via pip install, the dependency chain automatically pulled in the harmful wheel package as well. This layered approach makes detection even harder, as the initial package appears harmless and may even have legitimate functionality. The entire operation suggests careful planning and a deep understanding of PyPI's ecosystem. This attack underscores the importance of scrutinizing package dependencies and verifying the authenticity of open-source libraries before installation.
In conclusion, the OceanLotus-linked PyPI attack demonstrates a sophisticated blend of social engineering, supply chain compromise, and stealthy communication. By mimicking trusted libraries, targeting both Windows and Linux, and hijacking Zulip's APIs, the threat actors created a hard-to-detect malware delivery system. Developers and security teams must remain vigilant—check package metadata, inspect dependencies, and monitor for unusual network activity to Zulip endpoints. The removal of the malicious packages from PyPI was a swift response, but the lessons from this campaign will help fortify the open-source ecosystem against future attacks.