PyPI Supply Chain Attack: ZiChatBot Malware Delivered via Zulip APIs on Linux & Windows

Introduction

Security researchers have identified a sophisticated supply chain attack targeting the Python Package Index (PyPI). Three malicious packages have been discovered delivering a previously undocumented malware family, ZiChatBot. While these packages masquerade as legitimate libraries, their primary function is the covert delivery of malicious payloads capable of establishing persistence and remote control on both Windows and Linux systems.

This attack highlights a critical risk for DevOps and engineering teams relying on open-source repositories. The abuse of legitimate Zulip Chat APIs for Command and Control (C2) communications allows the malware to blend in with normal web traffic, bypassing standard egress filtering. Defenders must immediately audit their Python environments for these packages and hunt for anomalous connections to Zulip infrastructure.

Technical Analysis

Affected Products: Python environments on Windows and Linux systems.
Threat Vector: Typosquatting and dependency confusion on PyPI. Users install the malicious package via pip install, triggering the execution of malicious code embedded in the package's setup.py or binary wheel.
Malware Family: ZiChatBot (New).
C2 Mechanism: The malware leverages the Zulip API (often *.zulipchat.com) to receive commands and exfiltrate data. This technique is particularly insidious as Zulip is a legitimate open-source chat server used by many organizations for internal communication, potentially whitelisted in proxy configurations.
Attack Chain:
1. User/CI-CD pipeline executes pip install [malicious_package].
2. Malicious package executes a post-installation script.
3. Payload drops and establishes persistence (mechanism varies by OS).
4. Agent initiates outbound connection to Zulip API endpoints for C2.
Exploitation Status: Confirmed active exploitation. The packages are live on the repository (or were recently) and are actively being served to victims.

Detection & Response

The following detection rules and queries are designed to identify the installation of these packages and the subsequent C2 traffic to Zulip APIs.

Sigma Rules

YAML

---
title: ZiChatBot PyPI Attack - Python Process Connecting to Zulip C2
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects python or pip processes establishing network connections to Zulip domains, a potential indicator of ZiChatBot malware C2 activity.
references:
  - https://thehackernews.com/2026/05/pypi-packages-deliver-zichatbot-malware.html
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith:
      - '\python.exe'
      - '\python3.exe'
      - '\pip.exe'
    DestinationHostname|contains:
      - 'zulipchat.com'
  condition: selection
falsepositives:
  - Legitimate use of Zulip client libraries by developers (rare in automated contexts)
level: high
---
title: ZiChatBot PyPI Attack - Suspicious Python Child Process Execution
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects python.exe spawning cmd, bash, or powershell immediately following a package installation, indicative of post-exploitation scripts in PyPI supply chain attacks.
references:
  - https://thehackernews.com/2026/05/pypi-packages-deliver-zichatbot-malware.html
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\python.exe'
      - '\pip.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate developer scripts invoking shells
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender

// Hunt for Python processes connecting to Zulip domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl contains "zulipchat.com"
| where InitiatingProcessFileName in~ ("python.exe", "python3.exe", "pip.exe")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteUrl, RemotePort
| extend AlertContext = "Potential ZiChatBot C2 traffic"

// Hunt for suspicious child processes spawned by Python on Linux (via Syslog/CEF)
Syslog
| where TimeGenerated > ago(7d)
| where ProcessName contains "python"
| where SyslogMessage contains "EXECVE" 
| where SyslogMessage has_any ("cmd", "bash", "sh", "powershell") 
| extend ParsedMessage = parse_syslog(SyslogMessage)
| project TimeGenerated, HostName, ProcessName, SyslogMessage

Velociraptor VQL

VQL — Velociraptor

-- Hunt for active network connections to Zulip domains
SELECT Sys.Pid, Sys.Name, Sys.Proto, Sys.RemoteAddress, Sys.RemotePort, Sys.State
FROM listen_dns(addr=Sys.RemoteAddress)
      LEFT JOIN Sys ON Sys.Pid = listen_dns.Pid
WHERE Sys.RemoteAddress =~ 'zulipchat.com' 
   OR Sys.Name =~ 'python'

-- Hunt for recently modified Python packages in site-packages (Linux/Windows)
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs="/*/lib/python*/site-packages/*")
WHERE Mtime > now() - 7d
  AND (Mode =~ 'x' OR Name =~ '.whl')

Remediation Script (Bash)

This script audits the environment for active connections to Zulip from Python processes and checks for recent suspicious package installations.

Bash / Shell

#!/bin/bash

# Hunt for ZiChatBot Indicators
# Author: Security Arsenal

echo "[*] Hunting for active ZiChatBot C2 connections (Python -> Zulip)..."

# Check active connections to Zulip domains
connections=$(ss -tulpen | grep ':443' | grep -i zulip)
if [ ! -z "$connections" ]; then
    echo "[!] ALERT: Found connections to Zulip infrastructure:"
    echo "$connections"
else
    echo "[-] No active connections to Zulip found on port 443."
fi

echo ""
echo "[*] Checking for recently installed/modified Python packages in site-packages..."

# Find site-packages modified in the last 7 days
find /usr/local/lib/python*/dist-packages /root/.local/lib/python*/site-packages -name "*.py" -mtime -7 -type f 2>/dev/null | head -n 20

# Check pip logs for recent installs if they exist
if [ -d "~/.pip" ] || [ -d "/var/log/pip" ]; then
    echo "[*] Checking recent pip logs..."
    grep -r "Successfully installed" ~/.pip /var/log/pip 2>/dev/null | tail -n 5
fi

echo ""
echo "[*] Remediation Action:"
echo "1. If suspicious connections are found, kill the Python PID immediately."
echo "2. Audit recently installed packages: 'pip list --user' or 'pip list'"
echo "3. Remove unknown packages: 'pip uninstall <package_name>'"
echo "4. Block *.zulipchat.com at the egress firewall if Zulip is not an approved corporate tool."

Remediation

Immediate Blocking: If your organization does not officially use Zulip, block *.zulipchat.com at the perimeter firewall and proxy immediately. If Zulip is used, identify the specific subdomains sanctioned by IT and block unknown/rogue subdomains.
Package Audit: Run pip list on all development and production servers. Cross-reference with the list of known malicious packages (specific names usually published by Kaspersky/PyPI admins). If exact names are not yet released, look for packages with zero downloads, typo-squatted names of popular libraries, or packages installed immediately before the detection alert.
Removal: Uninstall the malicious packages immediately: pip uninstall <malicious_package_name>
Environment Sanitization: Consider rotating API keys and credentials stored on the compromised host, as ZiChatBot likely has data exfiltration capabilities.
Supply Chain Hardening: Implement pip-audit in CI/CD pipelines to automatically scan dependencies for known vulnerabilities and malicious packages before runtime.
Official Advisory: Monitor the PyPI Security Advisory and the Kaspersky advisory for the specific package hashes and names to add to your blocklists.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub