HackMyIP
2026-05-07 The Hacker News

PyPI ZiChatBot Malware Spreads via Zulip APIs Targeting Windows & Linux

Malware, Supply Chain

Researchers at SentinelLabs have uncovered a new supply-chain threat targeting developers who rely on the Python Package Index (PyPI). The campaign, tracked as 'ZulipSnatch', consists of three malicious packages (zulip-bot, zulip-messenger and zulip-integration), each masquerading as a legitimate Zulip API wrapper. The packages were uploaded between March 3 and March 7, 2024, and collectively amassed several thousand downloads before their removal.

Once installed, each package runs a Python script that initializes a hidden ZiChatBot payload. ZiChatBot first determines the host operating system (Windows or Linux) and then sends a Zulip API request to an attacker-controlled Zulip organization at https://zulip-chat[.]xyz. The malware encodes system information (hostname, user name, OS version and a list of running processes) as JSON and transmits it as a Zulip private message. In reply it receives a Base64-encoded second-stage payload, which it decodes and executes directly in memory. The second stage contains a reverse shell that connects to an external C2 server over TCP port 443, plus modules that harvest credentials from browsers and steal SSH keys.
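The beacon pattern described above (a private message sent to a Zulip organization, followed shortly by a fetch that carries the second stage) is something a defender can hunt for in proxy logs, because Zulip's REST API lives under a fixed path. The script below is an added example written for this page; it is not SentinelLabs' tooling or the malware's own code. The log format, the allowlist of legitimate Zulip hosts and the sample lines are constructed. The endpoint it keys on, `/api/v1/messages`, is the real Zulip REST path for sending and fetching messages.

```python
"""Hunt for ZiChatBot-style Zulip beaconing in web-proxy logs (added example)."""
import re
from datetime import datetime
from urllib.parse import urlparse

# Zulip organizations this environment legitimately talks to (assumption).
ALLOWED_ZULIP_HOSTS = {"chat.example.org"}

# Constructed proxy log: "<iso-timestamp> <client-ip> <method> <url> <status> <bytes>".
SAMPLE_LOG = """\
2024-03-08T10:02:11Z 10.0.0.12 POST https://chat.example.org/api/v1/messages 200 58
2024-03-08T10:14:53Z 10.0.0.31 POST https://zulip-chat.xyz/api/v1/messages 200 58
2024-03-08T10:15:02Z 10.0.0.31 GET https://zulip-chat.xyz/api/v1/messages?anchor=newest&num_before=1 200 9120
2024-03-08T10:16:40Z 10.0.0.44 GET https://pypi.org/simple/requests/ 200 30211
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Parse the constructed log format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, url, status, size = m.groups()
        parsed = urlparse(url)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src,
            "method": method,
            "host": parsed.hostname,
            "path": parsed.path,
            "status": int(status),
            "size": int(size),
        })
    return sorted(events, key=lambda e: e["ts"])


def is_zulip_api(event):
    """Zulip's REST API is served under /api/v1/; the beacon uses the messages endpoint."""
    return event["path"].startswith("/api/v1/")


def find_rogue_zulip_hosts(events):
    """Map client IP -> set of Zulip API hosts that are not on the allowlist."""
    hits = {}
    for e in events:
        if is_zulip_api(e) and e["host"] not in ALLOWED_ZULIP_HOSTS:
            hits.setdefault(e["src"], set()).add(e["host"])
    return hits


def find_beacon_fetch_pairs(events, window_s=120):
    """Flag the described sequence: a message is POSTed (system info), then
    messages are fetched from the same org by the same client shortly after
    (second-stage retrieval). Returns (client, host) pairs."""
    last_post = {}
    pairs = []
    for e in events:
        if not is_zulip_api(e) or not e["path"].endswith("/messages"):
            continue
        key = (e["src"], e["host"])
        if e["method"] == "POST":
            last_post[key] = e["ts"]
        elif e["method"] == "GET" and key in last_post:
            if (e["ts"] - last_post[key]).total_seconds() <= window_s:
                pairs.append(key)
                del last_post[key]
    return pairs


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("Zulip API calls to non-allowlisted orgs:", find_rogue_zulip_hosts(evts))
    print("beacon-then-fetch pairs:", find_beacon_fetch_pairs(evts))
```

The allowlist check alone is the higher-signal rule: most organizations talk to at most one Zulip server, so any `/api/v1/` traffic to another host deserves a look. The send-then-fetch pairing is there to rank hits from hosts you cannot simply block.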

The infection chain is designed to evade sandbox analysis: it checks for common VM artifacts (for example 'vboxguest' and 'vmware') and delays execution until at least 10 minutes after installation. Both Windows and Linux hosts are targeted. On Windows the payload uses PowerShell to establish persistence through a scheduled task; on Linux it installs a cron job that runs a Bash script dropped under /tmp/. Because the beacon is carried over the Zulip API (ordinary HTTPS to what looks like a chat server), it blends with legitimate traffic, which makes detection by traditional network monitoring difficult.
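The two persistence mechanisms described above have a shared tell: a scheduled job that executes from a scratch directory, or a PowerShell task launched hidden with an encoded command. The script below is an added example for this page, not SentinelLabs' or the malware's code. The crontab text is constructed, and the Windows records are hand-typed tuples shaped like the TaskName, Execute and Arguments fields you would read out of Get-ScheduledTask in PowerShell; collecting them from a live host is left to the reader.

```python
"""Hunt for cron jobs running from /tmp and suspicious scheduled tasks (added example)."""
import re

# Directories a legitimate persistence mechanism should never need to execute from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
WINDOWS_SCRATCH = re.compile(r"(\\temp\\|\\appdata\\local\\temp\\|%temp%)", re.IGNORECASE)

# Constructed crontab (as printed by `crontab -l`): two benign entries, one suspicious.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
*/5 * * * * bash /tmp/.zc-update.sh >/dev/null 2>&1
@reboot /home/dev/.local/bin/sync-notes
"""

# Either an @-shortcut (@reboot, @daily, ...) or five schedule fields, then the command.
CRON_LINE = re.compile(r"^(@\w+|(?:\S+\s+){5})(.+)$")


def cron_commands(text):
    """Yield (schedule, command) for real job lines; skip comments and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            yield m.group(1).strip(), m.group(2).strip()


def scratch_dir_in(command):
    """True if the command references a world-writable scratch directory."""
    return any(d in command for d in SCRATCH_DIRS)


def suspicious_cron_jobs(text):
    return [(s, c) for s, c in cron_commands(text) if scratch_dir_in(c)]


# Constructed scheduled-task records: (TaskName, Execute, Arguments).
# The -enc argument is a constructed sample, not from the actual malware.
SAMPLE_TASKS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "%windir%\\system32\\defrag.exe", "-c -h -o -$"),
    ("\\ZiUpdate", "powershell.exe", "-w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("\\OneDrive Update", "C:\\Users\\dev\\AppData\\Local\\Temp\\up.exe", ""),
]


def suspicious_tasks(tasks):
    """Flag PowerShell launched hidden/bypass/encoded, or any binary run from a temp path."""
    flagged = []
    for name, exe, args in tasks:
        exe_l, args_l = exe.lower(), args.lower()
        ps_evasion = "powershell" in exe_l and re.search(
            r"-(enc|encodedcommand|w\s+hidden|ep\s+bypass)", args_l)
        if ps_evasion or WINDOWS_SCRATCH.search(exe_l):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("cron jobs from scratch dirs:", suspicious_cron_jobs(SAMPLE_CRONTAB))
    print("suspicious scheduled tasks:", suspicious_tasks(SAMPLE_TASKS))
```

On a real Linux host, feed the function the contents of each user's crontab plus /etc/crontab and the /etc/cron.d/ files; the per-user ones under /var/spool/cron are where a user-level install lands. The 10-minute delay the article mentions happens inside the process, so it does not show up in either listing; the cron and task entries are what remain after the initial stage has finished.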

After being notified, PyPI's security team promptly removed the three packages and invalidated the associated accounts. Security practitioners are advised to audit their dependency trees, enable pip's --require-hashes mode, and run tools such as pip-audit or Snyk to flag known vulnerable or malicious packages. Two caveats apply: hash pinning stops a pinned package from being silently swapped for a different artifact, but does nothing if the malicious package was pinned on purpose; and advisory-based scanners only catch a package once it has been reported. The discovery underscores the ongoing risk posed by trusted package repositories and highlights the need for continuous monitoring of supply-chain integrity.
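The audit step above is mechanical enough to script. The example below is added for this page and is not PyPI's, pip-audit's or Snyk's code. It checks a requirements file for the three package names from the campaign and for entries that `pip install --require-hashes` would refuse, and it checks the running interpreter's installed distributions. The requirements text is constructed and the --hash digests in it are obvious placeholders, not real hashes. Name comparison follows PEP 503 normalization (case-insensitive; runs of `-`, `_` and `.` collapse to `-`), which is how pip itself matches names, so a spelling like `Zulip_Bot` still matches `zulip-bot`.

```python
"""Audit requirements and the local environment for the ZulipSnatch packages (added example)."""
import re
from importlib.metadata import distributions

MALICIOUS = {"zulip-bot", "zulip-messenger", "zulip-integration"}

# Constructed requirements.txt: one unhashed legit dep, one hashed legit dep,
# one hashed entry for a package from the campaign (a hash does not make it safe).
SAMPLE_REQUIREMENTS = """\
# project dependencies
requests==2.31.0
zulip==0.9.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
Zulip_Bot==1.0.2 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
-r other.txt
"""

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")


def normalize(name):
    """PEP 503 name normalization, as used by pip and PyPI."""
    return re.sub(r"[-_.]+", "-", name).lower()


def logical_lines(text):
    """Join backslash-continued lines; drop comments, blanks and option lines (-r, -e, ...)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = buf + line
        buf = ""
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        yield line


def audit_requirements(text):
    """Return which requirements are known-malicious and which lack a sha256 hash."""
    malicious, unhashed = [], []
    for line in logical_lines(text):
        m = NAME_RE.match(line)
        if not m:
            continue
        name = normalize(m.group(1))
        if name in MALICIOUS:
            malicious.append(name)
        if not HASH_RE.search(line):
            unhashed.append(name)
    return {"malicious": malicious, "unhashed": unhashed}


def installed_malicious():
    """Check the running interpreter's environment for the campaign's packages."""
    found = set()
    for dist in distributions():
        name = dist.metadata["Name"]
        if name and normalize(name) in MALICIOUS:
            found.add(normalize(name))
    return sorted(found)


if __name__ == "__main__":
    print("requirements audit:", audit_requirements(SAMPLE_REQUIREMENTS))
    print("installed campaign packages:", installed_malicious())
```

With --require-hashes, pip refuses to install any requirement that lacks a --hash, transitive dependencies included, so the file has to pin everything; `pip-compile --generate-hashes` from pip-tools produces such a file from a loose list of top-level dependencies. The `unhashed` list from this script tells you which lines would make that install fail before you try it.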

Source: The Hacker News →
