Cybersecurity researchers at Kaspersky have identified three malicious packages hosted on the Python Package Index (PyPI) that disguise themselves as legitimate libraries while covertly delivering a previously unknown malware family called ZiChatBot to Windows and Linux systems. The packages implement their advertised features to avoid detection, but their primary purpose is to deliver malicious payloads.
Supply chain attackers are not only trying to slip malicious code into trusted software. They are trying to steal the access that makes trusted software possible. Recently, three separate campaigns hit npm, PyPI, and Docker Hub in a 48-hour window, and all three targeted secrets from developer environments and CI/CD pipelines, including API keys, cloud credentials, SSH keys, and tokens.