Attackers compromised the popular Python Lightning package and published two trojanized versions capable of stealing credentials, with four cybersecurity firms confirming the supply chain intrusion affected versions 2.6.2 and 2.6.3 released on April 30, 2026.
Cybersecurity researchers at Kaspersky have identified three malicious packages hosted on the Python Package Index (PyPI) that disguise themselves as legitimate libraries while covertly delivering a previously unknown malware family called ZiChatBot to Windows and Linux systems. The packages implement their advertised features to avoid detection, but their primary purpose is to deliver malicious payloads.