Python Trap: ZiChatBot Malware Hijacks Popular Chat App

Security experts have sounded the alarm after finding a sneaky new trap hidden inside the Python Package Index (PyPI), the main public repository from which Python developers download their libraries. A group of hackers successfully planted three malicious packages designed to infect both Windows and Linux computers with a new type of spyware called ZiChatBot. This discovery is particularly chilling because the malware doesn’t use a typical hacker-controlled website to receive its orders; instead, it hides its command traffic inside the legitimate team chat app, Zulip.

This “supply chain attack” was a calculated move to catch developers off guard. By putting the poison inside tools that programmers use every day, the hackers can slip past traditional security walls. While the packages have since been removed, they were downloaded over 2,000 times before anyone noticed they were dangerous.

A Wolf in Sheep’s Clothing

The three packages involved—named uuid32-utils, colorinal, and termncolor—looked completely normal on the surface. They even performed the helpful tasks they promised to do, like managing unique ID codes or adding colors to text in a terminal. This is a classic trick used by modern hackers: provide a useful service so the victim has no reason to suspect anything is wrong.

One of the packages, termncolor, didn’t even contain the malicious code itself. Instead, it was programmed to automatically download one of the other “dirty” packages, so the payload arrived indirectly. This layering makes it much harder for security scanners to trace the source of the problem. If a developer installed any of these tools between July 16 and 22, 2025, their system was likely placed under the hackers’ control.

How the Infection Spreads and Stays

The way ZiChatBot takes over a computer depends on whether the victim is using Windows or Linux, but the end goal is the same. On Windows, the malware drops a hidden file and adds an entry to the computer’s “Registry” so that the file is launched automatically every time the user turns on their computer. Once it’s settled in, it deletes its original installer to leave no evidence behind.

On Linux, the process is slightly different but equally effective. It hides itself in a temporary folder and adds a scheduled job to the user’s “crontab” to keep itself running. Once the malware is active, it reaches out to the Zulip chat API. The hackers send commands through the chat app, telling the infected computer to run specific code or steal information. In a bizarre twist, once the malware successfully completes a task, it sends a heart emoji back to the hackers as a “mission accomplished” signal.
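As an added illustration (not code from the article or from the researchers who analysed ZiChatBot), the following Python script checks two of the indicators described above from the defender's side: a requirements listing is screened for the three package names, and a Linux crontab is screened for jobs that execute out of a temp directory. The package list, directory list and sample inputs are constructed for the example.

```python
import re

# Package names the article says were pulled from PyPI, and the temp
# directories it says the Linux dropper hides in (both constructed lists).
FLAGGED_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def normalize(name: str) -> str:
    """PEP 503 normalization so 'Termncolor' or 'uuid32_utils' still match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def flagged_requirements(requirements_text: str) -> list:
    """Return requirement lines that name one of the flagged packages."""
    hits = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment-only, or a pip option such as -r/-e
        # The project name ends at the first extras/version/marker delimiter.
        name = re.split(r"[\[<>=!~;@ ]", line, 1)[0]
        if normalize(name) in FLAGGED_PACKAGES:
            hits.append(raw.strip())
    return hits

def suspicious_cron_entries(crontab_text: str) -> list:
    """Return crontab jobs whose command runs something out of a temp directory."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue  # comments and environment assignments are not jobs
        # '@reboot <cmd>' has one schedule field; otherwise five time fields.
        parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        command = parts[-1] if len(parts) in (2, 6) else ""
        if any(d in command for d in TEMP_DIRS):
            hits.append(line)
    return hits

# Constructed sample inputs, not captured from a real host.
SAMPLE_REQUIREMENTS = """requests==2.32.0
Termncolor>=0.1   # looks like a colour helper
uuid32_utils
"""
SAMPLE_CRONTAB = """PATH=/usr/bin:/bin
# nightly backup
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.cache/update.py >/dev/null 2>&1
@reboot python3 /var/tmp/.sync/agent.py
"""
```

Running `flagged_requirements(SAMPLE_REQUIREMENTS)` and `suspicious_cron_entries(SAMPLE_CRONTAB)` returns the two flagged requirement lines and the two cron jobs that launch from temp directories; the nightly backup job and the PATH assignment are left alone.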

The Mystery Hackers Behind the Attack

While no one has officially claimed responsibility, researchers have noticed a striking pattern. The code used to drop the malware is very similar to tools used by a well-known hacking group from Vietnam called OceanLotus, also known as APT32. This group has a long history of clever attacks, including a recent campaign where they hid viruses inside fake Visual Studio Code projects to target Chinese security experts.

In those previous attacks, they used the note-taking app Notion to hide their communications. Switching to Zulip for this new campaign shows that these hackers are getting even more creative. By using well-known, trusted business apps as their command centers, they make their malicious traffic look like a normal day at the office. This shift signals a dangerous trend: hackers are no longer just sending suspicious emails; they are poisoning the very building blocks that developers use to create the software we all rely on. For anyone working in tech, this is a grim reminder that even the most helpful-looking code can have a hidden, heart-shaped sting.
