Three PyPI wheel packages, uuid32-utils (1,479 downloads), colorinal (614 downloads) and termncolor (387 downloads), were uploaded in a narrow window between 16 July and 22 July 2025 and were used to stealthily deliver a malware family called ZiChatBot on Windows and Linux. On Windows, installing the first two packages drops a DLL named terminate[.]dll, which is loaded to act as a dropper: it creates an auto-run entry in the registry and then deletes itself.
On Linux, a shared object named terminate[.]so plants the malware at /tmp/obsHub/obs-check-update and configures a crontab entry for persistence. ZiChatBot is built to execute shellcode fetched from a remote C2, using Zulip's REST API as the command channel. Regardless of OS, the malware signals success by sending a heart emoji after executing commands. Kaspersky described the activity as a careful PyPI supply chain attack and noted that the dropper shows 64% similarity to one used by OceanLotus, a Vietnam-aligned group; the article also cites OceanLotus as a potential suspect.
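The indicators above (package names, the terminate[.]dll / terminate[.]so dropper, the /tmp/obsHub/obs-check-update path and the crontab entry) are enough to hunt for this campaign on a host or in a package mirror. The following script is an added example, not Kaspersky's code or anything from the packages themselves: it normalizes installed package names the way pip does, inspects a wheel archive for native binaries that match the dropper name, and flags crontab lines that run anything out of /tmp (a generalization of the single path the article reports). The sample wheel and crontab are constructed inline for illustration; nothing here touches the real packages.

```python
"""Hunt helpers for the ZiChatBot PyPI campaign.

Added example. Indicator values (package names, terminate.dll/.so,
/tmp/obsHub/obs-check-update) come from the article; the sample wheel and
crontab below are constructed for illustration and are not real artifacts.
"""
import io
import re
import zipfile
from typing import Dict, Iterable, List, Union

# Indicators taken from the article.
MALICIOUS_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}
DROPPER_NAMES = {"terminate.dll", "terminate.so"}
LINUX_PAYLOAD_PATH = "/tmp/obsHub/obs-check-update"

# Native extension suffixes worth a second look inside any wheel.
_NATIVE_EXT = (".dll", ".so", ".pyd", ".dylib")


def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'uuid32_utils' and 'UUID32.utils' match the IoC."""
    return re.sub(r"[-_.]+", "-", name).lower()


def flagged_installed(installed: Iterable[str]) -> List[str]:
    """Return installed names (as given) that match a known-malicious package."""
    bad = {normalize_name(n) for n in MALICIOUS_PACKAGES}
    return sorted(n for n in installed if normalize_name(n) in bad)


def scan_wheel(wheel: Union[str, bytes]) -> Dict[str, List[str]]:
    """List native binaries in a wheel (path or bytes).

    Files named like the known dropper are reported separately from other
    native files; pure-Python utilities carrying any .dll/.so deserve review.
    """
    src = io.BytesIO(wheel) if isinstance(wheel, bytes) else wheel
    known, other = [], []
    with zipfile.ZipFile(src) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base in DROPPER_NAMES:
                known.append(info.filename)
            elif base.endswith(_NATIVE_EXT):
                other.append(info.filename)
    return {"known_dropper": known, "other_native": other}


# Either an @-shortcut (@reboot, @hourly, ...) or five schedule fields, then the command.
_CRON_RE = re.compile(r"^\s*(@\w+|(?:\S+\s+){5})(.*)$")


def suspicious_cron_entries(crontab_text: str) -> List[str]:
    """Flag crontab lines whose command runs the known payload or anything under /tmp."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _CRON_RE.match(line)
        if not m:
            continue
        cmd = m.group(2)
        if LINUX_PAYLOAD_PATH in cmd or re.search(r"(^|\s)/tmp/", cmd):
            hits.append(line.strip())
    return hits


def build_sample_wheel() -> bytes:
    """Constructed in-memory wheel mimicking the layout described: one dropper, one other native file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("colorinal/__init__.py", "import ctypes\n")
        zf.writestr("colorinal/terminate.dll", b"MZ\x90\x00")   # fake header, not a real PE
        zf.writestr("colorinal/helper.pyd", b"MZ\x90\x00")
        zf.writestr("colorinal-1.0.dist-info/METADATA", "Name: colorinal\n")
    return buf.getvalue()


# Constructed crontab: one benign job, one persistence entry like the one described.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /tmp/obsHub/obs-check-update
"""

if __name__ == "__main__":
    print(flagged_installed(["requests", "Colorinal", "uuid32_utils", "numpy"]))
    print(scan_wheel(build_sample_wheel()))
    print(suspicious_cron_entries(SAMPLE_CRONTAB))
```

On a real host, feed `flagged_installed` the output of `pip list --format=freeze` (names before `==`), point `scan_wheel` at wheels cached under `~/.cache/pip` or a mirror, and pass `crontab -l` output plus the files under /etc/cron.d to `suspicious_cron_entries`. A cron command under /tmp is not proof of compromise, but it is rare enough in legitimate deployments to be worth a look.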