OceanLotus suspected of using PyPI to deliver ZiChatBot malware
ID: 0804707b-c50e-5bda-ad2b-d3c6a9bb859c
STIX ID: report--0804707b-c50e-5bda-ad2b-d3c6a9bb859c
Feed Name: Securelist by Kaspersky
**Executive summary:** A July 2025 PyPI supply-chain campaign uploaded malicious wheel packages (uuid32-utils, colorinal, termncolor) that extract a dropper (terminate.dll / terminate.so) to install a cross-platform backdoor named ZiChatBot. The dropper establishes persistence and deploys the payload (vcpktsvr.exe/libcef.dll on Windows or an ELF binary on Linux); ZiChatBot then uses Zulip's public REST APIs as its C2 channel. The packages were removed from PyPI and the Zulip "helper" organization was deactivated. Kaspersky notes a 64% similarity between the dropper and samples linked to OceanLotus.
