#pypi
5 articles
This archive collects 7 articles tagged pypi, published between April 27, 2026 and May 14, 2026, giving security teams a focused view of how PyPI has appeared across ZCyberNews coverage. The threat actors referenced are TeamPCP and OceanLotus; ZiChatBot appears as the malware family delivered in the OceanLotus campaign rather than as an actor. Attributions are shown only where the underlying article metadata supports them. The affected-scope signals emphasize technology, software development, and research, with global reach, so readers can compare exposure patterns without claims beyond the archive data. Severity coverage includes 4 critical and 3 high reports.
[HIGH] OpenAI Breached in TanStack Supply Chain Attack
OpenAI says two employees' devices were compromised in the TeamPCP Mini Shai-Hulud campaign, forcing rotation of code-signing certificates across macOS, Windows, iOS, and Android.
[CRITICAL] TeamPCP Hijacks TanStack CI/CD, Poisons 170+ NPM/PyPI Packages
TeamPCP chained three GitHub Actions flaws to hijack TanStack's CI/CD, publishing 84 malicious artifacts across 42 packages.
[HIGH] OceanLotus APT Uses PyPI Packages to Deliver ZiChatBot Malware
Kaspersky attributes a PyPI supply chain campaign to OceanLotus APT, using fake wheel packages to drop ZiChatBot malware that abuses Zulip chat APIs for C2 on Windows and Linux.
[HIGH] ZiChatBot Malware Spreads via PyPI Packages Using Zulip C2
Three PyPI packages deliver ZiChatBot malware on Windows and Linux using Zulip chat APIs for stealthy C2 — Kaspersky identifies 12+ victim organizations globally.
[CRITICAL] PyTorch Lightning Compromised in PyPI Supply Chain Attack
Threat actors pushed malicious PyTorch Lightning versions 2.6.2 and 2.6.3 to PyPI on April 30, 2026, stealing credentials via a typosquatted dependency — Aikido Security, Socket,…