By rssfeeds-admin Three malicious versions, durabletask v1.4.1, v1.4.2, and v1.4.3, were published to PyPI on May 19, 2026, within a 35-minute window and have since been quarantined following independent analysis.
The package receives over 400,000 downloads per month, making this one of the most impactful supply chain incidents of 2026.
Wiz researchers directly linked the attack to the previously documented @antv supply chain wave, tracing a compromised GitHub account that published repositories implicated in that campaign.
Microsoft DurableTask Python Client Compromised
The same account was observed targeting microsoft/durabletask-python in an 8-minute window between 15:08 and 15:16 UTC.
The attacker’s method was straightforward but devastating: they leveraged compromised credentials to dump GitHub secrets from a repository the account had access to, harvesting a PyPI API token stored in GitHub Actions secrets.
Using this token, the attacker built and uploaded the malicious packages directly via twine, completely bypassing Microsoft’s CI/CD pipeline, no matching GitHub tags or workflow runs exist for any of the three versions.
The C2 domain check.git-service.com was registered just three days before the attack (May 16, 2026) through NameSilo with privacy protection enabled.
The dropper just 14 lines of Python code __init__.py silently downloads rope.pyz from the C2 and spawns four parallel detached processes.
The payload is a 28 KB Python zipapp containing 17 source files and represents a direct evolution of the guardrails-ai payload deployed on May 11th.
Injection points were progressively escalated across versions to maximize execution coverage.
Spread across multiple entry points __init__.py,task.py, entities/__init__.py, extensions/__init__.py, and payload/__init__.py ensuring the payload executes regardless of which module a developer imports first.
Once triggered, the malware performs a sweeping credential theft operation, targeting:
- AWS IAM credentials, EC2 IMDSv2, Secrets Manager, and SSM Parameter Store across 19 regions.
- Azure service principals, managed identity, and Key Vault secrets across all subscriptions.
- GCP service account keys and Secret Manager secrets.
- Kubernetes service accounts across all namespaces via
kubeconfig. - HashiCorp Vault tokens across all KV mounts.
- Bitwarden, 1Password, and GPG brute-forced using harvested passwords.
- Shell history files (
.bash_history,.zsh_history) and 99 hardcoded filesystem paths for additional secrets.
The worm propagates laterally to up to 5 targets per infected host via AWS SSM SendCommand and Kubernetes kubectl exec, dropping infection markers at ~/.cache/.sys-update-check to avoid double-infection.
The secondary C2 domain t.m-kosche.com is established TeamPCP infrastructure, directly tying this attack to the Mini Shai-Hulud campaign, as stated in Wiz report.
TeamPCP’s 2026 supply chain campaign has now claimed TanStack (42 npm packages), Mistral AI, Guardrails AI, LiteLLM, @antv (639 compromised versions across 323 packages), Checkmarx VS Code extensions, Aqua Security’s Trivy, and now Microsoft’s durabletask.
| Category | Indicator |
|---|---|
| Malicious Packages | durabletask==1.4.1, 1.4.2, 1.4.3 |
| Safe Version | durabletask==1.4.0 |
| Payload SHA-256 | 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce |
| sdist SHA-256 (1.4.1) | 3de04fe2a76262743ed089efa7115f4508619838e77d60b9a1aab8b20d2cc8bf |
| sdist SHA-256 (1.4.2) | 85f54c089d78ebfb101454ec934c767065a342a43c9ee1beac8430cdd3b2086f |
| sdist SHA-256 (1.4.3) | c0b094e46842260936d4b97ce63e4539b99a3eae48b736798c700217c52569dc |
| Primary C2 | check.git-service[.]com |
| Backup C2 | t.m-kosche[.]com |
| C2 IP | 160.119.64.3 (AS7489, HostUS) |
| Exfil Endpoints | /api/public/version, /v1/models, /audio.mp3 |
| Infection Marker | ~/.cache/.sys-update-check |
| K8s Marker | ~/.cache/.sys-update-check-k8s |
| Persistence Service | pgsql-monitor.service |
| Dead-drop Beacon | FIRESCALE (GitHub commit search) |
| Exfil Repo Names | BABA-YAGA, KOSCHEI, FIREBIRD, RUSALKA, LESHY, MOROZKO |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Mitigation:
- Identify exposure — Scan
requirements.txt,poetry.lock, and CI logs for durabletask 1.4.1–1.4.3; check for/tmp/rope-*.pyzon Linux systems - Check persistence — Look for
~/.cache/.sys-update-check, thepgsql-monitor.servicesystemd unit, and runningpython3 /tmp/managed.pyzprocesses - Rotate all credentials — AWS IAM, Azure service principals, GCP service accounts, Kubernetes tokens, Vault tokens, GitHub PATs, SSH keys, and Bitwarden/1Password vaults; assume shell history was exfiltrated
- Audit cloud activity — Review CloudTrail for
SSM:SendCommandcalls and Kubernetes audit logs for unauthorizedkubectl execsessions - Block C2 infrastructure — Deny DNS resolution for
check.git-service[.]comandt.m-kosche[.]com; block/v1/models,/audio.mp3, and/api/public/versionoutbound endpoints
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.
The post Microsoft DurableTask Python Client Compromised by TeamPCP appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.