Microsoft DurableTask Python Client Compromised by TeamPCP

The threat actor group TeamPCP, which operates the prolific Mini Shai-Hulud supply chain campaign, has successfully compromised Microsoft’s official Python client for the Durable Task workflow execution framework.

Three malicious versions, durabletask v1.4.1, v1.4.2, and v1.4.3, were published to PyPI on May 19, 2026, within a 35-minute window and have since been quarantined following independent analysis.

The package receives over 400,000 downloads per month, making this one of the most impactful supply chain incidents of 2026.

Wiz researchers directly linked the attack to the previously documented @antv supply chain wave, tracing a compromised GitHub account that published repositories implicated in that campaign.

Microsoft DurableTask Python Client Compromised

The same account was observed targeting microsoft/durabletask-python in an 8-minute window between 15:08 and 15:16 UTC.

The attacker’s method was straightforward but devastating: they leveraged compromised credentials to dump GitHub secrets from a repository the account had access to, harvesting a PyPI API token stored in GitHub Actions secrets.

Using this token, the attacker built and uploaded the malicious packages directly via twine, completely bypassing Microsoft’s CI/CD pipeline, no matching GitHub tags or workflow runs exist for any of the three versions.

The C2 domain check.git-service.com was registered just three days before the attack (May 16, 2026) through NameSilo with privacy protection enabled.

The dropper just 14 lines of Python code  __init__.py silently downloads rope.pyz from the C2 and spawns four parallel detached processes.

The payload is a 28 KB Python zipapp containing 17 source files and represents a direct evolution of the guardrails-ai payload deployed on May 11th.

Injection points were progressively escalated across versions to maximize execution coverage.

Spread across multiple entry points  __init__.py,task.py, entities/__init__.py, extensions/__init__.py, and payload/__init__.py ensuring the payload executes regardless of which module a developer imports first.

Once triggered, the malware performs a sweeping credential theft operation, targeting:

• AWS IAM credentials, EC2 IMDSv2, Secrets Manager, and SSM Parameter Store across 19 regions.
• Azure service principals, managed identity, and Key Vault secrets across all subscriptions.
• GCP service account keys and Secret Manager secrets.
• Kubernetes service accounts across all namespaces via kubeconfig.
• HashiCorp Vault tokens across all KV mounts.
• Bitwarden, 1Password, and GPG brute-forced using harvested passwords.
• Shell history files (.bash_history, .zsh_history) and 99 hardcoded filesystem paths for additional secrets.

The worm propagates laterally to up to 5 targets per infected host via AWS SSM SendCommand and Kubernetes kubectl exec, dropping infection markers at ~/.cache/.sys-update-check to avoid double-infection.

The secondary C2 domain t.m-kosche.com is established TeamPCP infrastructure, directly tying this attack to the Mini Shai-Hulud campaign, as stated in Wiz report.

TeamPCP’s 2026 supply chain campaign has now claimed TanStack (42 npm packages), Mistral AI, Guardrails AI, LiteLLM, @antv (639 compromised versions across 323 packages), Checkmarx VS Code extensions, Aqua Security’s Trivy, and now Microsoft’s durabletask.

Category	Indicator
Malicious Packages	durabletask==1.4.1, 1.4.2, 1.4.3
Safe Version	durabletask==1.4.0
Payload SHA-256	069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce
sdist SHA-256 (1.4.1)	3de04fe2a76262743ed089efa7115f4508619838e77d60b9a1aab8b20d2cc8bf
sdist SHA-256 (1.4.2)	85f54c089d78ebfb101454ec934c767065a342a43c9ee1beac8430cdd3b2086f
sdist SHA-256 (1.4.3)	c0b094e46842260936d4b97ce63e4539b99a3eae48b736798c700217c52569dc
Primary C2	check.git-service[.]com
Backup C2	t.m-kosche[.]com
C2 IP	160.119.64.3 (AS7489, HostUS)
Exfil Endpoints	/api/public/version, /v1/models, /audio.mp3
Infection Marker	~/.cache/.sys-update-check
K8s Marker	~/.cache/.sys-update-check-k8s
Persistence Service	pgsql-monitor.service
Dead-drop Beacon	FIRESCALE (GitHub commit search)
Exfil Repo Names	BABA-YAGA, KOSCHEI, FIREBIRD, RUSALKA, LESHY, MOROZKO

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Mitigation:

1. Identify exposure — Scan requirements.txt, poetry.lock, and CI logs for durabletask 1.4.1–1.4.3; check for /tmp/rope-*.pyz on Linux systems
2. Check persistence — Look for ~/.cache/.sys-update-check, the pgsql-monitor.service systemd unit, and running python3 /tmp/managed.pyz processes
3. Rotate all credentials — AWS IAM, Azure service principals, GCP service accounts, Kubernetes tokens, Vault tokens, GitHub PATs, SSH keys, and Bitwarden/1Password vaults; assume shell history was exfiltrated
4. Audit cloud activity — Review CloudTrail for SSM:SendCommand calls and Kubernetes audit logs for unauthorized kubectl exec sessions
5. Block C2 infrastructure — Deny DNS resolution for check.git-service[.]com and t.m-kosche[.]com; block /v1/models, /audio.mp3, and /api/public/version outbound endpoints

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.

The post Microsoft DurableTask Python Client Compromised by TeamPCP appeared first on Cyber Security News.