GBHackers

Microsoft DurableTask Python Client Targeted in TeamPCP Cyberattack


The ongoing TeamPCP software supply chain campaign has compromised the official Microsoft DurableTask Python client, a widely used package for orchestrating workflows in Python applications.

Three versions of the durabletask package on PyPI, 1.4.1, 1.4.2, and 1.4.3, were identified as malicious and subsequently quarantined by PyPI after analysis by Wiz researchers. This incident highlights how attackers are increasingly abusing developer ecosystems to reach cloud environments at scale.

The attack is linked to a previously reported wave against the @antv ecosystem, tying it to the same TeamPCP campaign. Investigators found that a compromised GitHub user account, already involved in the earlier attacks, also had access to the microsoft/durabletask-python repository.

The attacker cloned recent commit messages and used the victim’s GitHub access to extract repository secrets, including a PyPI token stored in GitHub Actions secrets. With that token, they were able to publish trojanized durabletask versions directly to PyPI without breaking into PyPI itself.

Microsoft DurableTask Python Client Targeted

The payload is an evolution of malware previously deployed against the guardrails-ai package, with added features for cloud credential theft and lateral movement. In the compromised durabletask packages, the malicious code is delivered via a rope.pyz payload and injected into files such as __init__.py, task.py, and multiple package submodules.

Once executed on Linux systems, the malware targets credentials from AWS, Azure, GCP, Kubernetes, Vault, local files, and stored passwords, then attempts to propagate further using available access, as reported by Wiz.

The worm-like component uses AWS Systems Manager (SSM) and Kubernetes to spread to up to five additional targets per infected host. It also attempts brute-force unlocking of Bitwarden, 1Password, and GPG using passwords collected from environment variables and shell history, and it scrapes history files such as .bash_history and .zsh_history for sensitive data.

Command-and-control (C2) traffic is directed to domains such as check.git-service.com with backup infrastructure at t.m-kosche.com, and an infection marker file at ~/.cache/.sys-update-check is used to track compromised systems.

Security teams are advised to immediately scan dependency files and CI logs for use of durabletask versions 1.4.1, 1.4.2, or 1.4.3. On Linux systems, defenders should search for artifacts such as /tmp/managed.pyz, /tmp/rope-*.pyz, the infection marker under ~/.cache/.sys-update-check, and suspicious python3 /tmp/managed.pyz processes.

If exposure is suspected, all cloud and application credentials should be rotated, including AWS IAM, Azure, GCP service accounts, Kubernetes and Vault tokens, and passwords stored in Bitwarden, 1Password, and similar tools, on the assumption that shell history may have been exfiltrated.

Additional steps include auditing AWS CloudTrail for unusual SSM activity, reviewing Kubernetes audit logs for unexpected kubectl exec operations, checking password manager CLI usage, and blocking the C2 domains and specific exfiltration paths at the network layer.
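The dependency-file, CI-log and artifact checks described above can be scripted. The following is an added example, not code from Wiz, Microsoft or the original article; the regular expressions, function names and sample text are assumptions constructed for illustration, while the versions and file paths are the ones listed in the article.

```python
import glob
import re
import sys
from pathlib import Path

BAD_VERSIONS = {"1.4.1", "1.4.2", "1.4.3"}  # releases named in the article
ARTIFACTS = ["/tmp/managed.pyz", "/tmp/rope-*.pyz", "~/.cache/.sys-update-check"]
# Same-line forms: "durabletask==1.4.2", "durabletask 1.4.2" (pip list) and
# "durabletask-1.4.2-py3-none-any.whl" (install logs); a digit must follow the separator.
INLINE = re.compile(r"(?i)(?<![\w.-])durabletask(?:\[[^\]]*\])?\s*(?:===?|[-_])?\s*(\d+(?:\.\d+)+)")
# Lock-file forms (poetry.lock, uv.lock, Pipfile.lock): name first, version on a later line.
LOCK_NAME = re.compile(r'(?i)(?:^\s*name\s*=\s*"durabletask"|"durabletask"\s*:\s*\{)')
LOCK_VER = re.compile(r'(?i)"?version"?\s*[:=]\s*"(?:==)?(\d+(?:\.\d+)+)')

def find_bad_pins(text):
    """Return [(line_no, version)] for every reference to a malicious release."""
    hits, pending = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if LOCK_NAME.search(line):
            pending = True  # the next version key belongs to durabletask
            continue
        if line.lstrip().startswith(("[[", "name")):
            pending = False  # a different lock-file entry has started
        m = (LOCK_VER if pending else INLINE).search(line)
        if m:
            pending = False
        if m and m.group(1) in BAD_VERSIONS:
            hits.append((no, m.group(1)))
    return hits

def find_artifacts(patterns=ARTIFACTS):
    """Return existing paths matching the file indicators (current user's home only)."""
    return sorted(p for pat in patterns for p in glob.glob(str(Path(pat).expanduser())))

# Constructed sample: install-log line, poetry.lock entry, clean pin, unrelated package.
SAMPLE = '''Successfully installed durabletask-1.4.2 grpcio-1.70.0
[[package]]
name = "durabletask"
version = "1.4.3"
durabletask==1.4.0
durabletask-example==1.4.1
'''

if __name__ == "__main__":
    texts = {p: Path(p).read_text(errors="replace") for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    for name, text in texts.items():
        for no, ver in find_bad_pins(text):
            print(f"{name}:{no}: durabletask {ver}")
    for path in find_artifacts():
        print(f"artifact present: {path}")
```

Unpinned ranges such as `durabletask>=1.4.0` are not flagged because the installed version cannot be read from them; run the scan over resolved lock files and CI install logs as well, and repeat the artifact check for every user account on the host.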

Long-term, experts recommend tightening GitHub Actions security and adopting stronger package security practices to reduce the blast radius of future supply chain attacks.
