ITnews

Mini Shai-Hulud worm injects disk wiper into Microsoft Azure PyPI package


Supply chain attacks with Dune sci-fi saga branding continue to spread across the open-source ecosystem, with a Microsoft package being among the latest targets of worm-like malware that steals credentials and carries destructive capabilities, security researchers say.



Security vendor Aikido said it had found three malicious versions of Microsoft’s Python package for the Durable Task Framework, which is a workflow orchestration library for Microsoft Azure.

The durabletask package versions 1.4.1, 1.4.2 and 1.4.3 on the PyPI Python package repository contain a Linux-only payload that silently fetches further malicious code, including a disk wiper.

The payload triggers when the malware’s primary command and control (C2) host is reachable, activating a roulette.py script that can install persistence on the victim’s machine or wipe disks with the rm -rf /* file and directory removal command, Aikido said in its analysis.

Aikido said the wiper module checks for Israeli or Iranian system settings by looking for language, time zone and local time information.

If that data matches, the malware performs a Russian roulette-style revolver chamber spin; on a one-in-six roll it first plays a RunForCover.mp3 audio file it has downloaded, with the system volume set to 100 percent, and then executes the disk wipe.

The Mini Shai-Hulud worm tries to steal a large number of credentials from password managers, targeting 1Password, Bitwarden and others.

In addition, it reads over 90 hardcoded paths to credential files for services such as Amazon Web Services, and also goes after artificial intelligence (AI) tool configurations.

If that wasn’t enough, the worm targets Docker, AWS, Microsoft Azure, Google Cloud Platform, Kubernetes and HashiCorp Vault, Aikido noted.

The worm spreads along two paths, via AWS and via Kubernetes, attempting to propagate to further non-Windows environments.

The worm employs a novel resilience technique: a GitHub-based dead drop, located by searching the commit application programming interface (API) for the string FIRESCALE.

Matching, signed commits are then inspected for Base64-encoded links the attacker has published, yielding a new uniform resource locator (URL) path.

“The GitHub search API becomes a censorship-resistant, cryptographically authenticated fallback channel. If the primary C2 domain gets seized or sinkholed, the attacker can resume operations by making a single public commit anywhere on GitHub,” Aikido wrote.

Aikido said the attack “smells of more TeamPCP shenanigans”, but stopped short of attributing it to the very active code supply chain hacking group, which uses Dune-themed terminology whenever possible.

However, the worm contains a Russian-locale kill switch, Russian folklore names, and payload architecture and campaign infrastructure similar to earlier TeamPCP attacks.

Prior to the attack on durabletask, Mini Shai-Hulud was used to compromise the TanStack web application stack packages last week, and it also featured a disk wiper for users’ home directories.

In that attack, security researchers warned users to be careful when revoking compromised tokens, as the payload installed a dead-man’s switch.

The switch polls the token every 60 seconds, and if it finds it has been revoked, runs rm -rf ~/ to delete the user’s home directory.

Users with infected systems must disable the dead-man’s switch before revoking tokens, or they could inadvertently trigger data loss on their systems.
