{"id":"PYSEC-2026-207","summary":"durabletask 1.4.1, 1.4.2, and 1.4.3 contain malicious code distributed via a compromised maintainer account","details":"`durabletask` versions 1.4.1, 1.4.2, and 1.4.3 were published on 2026-05-19 within a\n35-minute window through a compromised PyPI maintainer account and contained\nmalicious code.\n\nOn import, the package fetched a remote payload (`rope.pyz`) from an\nattacker-controlled host and executed it.\nThe payload was a credential-theft framework that interrogated cloud instance metadata\n(AWS/Azure/GCP) and secret stores, harvested Kubernetes service-account tokens,\nHashiCorp Vault tokens, and credentials from known filesystem paths,\nand attempted to brute-force password manager vaults.\nAnything obtained was exfiltrated to command-and-control infrastructure\nwith a GitHub dead-drop fallback.\nIt established persistence via a systemd unit (`pgsql-monitor.service`)\nand included a geo-targeted destructive wiper.\n\nIndicators of compromise:\n- Dropped payload: rope.pyz\n  (sha256 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce)\n- Primary C2: check.git-service[.]com (160.119.64.3)\n- Secondary C2: t.m-kosche[.]com (185.95.159.32)\n- Persistence unit: pgsql-monitor.service\n\nThe affected releases have been removed from PyPI.\nThe known-good versions remain available.\n`durabletask` version 1.5.0 has been released by the maintainers.\n\nThis campaign is likely attributable to the threat actor tracked as\nTeamPCP, based on shared infrastructure and payload overlap with prior\nsupply chain compromises (including the @antv and guardrails-ai waves).\n","aliases":["MAL-2026-4174"],"modified":"2026-06-10T08:30:05.379336518Z","published":"2026-06-09T19:34:23Z","references":[{"type":"REPORT","url":"https://github.com/microsoft/durabletask-python/issues/137"},{"type":"ARTICLE","url":"https://safedep.io/malicious-durabletask-pypi-supply-chain-attack"},{"type":"ARTICLE","url":"https://bad-packages.kam193.eu/pypi/campaign/2026-05-compr-durabletask"},{"type":"ARTICLE","url":"https://www.upwind.io/feed/newly-discovered-durabletask-malware-targeted-kubernetes-cloud-secrets-and-ci-cd-infrastructure"},{"type":"ARTICLE","url":"https://www.aikido.dev/blog/durabletask-package-compromised-mini-shai-hulud"},{"type":"ARTICLE","url":"https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack"},{"type":"PACKAGE","url":"https://pypi.org/project/durabletask/"}],"affected":[{"package":{"name":"durabletask","ecosystem":"PyPI","purl":"pkg:pypi/durabletask"},"versions":["1.4.1","1.4.2","1.4.3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/durabletask/PYSEC-2026-207.yaml"}}],"schema_version":"1.7.5","credits":[{"name":"Vipyr Security","contact":["https://vipyrsec.com/"],"type":"REPORTER"},{"name":"Mike Fiedler","type":"COORDINATOR"}]}