PYSEC-2026-207

Vulnerability from pysec - Published: - Updated: 2026-06-09 19:34
VLAI
Details

durabletask versions 1.4.1, 1.4.2, and 1.4.3 were published on 2026-05-19 within a 35-minute window through a compromised PyPI maintainer account and contained malicious code.

On import, the package fetched a remote payload (rope.pyz) from an attacker-controlled host and executed it. The payload was a credential-theft framework that interrogated cloud instance metadata (AWS/Azure/GCP) and secret stores, harvested Kubernetes service-account tokens, HashiCorp Vault tokens, and credentials from known filesystem paths, attempted to brute-force password manager vaults. Anything obtained was exfiltrated to command-and-control infrastructure with a GitHub dead-drop fallback. It established persistence via a systemd unit (pgsql-monitor.service) and included a geo-targeted destructive wiper.

Indicators of compromise: - Dropped payload: rope.pyz (sha256 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce) - Primary C2: check.git-service[.]com (160.119.64.3) - Secondary C2: t.m-kosche[.]com (185.95.159.32) - Persistence unit: pgsql-monitor.service

The affected releases have been removed from PyPI. The known-good versions remain available. durabletask version 1.5.0 has been released by the maintainers.

This campaign is likely attributable to the threat actor tracked as TeamPCP, based on shared infrastructure and payload overlap with prior supply chain compromises (including the @antv and guardrails-ai waves).

Impacted products
Name purl
durabletask pkg:pypi/durabletask
Aliases
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "durabletask",
        "purl": "pkg:pypi/durabletask"
      },
      "versions": [
        "1.4.1",
        "1.4.2",
        "1.4.3"
      ]
    }
  ],
  "aliases": [
    "MAL-2026-4174"
  ],
  "credits": [
    {
      "contact": [
        "https://vipyrsec.com/"
      ],
      "name": "Vipyr Security",
      "type": "REPORTER"
    },
    {
      "name": "Mike Fiedler",
      "type": "COORDINATOR"
    }
  ],
  "details": "`durabletask` versions 1.4.1, 1.4.2, and 1.4.3 were published on 2026-05-19 within a\n35-minute window through a compromised PyPI maintainer account and contained\nmalicious code.\n\nOn import, the package fetched a remote payload (`rope.pyz`) from an\nattacker-controlled host and executed it.\nThe payload was a credential-theft framework that interrogated cloud instance metadata\n(AWS/Azure/GCP) and secret stores, harvested Kubernetes service-account tokens,\nHashiCorp Vault tokens, and credentials from known filesystem paths,\nattempted to brute-force password manager vaults.\nAnything obtained was exfiltrated to command-and-control infrastructure\nwith a GitHub dead-drop fallback.\nIt established persistence via a systemd unit (`pgsql-monitor.service`)\nand included a geo-targeted destructive wiper.\n\nIndicators of compromise:\n- Dropped payload: rope.pyz\n  (sha256 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce)\n- Primary C2: check.git-service[.]com (160.119.64.3)\n- Secondary C2: t.m-kosche[.]com (185.95.159.32)\n- Persistence unit: pgsql-monitor.service\n\nThe affected releases have been removed from PyPI.\nThe known-good versions remain available.\n`durabletask` version 1.5.0 has been released by the maintainers.\n\nThis campaign is likely attributable to the threat actor tracked as\nTeamPCP, based on shared infrastructure and payload overlap with prior\nsupply chain compromises (including the @antv and guardrails-ai waves).\n",
  "id": "PYSEC-2026-207",
  "modified": "2026-06-09T19:34:23Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://github.com/microsoft/durabletask-python/issues/137"
    },
    {
      "type": "ARTICLE",
      "url": "https://safedep.io/malicious-durabletask-pypi-supply-chain-attack"
    },
    {
      "type": "ARTICLE",
      "url": "https://bad-packages.kam193.eu/pypi/campaign/2026-05-compr-durabletask"
    },
    {
      "type": "ARTICLE",
      "url": "https://www.upwind.io/feed/newly-discovered-durabletask-malware-targeted-kubernetes-cloud-secrets-and-ci-cd-infrastructure"
    },
    {
      "type": "ARTICLE",
      "url": "https://www.aikido.dev/blog/durabletask-package-compromised-mini-shai-hulud"
    },
    {
      "type": "ARTICLE",
      "url": "https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack"
    },
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/durabletask/"
    }
  ],
  "summary": "durabletask 1.4.1, 1.4.2, and 1.4.3 contain malicious code distributed via a compromised maintainer account"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.