Follow Cyber Kendra on Google News! | WhatsApp | Telegram

Add as a preferred source on Google
Home
Microsoft
Security

Microsoft's durabletask Hit by TeamPCP — Your Cloud Keys Were the Target

Three versions of the official Microsoft Python workflow client were infected with a worm capable of draining AWS, Kubernetes, and password manager.
Add as preferred source

durabletask python package hacked

TeamPCP has quietly poisoned yet another trusted developer package — and this time the target was sitting inside Microsoft's own toolchain. Three consecutive releases of durabletask (v1.4.1, v1.4.2, and v1.4.3), the official Python client for Microsoft's Durable Task workflow framework, were compromised and loaded with credential-stealing malware — a direct follow-on to the group's hit on guardrails-ai just days earlier.

The Same Worm, A Sharper Payload

Security researchers at Wiz disclosed the compromise, noting that the malicious payload — dubbed rope.pyz — is an evolved version of transformers.pyz, the dropper previously deployed in the guardrails-ai attack on May 11. 

The core mission hasn't changed: steal everything and move on. But the durabletask variant is notably more aggressive in where it injects, spreading its hooks across task.py, entities/__init__.py, extensions/__init__.py, and payload/__init__.py — giving it more entry paths than the earlier version. The C2 (command-and-control) server has also shifted from a raw IP address to check.gitservice.com, with a fallback to t.m-kosche.com, and SSL verification is now enabled — a sign the operation is maturing.

What Gets Stolen — And How It Spreads

The worm's credential sweep is comprehensive by design. Once executed on a Linux host, it goes after AWS IAM keys, Azure and GCP service account tokens, Kubernetes service account credentials, HashiCorp Vault tokens, filesystem passwords, and the contents of your shell history files (.bash_history, .zsh_history). If you store credentials in Bitwarden, 1Password, or pass/gopass, the payload attempts to brute-force unlock them using passwords it harvests along the way.

What makes this variant especially dangerous is its lateral movement. After infection, the worm actively scans for AWS SSM-reachable instances (Amazon's remote management service) and Kubernetes clusters, then propagates itself to up to five additional targets per compromised host. In a shared CI/CD environment or a cloud cluster, that ceiling can still translate to dozens of machines from a single install event.

"These packages are likely to be installed in local developer environments, CI jobs, release workflows, and internal build systems — where git tokens, cloud credentials, Kubernetes service account tokens, and deployment secrets live." — Wiz Threat Intelligence

⚡ Immediate Action Required— If your environment installed durabletask v1.4.1, v1.4.2, or v1.4.3, treat the host as fully compromised. Rotate all cloud credentials immediately and check for the infection marker at ~/.cache/.sysupdate-check. 

Part of a Relentless 2026 Campaign

The durabletask compromise doesn't exist in isolation. TeamPCP — also tracked as PCPcat, ShellForce, and DeadCatx3 — has been running supply chain operations since at least September 2025, gaining notoriety following the React2Shell campaign that exploited cloud environments. 

Through early 2026, the group cascaded through Trivy, Checkmarx KICS, LiteLLM, and Telnyx before pivoting to the Mini Shai-Hulud npm and PyPI wave that poisoned over 400 packages in a single night in mid-May. The guardrails-ai infection on May 11 served as the direct precursor to the durabletask attack — the group reusing and refining the same payload architecture each time.

What makes TeamPCP analytically notable is the architectural decision to chain multiple compromises sequentially — where each foothold yields the specific credentials needed to compromise the next target. This isn't spray-and-pray malware. Each package is chosen because it lives in a sensitive part of a development pipeline.

What Security Teams Must Do Now

  1. Find the exposure: Search lockfiles and CI logs for durabletask versions 1.4.1, 1.4.2, or 1.4.3. Look for /tmp/managed.pyz or /tmp/rope-*.pyz on Linux hosts.
  2. Check for execution: The infection marker lives at ~/.cache/.sysupdate-check (general) and ~/.cache/.sysupdate-check-k8s (Kubernetes). Its presence confirms the payload ran.
  3. Rotate everything: AWS IAM credentials, Azure service principals, GCP service accounts, Kubernetes service accounts, Vault tokens, and any passwords that lived in Bitwarden, 1Password, or shell history. Treat all of these as already exfiltrated.
  4. Audit SSM and Kubernetes: Check CloudTrail for SSM:SendCommand and SSM:DescribeInstanceInformation calls. Review Kubernetes audit logs for unexpected kubectl exec activity.
  5. Block C2 infrastructure: At DNS or proxy level, block check.gitservice.com and t.m-kosche.com, and outbound connections to the exfil endpoints /v1/models, /audio.mp3, and /api/public/version.
  6. Enforce lockfile hashes: Going forward, validate every PyPI package against known-good hashes. A compromised publishing token — not a vulnerability in your code — is all it takes for the next wave.

The clean versions of durabletask (v1.4.0 and below) are unaffected. Given TeamPCP's cadence in 2026, this will not be the last package to carry rope.pyz — the question is which trusted dependency gets hollowed out next.

Post a Comment