Cybercrime

TeamPCP Poisons Microsoft’s Official Python DurableTask SDK — Multi-Cloud Credential Worm Hits PyPI

dark6 27 May 2026
Read Time:3 Minute, 48 Second

The TeamPCP threat group — also tracked as PCPcat and DeadCatx3 — has struck again, this time targeting durabletask, the official Microsoft Python client for the Durable Task workflow execution framework. Security researchers at Wiz disclosed that versions v1.4.1, v1.4.2, and v1.4.3 of the package were compromised and contained a worm-like malware payload capable of stealing multi-cloud credentials and propagating laterally across cloud infrastructure. PyPI has since quarantined all three versions following Wiz’s analysis.

A Campaign That Never Stops

TeamPCP has been one of the most relentlessly active supply chain threat actors of 2026. Their campaign, codenamed Mini Shai-Hulud, began in early March with the compromise of Aqua Security’s Trivy scanner and cascaded to Checkmarx GitHub Actions, LiteLLM, Telnyx, and dozens of npm packages. Most recently, the group compromised more than 300 packages across the @antv npm ecosystem on May 19, 2026 — just one day before this latest attack on Microsoft’s Python SDK was reported.

The durabletask attack was traced back to the previously reported @antv wave. A GitHub user account implicated in that wave was identified as having also targeted the microsoft/durabletask-python repository, with attack activity logged between 15:08 UTC and 15:16 UTC on May 19. During this window, the attacker carefully copied the latest legitimate commit message from the main branch to disguise malicious activity.

How the Attack Worked

The attacker had already compromised the victim GitHub account through an earlier operation and had subsequently dumped GitHub Secrets from repositories accessible to that account. Among those secrets was a PyPI publishing token, which granted the ability to push malicious releases to the official PyPI registry — bypassing code review entirely.

The dropped malware, named rope.pyz, is a direct evolution of the transformers.pyz payload used in the earlier guardrails-ai compromise. The payload targets Linux systems only and injects itself across multiple entry points within the package:

  • task.py
  • entities/__init__.py
  • extensions/__init__.py
  • payload/__init__.py

This multi-path injection strategy gives the malware more execution opportunities than prior versions, making it more reliable in triggering on diverse developer environments.

Massive Credential Theft Capabilities

Once triggered, the malware performs a sweeping credential theft operation, targeting credentials across virtually every major cloud platform and secrets management tool:

  • AWS IAM credentials, Azure service accounts, and GCP tokens
  • Kubernetes service accounts and HashiCorp Vault tokens
  • Bitwarden, 1Password, and pass/gopass vaults (brute-forced using harvested passwords)
  • Shell history files (.bash_history, .zsh_history) for additional secrets

After stealing credentials, the worm propagates via AWS SSM and Kubernetes lateral movement, spreading to up to five additional targets per infected host. This self-spreading behavior makes it particularly dangerous in cloud-native environments where multiple teams share infrastructure.

Evolving Infrastructure

The C2 infrastructure has also matured compared to earlier Mini Shai-Hulud waves, shifting from raw IP addresses to domain-based servers (check.git-service.com with backup t.m-kosche.com), with SSL verification now enabled. This suggests the group is actively refining their operational security to avoid detection and infrastructure takedowns.

Indicators of Compromise

Organizations using the durabletask Python package should immediately check for the following indicators of compromise:

  • Package versions v1.4.1, v1.4.2, or v1.4.3 in lockfiles or CI logs
  • File /tmp/rope-*.pyz on Linux hosts
  • Directory ~/.cache/.sys-update-check or ~/.cache/.sys-update-check-k8s
  • Running python3 /tmp/managed.pyz processes
  • Outbound DNS or HTTP traffic to check.git-service.com or t.m-kosche.com

Immediate Response Steps

Wiz Research, which shared their findings with Cyber Security News, has recommended the following immediate steps for security teams:

  • Audit immediately: Check lockfiles and CI logs for affected durabletask versions and look for /tmp/rope-*.pyz on Linux hosts.
  • Rotate all credentials: AWS IAM keys, Azure credentials, GCP tokens, Kubernetes service accounts, Vault tokens, and any passwords stored in password managers should be treated as compromised.
  • Review AWS SSM and Kubernetes activity: Check CloudTrail for SSM:SendCommand calls and Kubernetes audit logs for unexpected kubectl exec activity.
  • Block C2 infrastructure: Deny DNS and proxy access to check.git-service.com and t.m-kosche.com.

The compromised packages have been removed from PyPI, but any developer or CI/CD pipeline that installed the affected versions between May 19 and May 20, 2026 should assume a full compromise and take immediate remediation steps. This incident underscores the urgent need for package integrity verification, strict token management, and audit logging in all modern software supply chains.

Leave a Reply

💬 [[ unisciti alla discussione! ]]


Se vuoi commentare su TeamPCP Poisons Microsoft’s Official Python DurableTask SDK — Multi-Cloud Credential Worm Hits PyPI, utilizza la discussione sul Forum.
Condividi esempi, IOCs o tecniche di detection efficaci nel nostro 👉 forum community