TeamPCP Compromises PyPi Package durabletask

On May 19, 2026, Wiz reported that TeamPCP compromised the official Microsoft Python client for the Durable Task workflow execution framework, durabletask, specifically versions 1.4.1, 1.4.2, and 1.4.3. This supply chain attack involves a malicious payload similar to previous TeamPCP compromises. Upon execution, the payload targets a wide array of cloud credentials including those for AWS, Azure, GCP, Kubernetes, and Vault. It also attempts to brute-force passwords stored in Bitwarden, 1Password, and pass/gopass, and exfiltrates sensitive shell history files. This campaign matters because it allows attackers to gain unauthorized access to cloud infrastructure, escalate privileges, and potentially compromise entire environments. The worm can propagate to up to 5 targets per infected host.

Attack Chain

1. A developer or system administrator installs a compromised version (1.4.1, 1.4.2, or 1.4.3) of the durabletask PyPi package.
2. The compromised package executes malicious code from __init__.py or task.py (depending on the durabletask version) which downloads a payload, either transformers.pyz or rope.pyz, to /tmp/managed.pyz or /tmp/rope-*.pyz.
3. A Python interpreter executes the downloaded payload using python3 /tmp/managed.pyz.
4. The managed.pyz payload attempts to steal credentials for AWS, Azure, GCP, Kubernetes, and Vault, as well as passwords stored in Bitwarden, 1Password, and pass/gopass.
5. The payload also attempts to brute-force unlock password managers using harvested passwords from environment variables and shell history (.bash_history, .zsh_history).
6. The payload exfiltrates collected credentials and shell history to the C2 server via endpoints like /api/public/version.
7. The malware attempts to propagate laterally to other systems (up to 5 targets per host) via AWS SSM (using SSM:SendCommand and SSM:DescribeInstanceInformation) and Kubernetes (using kubectl exec).
8. Persistence is established by creating an infection marker file, either ~/.cache/.sys-update-check (AWS/general) or ~/.cache/.sys-update-check-k8s (Kubernetes).

Impact

This supply chain attack allows TeamPCP to steal sensitive credentials for major cloud platforms (AWS, Azure, GCP), container orchestration systems (Kubernetes), and secrets management tools (Vault). The attackers also attempt to compromise password managers, and exfiltrate shell history for further reconnaissance. The malware propagates laterally to up to 5 targets per infected host, potentially leading to widespread compromise within an organization’s cloud infrastructure. Success allows the attackers to steal data, escalate privileges, and deploy ransomware.

Recommendation

• Search lockfiles and CI logs for durabletask versions 1.4.1, 1.4.2, or 1.4.3 to identify potential exposure.
• Look for /tmp/managed.pyz or /tmp/rope-*.pyz on Linux systems as indicators of downloaded payloads (IOC filepath).
• Search for the infection marker ~/.cache/.sys-update-check or ~/.cache/.sys-update-check-k8s on affected systems to confirm payload execution (IOC filepath).
• Block the C2 domains check.git-service.com and t.m-kosche.com at the DNS/proxy level (IOC domain).
• Monitor process creation events for python3 /tmp/managed.pyz to identify running malicious payloads, and deploy the Sigma rule provided below (rule: Detect Suspicious Python Payload Execution).
• Monitor network connections for outbound traffic to the exfil endpoints /v1/models, /audio.mp3, and /api/public/version (IOC url).