{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/durabletask-1.4.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["TeamPCP"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["durabletask (1.4.1)","durabletask (1.4.2)","durabletask (1.4.3)"],"_cs_severities":["high"],"_cs_tags":["supply-chain","credential-theft","pypi"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn May 19, 2026, Wiz reported that TeamPCP compromised the official Microsoft Python client for the Durable Task workflow execution framework, durabletask, specifically versions 1.4.1, 1.4.2, and 1.4.3. This supply chain attack involves a malicious payload similar to previous TeamPCP compromises. Upon execution, the payload targets a wide array of cloud credentials including those for AWS, Azure, GCP, Kubernetes, and Vault. It also attempts to brute-force passwords stored in Bitwarden, 1Password, and pass/gopass, and exfiltrates sensitive shell history files. This campaign matters because it allows attackers to gain unauthorized access to cloud infrastructure, escalate privileges, and potentially compromise entire environments. The worm can propagate to up to 5 targets per infected host.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer or system administrator installs a compromised version (1.4.1, 1.4.2, or 1.4.3) of the \u003ccode\u003edurabletask\u003c/code\u003e PyPI package.\u003c/li\u003e\n\u003cli\u003eThe compromised package executes malicious code from \u003ccode\u003e__init__.py\u003c/code\u003e or \u003ccode\u003etask.py\u003c/code\u003e (depending on the durabletask version) which downloads a payload, either \u003ccode\u003etransformers.pyz\u003c/code\u003e or \u003ccode\u003erope.pyz\u003c/code\u003e, to \u003ccode\u003e/tmp/managed.pyz\u003c/code\u003e or \u003ccode\u003e/tmp/rope-*.pyz\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA Python interpreter executes the downloaded payload using \u003ccode\u003epython3 /tmp/managed.pyz\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emanaged.pyz\u003c/code\u003e payload attempts to steal credentials for AWS, Azure, GCP, Kubernetes, and Vault, as well as passwords stored in Bitwarden, 1Password, and pass/gopass.\u003c/li\u003e\n\u003cli\u003eThe payload also attempts to brute-force unlock password managers using harvested passwords from environment variables and shell history (.bash_history, .zsh_history).\u003c/li\u003e\n\u003cli\u003eThe payload exfiltrates collected credentials and shell history to the C2 server via endpoints like \u003ccode\u003e/api/public/version\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malware attempts to propagate laterally to other systems (up to 5 targets per host) via AWS SSM (using \u003ccode\u003eSSM:SendCommand\u003c/code\u003e and \u003ccode\u003eSSM:DescribeInstanceInformation\u003c/code\u003e) and Kubernetes (using \u003ccode\u003ekubectl exec\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePersistence is established by creating an infection marker file, either \u003ccode\u003e~/.cache/.sys-update-check\u003c/code\u003e (AWS/general) or \u003ccode\u003e~/.cache/.sys-update-check-k8s\u003c/code\u003e (Kubernetes).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack allows TeamPCP to steal sensitive credentials for major cloud platforms (AWS, Azure, GCP), container orchestration systems (Kubernetes), and secrets management tools (Vault). The attackers also attempt to compromise password managers, and exfiltrate shell history for further reconnaissance. The malware propagates laterally to up to 5 targets per infected host, potentially leading to widespread compromise within an organization\u0026rsquo;s cloud infrastructure. Success allows the attackers to steal data, escalate privileges, and deploy ransomware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSearch lockfiles and CI logs for \u003ccode\u003edurabletask\u003c/code\u003e versions 1.4.1, 1.4.2, or 1.4.3 to identify potential exposure.\u003c/li\u003e\n\u003cli\u003eLook for \u003ccode\u003e/tmp/managed.pyz\u003c/code\u003e or \u003ccode\u003e/tmp/rope-*.pyz\u003c/code\u003e on Linux systems as indicators of downloaded payloads (IOC filepath).\u003c/li\u003e\n\u003cli\u003eSearch for the infection marker \u003ccode\u003e~/.cache/.sys-update-check\u003c/code\u003e or \u003ccode\u003e~/.cache/.sys-update-check-k8s\u003c/code\u003e on affected systems to confirm payload execution (IOC filepath).\u003c/li\u003e\n\u003cli\u003eBlock the C2 domains \u003ccode\u003echeck.git-service.com\u003c/code\u003e and \u003ccode\u003et.m-kosche.com\u003c/code\u003e at the DNS/proxy level (IOC domain).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003epython3 /tmp/managed.pyz\u003c/code\u003e to identify running malicious payloads, and deploy the Sigma rule provided below (rule: \u003ccode\u003eDetect Suspicious Python Payload Execution\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor network connections for outbound traffic to the exfil endpoints \u003ccode\u003e/v1/models\u003c/code\u003e, \u003ccode\u003e/audio.mp3\u003c/code\u003e, and \u003ccode\u003e/api/public/version\u003c/code\u003e (IOC url).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T18:21:44Z","date_published":"2026-05-19T18:21:44Z","id":"https://feed.craftedsignal.io/briefs/2026-05-teampcp-durabletask/","summary":"TeamPCP compromised the PyPI package durabletask (versions 1.4.1, 1.4.2, and 1.4.3), stealing credentials for AWS, Azure, GCP, K8s, and Vault, brute-forcing passwords from password managers, and exfiltrating shell history before propagating to up to 5 targets via AWS SSM and Kubernetes.","title":"TeamPCP Compromises PyPI Package durabletask","url":"https://feed.craftedsignal.io/briefs/2026-05-teampcp-durabletask/"}],"language":"en","title":"CraftedSignal Threat Feed — Durabletask (1.4.3)","version":"https://jsonfeed.org/version/1.1"}