Industry News & Leadership · May 20, 2026

Microsoft Python Client DurableTask Compromised by TeamPCP Hackers

Cyber Security News · Archived May 20, 2026




By Abinaya · May 20, 2026

Three consecutive releases of Microsoft's official Python workflow SDK were poisoned with a multi-cloud credential-stealing worm, continuing the group's relentless 2026 supply chain campaign.

The TeamPCP threat group has struck again, this time targeting durabletask, the official Microsoft Python client for the Durable Task workflow execution framework. Security researchers at Wiz disclosed that versions v1.4.1, v1.4.2, and v1.4.3 of the package were compromised and contained a worm-like malware payload. PyPI has since quarantined all three versions following Wiz's analysis.

TeamPCP Hacks DurableTask Client

TeamPCP (also tracked as PCPcat and DeadCatx3) has been one of the most active supply chain threat actors of 2026. Their campaign, codenamed Mini Shai-Hulud, began in early March with the compromise of Aqua Security's Trivy scanner, then cascaded to Checkmarx GitHub Actions, LiteLLM, Telnyx, and dozens of npm packages. Most recently, the group compromised more than 300 packages across the @antv npm ecosystem on May 19, 2026.

Wiz Research said in a report shared with Cyber Security News that the durabletask attack occurred just days after the group compromised guardrails-ai on May 11, with the infection chain traced back to the previously reported @antv wave. A GitHub user account implicated in that wave was identified as having also targeted the microsoft/durabletask-python repository, with attack activity logged between 15:08 UTC and 15:16 UTC.

[Figure: GitHub account targeting the microsoft/durabletask-python repository between 15:08 UTC and 15:16 UTC (source: Wiz)]

During this window, the attacker copied the latest legitimate commit message from the main branch to disguise the malicious activity.
The attacker had compromised the GitHub account in an earlier operation, then dumped GitHub Secrets from the repositories that account had access to. Among those secrets was a PyPI publishing token, which gave the attacker the ability to push malicious releases directly to the official PyPI registry, bypassing code review entirely.

The dropped malware, rope.pyz, is a direct evolution of the transformers.pyz payload used in the guardrails-ai compromise. The payload targets Linux systems only and injects itself into multiple entry points of the package (task.py, entities/__init__.py, extensions/__init__.py, and payload/__init__.py), giving it more execution paths than prior versions.

Once triggered, the malware performs a sweeping credential theft operation, targeting:

- AWS IAM credentials, Azure service accounts, and GCP tokens.
- Kubernetes service accounts and HashiCorp Vault tokens.
- Bitwarden, 1Password, and pass/gopass vaults, which the malware attempts to unlock by brute force using harvested passwords.
- Shell history files (.bash_history, .zsh_history) for additional secrets.

The worm then propagates via AWS SSM and Kubernetes lateral movement, spreading to up to five additional targets per infected host. The C2 infrastructure has also matured, shifting from a raw IP address to domain-based servers (check.git-service[.]com, with t.m-kosche[.]com as backup), with TLS (SSL) certificate verification now enabled on the C2 connection.

Indicators of Compromise:

Type                            Indicator
C2 Domain (Primary)             check.git-service[.]com
C2 Domain (Secondary)           t.m-kosche[.]com
Payload File                    /tmp/rope-*.pyz
Infection Marker (General)      ~/.cache/.sys-update-check
Infection Marker (K8s)          ~/.cache/.sys-update-check-k8s
SHA-256 (rope.pyz)              069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce
SHA-256 (durabletask-1.4.1.whl) 7d80b3ef74ad7992b93c31966962612e4e2ceb93e7727cdbd1d2a9af47d44ba8
Legacy C2 IP                    83.142.209[.]194

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
What Security Teams Must Do Now:

- Search immediately: Audit lockfiles and CI logs for durabletask versions 1.4.1, 1.4.2, or 1.4.3. Check for /tmp/rope-*.pyz on Linux hosts.
- Check infection markers: Look for the ~/.cache/.sys-update-check marker (and ~/.cache/.sys-update-check-k8s on Kubernetes nodes) and for running python3 /tmp/managed.pyz processes to confirm payload execution.
- Rotate all credentials: AWS IAM keys, Azure and GCP credentials, Kubernetes service account tokens, Vault tokens, and any passwords stored in Bitwarden, 1Password, or pass/gopass should be treated as compromised.
- Audit AWS SSM and Kubernetes: Review CloudTrail for ssm:SendCommand calls (SendCommand events from the ssm.amazonaws.com event source) and Kubernetes audit logs for unexpected kubectl exec activity.
- Block C2 infrastructure: Deny DNS and proxy access to check.git-service[.]com and t.m-kosche[.]com, and block outbound requests to the C2 URL paths /v1/models, /audio.mp3, and /api/public/version.
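As an added worked example (not code from the article, from Wiz, or from the durabletask project), the Python script below automates the search and marker checks from the steps above on a Linux host. It scans requirements files, pip freeze output, poetry.lock/uv.lock entries and pip install log lines for the three compromised versions; looks for the dropped archive under /tmp and hashes it against the two SHA-256 values in the IoC table; checks both infection markers under a home directory; and walks /proc for a python process executing /tmp/managed.pyz or a rope-*.pyz archive. The lockfile and log formats it parses, the /proc-based process check, and the use of /tmp and the current user's home directory as default locations are assumptions of this example; the indicator values themselves are the ones the article lists.

```python
"""Triage helper for the durabletask 1.4.1-1.4.3 compromise (Linux hosts).

Added example, not code from the article, Wiz or Microsoft. Indicator values
come from the article's IoC table; paths and lockfile formats are assumptions.
"""
import hashlib
import os
import re
from pathlib import Path
from typing import Optional

COMPROMISED_VERSIONS = {"1.4.1", "1.4.2", "1.4.3"}

# SHA-256 values listed in the article's IoC table.
IOC_HASHES = {
    "069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce": "rope.pyz",
    "7d80b3ef74ad7992b93c31966962612e4e2ceb93e7727cdbd1d2a9af47d44ba8": "durabletask-1.4.1.whl",
}

# Infection markers, relative to a user's home directory (file or directory).
INFECTION_MARKERS = (".cache/.sys-update-check", ".cache/.sys-update-check-k8s")

# Payload file names from the article: the dropped archive and the executed copy.
PAYLOAD_GLOBS = ("rope-*.pyz", "managed.pyz")

# Matches "python3 /tmp/managed.pyz" or "python3 /tmp/rope-<id>.pyz" command lines.
_PAYLOAD_PROC = re.compile(r"python[\d.]*\s.*(?:/tmp/managed\.pyz|/tmp/rope-\S*\.pyz)")

_VERSION_PATTERNS = (
    # requirements.txt / pip freeze: durabletask==1.4.2 (PyPI names are case-insensitive)
    re.compile(r"^\s*durabletask\s*==+\s*(\d+\.\d+\.\d+)", re.I | re.M),
    # poetry.lock / uv.lock TOML entries: name = "durabletask" followed by version = "1.4.1"
    re.compile(r'name\s*=\s*"durabletask"\s*\n\s*version\s*=\s*"(\d+\.\d+\.\d+)"', re.I),
    # CI logs and wheel names: "Successfully installed durabletask-1.4.3", durabletask-1.4.1-py3-none-any.whl
    re.compile(r"\bdurabletask[-_](\d+\.\d+\.\d+)\b", re.I),
)


def find_compromised_versions(text: str) -> list[str]:
    """Compromised durabletask versions referenced in a lockfile, requirements file or CI log."""
    found: set[str] = set()
    for pattern in _VERSION_PATTERNS:
        found.update(pattern.findall(text))
    return sorted(found & COMPROMISED_VERSIONS)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so a large payload archive need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_payload_files(tmp: Path = Path("/tmp"), known: dict = IOC_HASHES) -> list[dict]:
    """Find dropped payload archives under tmp and hash each against the IoC list.
    A hit with known_as=None is still a hit: the file name alone is an indicator."""
    hits = []
    for pattern in PAYLOAD_GLOBS:
        for p in sorted(tmp.glob(pattern)):
            if p.is_file():
                h = sha256_file(p)
                hits.append({"path": str(p), "sha256": h, "known_as": known.get(h)})
    return hits


def find_infection_markers(home: Optional[Path] = None) -> list[str]:
    """Infection markers present under a home directory (defaults to the current user's)."""
    home = home if home is not None else Path(os.path.expanduser("~"))
    return [m for m in INFECTION_MARKERS if (home / m).exists()]


def find_payload_processes(proc: Path = Path("/proc")) -> list[tuple[int, str]]:
    """Scan a Linux /proc tree for python processes executing the payload archive."""
    hits = []
    for entry in sorted(proc.iterdir()):
        if not entry.name.isdigit():  # only numeric entries are processes
            continue
        try:
            argv = (entry / "cmdline").read_bytes().split(b"\0")
        except OSError:  # process exited, or not readable without root
            continue
        cmdline = " ".join(a.decode(errors="replace") for a in argv if a)
        if _PAYLOAD_PROC.search(cmdline):
            hits.append((int(entry.name), cmdline))
    return hits


def triage_host(home: Optional[Path] = None, tmp: Path = Path("/tmp"),
                proc: Path = Path("/proc")) -> dict:
    """Run every host check; 'infected' is True if any single indicator fired."""
    report = {
        "payload_files": find_payload_files(tmp),
        "infection_markers": find_infection_markers(home),
        "payload_processes": find_payload_processes(proc),
    }
    report["infected"] = any(report.values())
    return report
```

Run find_compromised_versions() over the text of each lockfile, requirements file or CI log, and triage_host() on each Linux host (as root, so that every process command line is readable). A report with infected set to True, including a payload file whose hash is not in the table, should be treated as a confirmed compromise and followed by the credential rotation and the CloudTrail and Kubernetes audit steps above, which this script does not automate.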