Microsoft's Durabletask Package on PyPI Compromised in Major Supply Chain Attack
Key Takeaways
- Three compromised versions of Microsoft's durabletask package contain a silent dropper that executes remote payloads at import time, with no visible user indicators
- The second-stage payload is an infostealer and worm that targets cloud credentials, password managers, and developer tools with multi-cloud propagation capabilities (AWS SSM, Kubernetes)
- The attack is highly sophisticated with multiple entry points across the package and environmental checks to maximize effectiveness while avoiding detection in sandboxes
Summary
Three malicious versions of Microsoft's durabletask package (1.4.1, 1.4.2, 1.4.3) have been discovered on PyPI containing a sophisticated dropper mechanism injected directly into the Python source code. When developers install and import the library, the dropper silently fetches and executes a second-stage payload from a newly registered C2 domain (check.git-service.com), running completely undetected in a detached background process.
The second-stage payload, delivered as a Python zipapp named rope.pyz, is a full-featured infostealer and worm designed to target cloud developers. It harvests credentials from major cloud providers (AWS, Azure, GCP), password managers, and developer tools, encrypts them with an attacker-controlled RSA key, and exfiltrates them to the command and control server. The payload includes sophisticated propagation capabilities, automatically spreading to other EC2 instances via AWS Systems Manager (SSM) and to other nodes in Kubernetes clusters via kubectl exec.
The durabletask package is a Python implementation of Microsoft's Durable Task Framework, a workflow orchestration library commonly used in cloud-native environments for automation, CI/CD pipelines, and Azure-integrated workloads. The malicious dropper is Linux-only with checks to avoid execution in sandboxed environments and Russian-locale systems. The C2 domain was registered only three days before this analysis, indicating an active, ongoing, targeted campaign against infrastructure professionals with high-privilege access to enterprise cloud environments, with possible attribution to threat group TeamPCP.
Editorial Opinion
This supply chain attack represents a critical vulnerability in the Python ecosystem's package distribution infrastructure. The targeting of a workflow orchestration library used in cloud-native CI/CD and infrastructure automation is particularly dangerous, as compromised credentials could grant attackers broad access to enterprise cloud environments. The sophisticated payload design—including multi-cloud propagation, credential harvesting, and environment-aware operational security—indicates this is a well-resourced operation with substantial expertise. Organizations using the affected durabletask versions must immediately rotate all credentials that may have been exposed to these systems.
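The indicators named above (versions 1.4.1 to 1.4.3 and the domain check.git-service.com) can be checked without importing the package, which matters because the dropper runs at import time. The following is an added example, not code from the original report; the function names are illustrative and the sample requirement and log lines are constructed.

```python
import re
from importlib import metadata

# Indicators taken from the article above.
PACKAGE = "durabletask"
BAD_VERSIONS = {"1.4.1", "1.4.2", "1.4.3"}
C2_DOMAIN = "check.git-service.com"
# "name==version" pins, with optional extras, comments, markers or hashes after.
PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#\\]*)")
# The domain or a subdomain of it, but not a look-alike prefix or suffix.
C2 = re.compile(r"(?<![\w-])" + re.escape(C2_DOMAIN) + r"(?![\w-]|\.\w)", re.I)

def normalize(name):
    """PEP 503 normalization, so 'DurableTask' and 'durabletask' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def pinned_hits(lines):
    """Return (line_number, version) for each exact pin of an affected release."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = PIN.match(line)
        if m and normalize(m.group(1)) == PACKAGE and m.group(2) in BAD_VERSIONS:
            hits.append((number, m.group(2)))
    return hits

def installed_hit():
    """Read the version from installed metadata; importing would run the dropper."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return version if version in BAD_VERSIONS else None

def c2_hits(log_lines):
    """Return the DNS or proxy log lines that reference the C2 domain."""
    return [line for line in log_lines if C2.search(line)]

REQS = [  # constructed sample requirements lines
    "requests==2.32.3",
    "DurableTask==1.4.2  # pinned by CI",
    "durabletask==1.4.0",
    "durabletask-helper-example==1.4.1",
]
LOGS = [  # constructed sample log lines
    "query A check.git-service.com. client=10.0.0.5",
    "CONNECT check.git-service.com:443 client=10.0.0.7",
    "query A check.git-service.com.example.org client=10.0.0.5",
    "query A pypi.org client=10.0.0.5",
]
```

The pin scan only flags exact `==` pins; an unpinned or ranged requirement has to be resolved through `installed_hit()` in each environment where it was installed.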


