TeamPCP Poisons Microsoft durabletask PyPI Package

AI relevance: DurableTask is used in AI workflow orchestration pipelines; the poisoned payload steals cloud credentials and propagates through AWS SSM and Kubernetes — the exact infrastructure that powers AI agent deployments at scale.

  • TeamPCP (also tracked as PCPcat and DeadCatx3) compromised versions v1.4.1, v1.4.2, and v1.4.3 of Microsoft's official durabletask Python client on PyPI. All three were quarantined after Wiz analysis.
  • The attack chain traces back to the @antv npm supply-chain wave. A GitHub account used in that compromise was also found targeting microsoft/durabletask-python between 15:08–15:16 UTC, copying legitimate commit messages to mask activity.
  • The attacker dumped GitHub repository secrets to obtain a PyPI publishing token, bypassing code review and pushing malicious releases directly.
  • The malware payload rope.pyz is an evolution of the transformers.pyz used in the May 11 guardrails-ai compromise. It injects into four entry points: task.py, entities/__init__.py, extensions/__init__.py, and payload/__init__.py.
  • Targets Linux exclusively. Steals AWS IAM credentials, Azure service accounts, GCP tokens, Kubernetes service accounts, HashiCorp Vault tokens, and brute-forces Bitwarden/1Password/gopass password managers using harvested credentials.
  • Worm propagation via AWS SSM (SendCommand) and Kubernetes lateral movement (kubectl exec), spreading to up to five additional targets per infected host.
  • C2 infrastructure matured: shifted from raw IP to domain-based servers (check.git-service.com with backup t.m-kosche.com), with SSL verification now enabled — a significant operational security upgrade from prior versions.

Why it matters

This is the same Mini Shai-Hulud campaign that has already hit Aqua Security Trivy, Checkmarx GitHub Actions, LiteLLM, and 320+ @antv npm packages. Each new target demonstrates the group's ability to chain compromised credentials across ecosystems — from GitHub to npm to PyPI to cloud infrastructure. The worm's focus on AI-relevant infrastructure (Kubernetes, Vault, cloud IAM) makes every durabletask user a potential pivot point for further supply-chain compromise.

What to do

  • Audit lockfiles and CI logs for durabletask versions 1.4.1–1.4.3. Check Linux hosts for /tmp/rope-*.pyz and infection markers at ~/.cache/.sys-update-check.
  • Rotate all cloud credentials: AWS IAM keys, Azure, GCP, Kubernetes service accounts, Vault tokens, and password manager vaults.
  • Review CloudTrail for SSM:SendCommand calls and Kubernetes audit logs for unexpected kubectl exec activity.
  • Block C2 domains check.git-service.com and t.m-kosche.com at DNS/proxy level.
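A small triage helper for the checks listed above, added here as example code (it is not from the advisory or from the durabletask project). It assumes pip-style requirements/lockfile lines and CloudTrail JSON records with the standard `eventSource`/`eventName` fields; the sample inputs are constructed.

```python
import glob
import os
import re

AFFECTED = {"1.4.1", "1.4.2", "1.4.3"}  # versions named in the advisory
# Matches pins such as "durabletask==1.4.2" (a leading "v" is tolerated)
_PIN_RE = re.compile(r"^\s*durabletask\s*==\s*v?(\d+\.\d+\.\d+)", re.IGNORECASE)

def affected_pins(lockfile_text):
    """Return the affected durabletask versions pinned in requirements-style text."""
    hits = []
    for line in lockfile_text.splitlines():
        m = _PIN_RE.match(line)
        if m and m.group(1) in AFFECTED:
            hits.append(m.group(1))
    return hits

def infection_markers(home=None, tmp="/tmp"):
    """Return the on-disk artefacts the advisory lists: /tmp/rope-*.pyz
    and ~/.cache/.sys-update-check (paths are parameterised for testing)."""
    home = home or os.path.expanduser("~")
    found = glob.glob(os.path.join(tmp, "rope-*.pyz"))
    marker = os.path.join(home, ".cache", ".sys-update-check")
    if os.path.exists(marker):
        found.append(marker)
    return found

def ssm_sendcommand_events(records):
    """Filter CloudTrail records (the list under the top-level "Records" key)
    down to ssm:SendCommand calls, which the worm uses to spread."""
    return [r for r in records
            if r.get("eventSource") == "ssm.amazonaws.com"
            and r.get("eventName") == "SendCommand"]

# Constructed sample inputs, not taken from any real project or account
SAMPLE_REQUIREMENTS = "requests==2.31.0\ndurabletask==1.4.2\nazure-functions==1.18.0\n"
SAMPLE_CLOUDTRAIL = {"Records": [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-runner"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameter"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]}

if __name__ == "__main__":
    print("affected pins:", affected_pins(SAMPLE_REQUIREMENTS))
    print("markers on this host:", infection_markers())
    for ev in ssm_sendcommand_events(SAMPLE_CLOUDTRAIL["Records"]):
        print("SendCommand by", ev["userIdentity"]["arn"], "from", ev["sourceIPAddress"])
```

Run it on a real requirements.txt and unpacked CloudTrail log files; a non-empty result from any of the three functions is a reason to start the credential rotation listed above.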

Sources