TeamPCP Hackers Compromise Microsoft Python Client DurableTask

David kimber
May 20, 2026 3 Min Read

A multi-cloud credential-stealing worm infected three consecutive releases of Microsoft’s official Python workflow SDK, marking a continuation of the group’s relentless 2026 supply chain campaign.

The TeamPCP threat group has struck again, this time targeting durabletask, the official Microsoft Python client for the Durable Task workflow execution framework.

Security researchers at Wiz disclosed that versions v1.4.1, v1.4.2, and v1.4.3 of the package were compromised and contained a worm-like malware payload. PyPI has since quarantined all three versions following Wiz’s analysis.

TeamPCP Hacks DurableTask Client

TeamPCP (also tracked as PCPcat and DeadCatx3) has been one of the most active supply chain threat actors of 2026.

Their campaign, codenamed Mini Shai-Hulud, began in early March with the compromise of Aqua Security’s Trivy scanner, then cascaded to Checkmarx GitHub Actions, LiteLLM, Telnyx, and dozens of npm packages.

Most recently, the group compromised more than 300 packages across the @antv npm ecosystem on May 19, 2026.

Wiz Research said in a report shared with Cyber Security News that the durabletask attack occurred just days after the group compromised guardrails-ai on May 11, with the infection chain traced back to the previously reported @antv wave.

A GitHub user account implicated in that wave was identified as having also targeted the microsoft/durabletask-python repository, with attack activity logged between 15:08 UTC and 15:16 UTC.

GitHub account targeted the microsoft/durabletask-python repository between 15:08 UTC and 15:16 UTC (source: Wiz)

During this window, the attacker copied the latest legitimate commit message from the main branch to disguise malicious activity.

The attacker had compromised the GitHub account through an earlier operation, then dumped GitHub Secrets from repositories the account had access to.

Among those secrets was a PyPI publishing token, which granted direct ability to push malicious releases to the official PyPI registry, bypassing code review entirely.

The dropped malware, rope.pyz, is a direct evolution of transformers.pyz used in the guardrails-ai compromise.

The payload targets Linux systems only and injects itself across multiple entry points (task.py, entities/__init__.py, extensions/__init__.py, and payload/__init__.py), giving it more execution paths than prior versions.

Once triggered, the malware performs a sweeping credential theft operation, targeting:

  • AWS IAM credentials, Azure service accounts, and GCP tokens.
  • Kubernetes service accounts and HashiCorp Vault tokens.
  • Bitwarden, 1Password, and pass/gopass brute-forced using harvested passwords.
  • Shell history files (.bash_history, .zsh_history) for additional secrets.

The worm then propagates via AWS SSM and Kubernetes lateral movement, spreading to up to five additional targets per infected host.

The C2 infrastructure has also matured, shifting from raw IP to domain-based servers (check.git-service.com with backup t.m-kosche.com), with SSL verification now enabled.

Indicators of Compromise:

Type                          Indicator
C2 Domain (Primary)           check.git-service[.]com
C2 Domain (Secondary)         t.m-kosche[.]com
Payload File                  /tmp/rope-*.pyz
Infection Marker (General)    ~/.cache/.sys-update-check
Infection Marker (K8s)        ~/.cache/.sys-update-check-k8s
Hash (rope.pyz)               069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce
Hash (durabletask-1.4.1.whl)  7d80b3ef74ad7992b93c31966962612e4e2ceb93e7727cdbd1d2a9af47d44ba8
Legacy C2 IP                  83.142.209.194
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

What Security Teams Must Do Now:

  1. Search immediately: Audit lockfiles and CI logs for durabletask versions 1.4.1, 1.4.2, or 1.4.3. Check for /tmp/rope-*.pyz on Linux hosts.
  2. Check infection markers: Look for the ~/.cache/.sys-update-check directory and running python3 /tmp/managed.pyz processes to confirm payload execution.
  3. Rotate all credentials: AWS IAM keys, Azure, GCP, Kubernetes service accounts, Vault tokens, and any passwords stored in Bitwarden or 1Password should be treated as compromised.
  4. Audit AWS SSM and Kubernetes: Review CloudTrail for SSM:SendCommand calls and Kubernetes audit logs for unexpected kubectl exec activity.
  5. Block C2 infrastructure: Deny DNS and proxy access to check.git-service.com and t.m-kosche.com; block outbound traffic to /v1/models, /audio.mp3, and /api/public/version endpoints.
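The first two steps above, searching dependency pins for the compromised durabletask versions and checking a host for the dropped payload and infection markers, as an added triage script (not from the article or from Wiz). It assumes POSIX sh with awk, ps and grep; the directory arguments are there so the same functions can be pointed at a mounted image or a constructed test tree instead of the live host.

```shell
#!/bin/sh
# Added triage helper, not from the article or from Wiz: checks for the
# durabletask / rope.pyz indicators the page lists. Paths are parameters so
# the same functions can run against a live host, a mounted image or a test dir.

# Print pinned durabletask versions 1.4.1-1.4.3 found in requirements.txt,
# constraints, "pip freeze" output, or a poetry/uv style lockfile. Returns 0
# when at least one compromised version is pinned, 1 otherwise.
find_bad_durabletask() {
    awk '
      # requirements / pip freeze style: durabletask==1.4.2
      tolower($0) ~ /^durabletask[ \t]*==[ \t]*1\.4\.[123]([^0-9]|$)/ { print; found = 1 }
      # lockfile style: name = "durabletask" followed by version = "1.4.x"
      /^name[ \t]*=[ \t]*"durabletask"/ { inpkg = 1; next }
      /^name[ \t]*=/                    { inpkg = 0 }
      inpkg && /^version[ \t]*=[ \t]*"1\.4\.[123]"/ { print; found = 1 }
      END { exit found ? 0 : 1 }
    ' "$1"
}

# Look for the dropped payload, the infection markers and a python3 process
# running a .pyz from /tmp. $1 = tmp dir (default /tmp), $2 = home dir
# (default $HOME). Prints each hit; returns 0 if anything was found.
check_host_iocs() {
    tmp=${1:-/tmp}; home=${2:-$HOME}; hits=0
    for f in "$tmp"/rope-*.pyz; do
        [ -e "$f" ] && { echo "payload: $f"; hits=$((hits + 1)); }
    done
    for m in "$home/.cache/.sys-update-check" "$home/.cache/.sys-update-check-k8s"; do
        [ -e "$m" ] && { echo "marker: $m"; hits=$((hits + 1)); }
    done
    # [p]ython3 keeps the grep from matching its own command line
    if ps -eo args 2>/dev/null | grep -E '[p]ython3 /tmp/[^ ]*\.pyz'; then
        hits=$((hits + 1))
    fi
    [ "$hits" -gt 0 ]
}

# Live-host usage:  check_host_iocs; find_bad_durabletask requirements.txt
```

A non-zero exit from both functions means no indicator was seen; any hit should be followed by the credential rotation and SSM/Kubernetes audit steps above.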
