
Introduction
A major software supply chain incident has shaken the Python ecosystem after attackers compromised the official Microsoft Durable Task Python client on PyPI. The malicious activity is linked to the threat actor group TeamPCP, known for running the widespread Mini Shai-Hulud campaign. With hundreds of thousands of monthly downloads, the incident demonstrates how quickly trusted developer tools can be turned into large-scale attack vectors. The attack highlights once again that even well-maintained enterprise projects are not immune to credential theft, CI/CD bypass techniques, and multi-cloud malware payloads.
Summary of the Incident
The attack began when TeamPCP compromised the publishing credentials for Microsoft's Durable Task Python client, a workflow execution framework widely used in distributed systems. On May 19, 2026, three malicious versions of the package, durabletask 1.4.1, 1.4.2, and 1.4.3, were uploaded to PyPI within a 35-minute window before security researchers discovered and quarantined them.
The compromised package receives more than 400,000 downloads each month, significantly increasing the blast radius of the attack. Investigations by Wiz researchers connected the intrusion to a broader supply chain wave previously associated with the @antv ecosystem compromise, revealing a pattern of reused attacker infrastructure and stolen credentials.
The attackers bypassed Microsoft's official CI/CD pipeline entirely by using a stolen PyPI API token extracted from GitHub Actions secrets. With the token in hand they could publish builds directly with twine, so the compromised versions have no matching git tags and no workflow runs, the artifacts a legitimate release would normally leave behind. That absence is itself a detectable signal: a version that appears on the index without a corresponding tag or workflow run should be treated as an out-of-band publish until proven otherwise.
A newly registered command and control domain, check.git-service.com, was created only days before the attack, signaling premeditation. The malware itself is relatively small in its initial stage, just 14 lines of Python, but it downloads a second-stage payload called rope.pyz from the C2 server and executes multiple detached processes to ensure persistence and stealth.
The second stage is a 28 KB Python zip application (a .pyz zipapp: a zip archive with a __main__.py at its root) containing multiple modules designed for broad credential harvesting. It targets AWS, Azure, Google Cloud Platform, Kubernetes environments, and HashiCorp Vault, as well as local secrets stored in shell history files and developer environments.
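Because the second stage is a zipapp, it can be triaged statically before anyone runs it. The following is an added example, not code from the report or from the durabletask project: it lists the archive members, checks whether the archive is runnable as a zipapp, and reports which credential-store indicator families each Python module references. The indicator strings are assumptions chosen to match the stores named above, not strings taken from the real rope.pyz, and the sample archive is a constructed, benign stand-in that contains only string constants.

```python
import io
import zipfile

# Indicator families for static triage of a Python zipapp. The strings are
# an assumption chosen to match the credential stores the report says the
# payload targets; they are not copied from the real rope.pyz.
INDICATORS = {
    "aws": ["~/.aws/credentials", "AWS_SECRET_ACCESS_KEY", "boto3"],
    "azure": ["~/.azure/", "AZURE_CLIENT_SECRET", "az account"],
    "gcp": ["application_default_credentials.json", "GOOGLE_APPLICATION_CREDENTIALS"],
    "kubernetes": ["~/.kube/config", "/var/run/secrets/kubernetes.io"],
    "vault": ["~/.vault-token", "VAULT_TOKEN"],
    "shell_history": ["~/.bash_history", "~/.zsh_history"],
    "lateral": ["SendCommand", "send_command", "kubectl exec"],
}


def triage_pyz(data: bytes) -> dict:
    """Inspect a .pyz without executing it.

    A zipapp is a zip archive with __main__.py at its root, optionally
    prefixed by a shebang line; zipfile locates the archive from its end,
    so the prefix does not need to be stripped. Returns the member list,
    whether the archive is runnable as a zipapp, and which indicator
    families each Python member references.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
        hits = {}
        for name in members:
            if not name.endswith(".py"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            found = sorted(
                family for family, needles in INDICATORS.items()
                if any(needle in text for needle in needles)
            )
            if found:
                hits[name] = found
    return {
        "size_bytes": len(data),
        "members": members,
        "is_zipapp": "__main__.py" in members,
        "indicators": hits,
    }


def build_sample_pyz() -> bytes:
    """Constructed, benign stand-in for a second-stage archive.

    It carries only string constants so the triage has something to match;
    there is no collection or propagation logic in it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("__main__.py", "import aws, k8s\n")
        zf.writestr("aws.py", 'PATHS = ["~/.aws/credentials"]\n')
        zf.writestr("k8s.py", 'CFG = "~/.kube/config"\nCMD = "kubectl exec"\n')
        zf.writestr("README.txt", "not python\n")
    # zipapp writes the interpreter line in front of the archive
    return b"#!/usr/bin/env python3\n" + buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage_pyz(build_sample_pyz()), indent=2))
```

String matching is a first pass only; obfuscated payloads will hide these markers, so a clean result says nothing, while a hit on a package that has no business reading cloud credentials is enough to stop and escalate.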
The malware also includes propagation capabilities, using AWS SSM SendCommand and kubectl exec to spread laterally across up to five additional targets per infected host. Infection markers are placed in hidden cache directories to avoid re-infection.
Further analysis revealed a secondary C2 domain tied directly to TeamPCP infrastructure, confirming the connection to the Mini Shai-Hulud campaign. Previous victims of this campaign include multiple open source ecosystems and security vendors, making this one of the most aggressive supply chain operations observed in 2026.
What Undercode Say:
The compromise of Microsoft's Durable Task Python client is not just another isolated supply chain incident; it is a demonstration of how mature open source ecosystems are now prime targets for hybrid identity and infrastructure attacks. The attackers did not exploit a traditional software vulnerability in code logic. They focused on identity compromise, which is increasingly the weakest link in modern DevOps pipelines.
The most alarming aspect is the bypass of CI/CD pipelines. By stealing a PyPI API token from GitHub Actions secrets, the attackers effectively eliminated the need to tamper with source code repositories or trigger legitimate builds. This reflects a shift in attacker behavior toward targeting automation secrets rather than application logic.
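The token-only publish described in the Summary and in the preceding paragraph leaves a fingerprint on the index side: versions with no matching repository tag, uploaded in a burst. The following is an added example of checking for that pattern, not code from the report or from the durabletask project. The release data mirrors the shape of PyPI's JSON API `releases` object but is constructed for the example (1.4.0 is assumed legitimate, and the tag naming scheme with a `v` prefix is an assumption); against a live project you would fetch the JSON endpoint and the repository's tag list.

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of the "releases" object returned by
# https://pypi.org/pypi/<project>/json: version -> files, each with an
# ISO-8601 upload time. Timestamps are made up; 1.4.1-1.4.3 are spaced to
# reproduce the three-versions-in-35-minutes pattern from the report, and
# 1.4.0 is assumed legitimate for the example.
SAMPLE_RELEASES = {
    "1.4.0": [{"filename": "durabletask-1.4.0-py3-none-any.whl",
               "upload_time_iso_8601": "2026-04-02T15:10:00.000000Z"}],
    "1.4.1": [{"filename": "durabletask-1.4.1-py3-none-any.whl",
               "upload_time_iso_8601": "2026-05-19T13:00:00.000000Z"}],
    "1.4.2": [{"filename": "durabletask-1.4.2-py3-none-any.whl",
               "upload_time_iso_8601": "2026-05-19T13:15:00.000000Z"}],
    "1.4.3": [{"filename": "durabletask-1.4.3-py3-none-any.whl",
               "upload_time_iso_8601": "2026-05-19T13:35:00.000000Z"}],
}

# Constructed stand-in for `git tag --list` on the upstream repository.
# A "v" prefix is assumed; set tag_prefix to the project's convention.
SAMPLE_GIT_TAGS = ["v1.3.0", "v1.4.0"]


def _parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def first_upload(files: list) -> datetime:
    """Earliest upload time among a release's files."""
    return min(_parse_time(f["upload_time_iso_8601"]) for f in files)


def untagged_releases(releases: dict, git_tags: list, tag_prefix: str = "v") -> list:
    """Versions on the index with no matching tag in the repository.
    A tag-triggered release workflow leaves one tag per version, so a
    release without one was published some other way."""
    tagged = {t[len(tag_prefix):] if t.startswith(tag_prefix) else t for t in git_tags}
    return sorted(v for v in releases if v not in tagged)


def release_bursts(releases: dict, window: timedelta = timedelta(hours=1),
                   min_count: int = 3) -> list:
    """Groups of at least min_count versions uploaded within `window` of
    the group's first upload, in upload order."""
    ordered = sorted(releases, key=lambda v: first_upload(releases[v]))
    bursts, current = [], []
    for version in ordered:
        t = first_upload(releases[version])
        if current and t - first_upload(releases[current[0]]) > window:
            if len(current) >= min_count:
                bursts.append(current)
            current = []
        current.append(version)
    if len(current) >= min_count:
        bursts.append(current)
    return bursts


def suspicious_releases(releases: dict, git_tags: list) -> list:
    """Versions that are both untagged and part of an upload burst: the
    combination a token-only twine publish produces."""
    untagged = set(untagged_releases(releases, git_tags))
    in_burst = {v for burst in release_bursts(releases) for v in burst}
    return sorted(untagged & in_burst)


if __name__ == "__main__":
    # Against the live index, replace SAMPLE_RELEASES with
    # json.load(urllib.request.urlopen("https://pypi.org/pypi/durabletask/json"))["releases"]
    print("untagged:", untagged_releases(SAMPLE_RELEASES, SAMPLE_GIT_TAGS))
    print("bursts:", release_bursts(SAMPLE_RELEASES))
    print("suspicious:", suspicious_releases(SAMPLE_RELEASES, SAMPLE_GIT_TAGS))
```

The untagged check alone is the stronger of the two signals; the burst check mainly narrows a long history down to the versions worth looking at first. Either check is only as good as your ability to read the upstream repository, so run it from a maintainer-side job rather than trusting index metadata alone.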
The payload design also shows a clear evolution in malware engineering. Instead of deploying a single monolithic payload, the attackers used a staged architecture. The initial dropper is minimal, reducing detection risk, while the secondary payload expands into a full credential harvesting framework capable of accessing multi-cloud environments simultaneously.
Another important observation is the breadth of credential targeting. AWS, Azure, and GCP are all included in a single payload, which suggests that attackers are no longer assuming homogeneous infrastructure. Modern enterprise environments are hybrid by default, and the malware reflects that reality by attempting universal cloud compromise in one execution cycle.
The lateral movement strategy is particularly concerning. By using AWS SSM SendCommand and Kubernetes exec operations, the malware leverages legitimate administrative tools instead of custom propagation methods. This makes detection significantly harder because the traffic blends into normal DevOps operations.
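Because the propagation described above and in the Summary rides on legitimate SSM SendCommand and pods/exec calls, the thing to alert on is not the call but its fan-out: one principal reaching several hosts or pods in a short window, and in the SSM case a workload identity doing it rather than an operator. The following is an added example of that detection, not code from the report or from any vendor product. The CloudTrail and Kubernetes audit records are constructed samples trimmed to the fields the logic reads; field names follow the real layouts, while the account, role, instance and pod names are made up, and the ten-minute window and threshold of three are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def fanout(events, actor, targets, when,
           window=timedelta(minutes=10), threshold=3) -> dict:
    """Generic fan-out detector: for each actor, slide a `window` over its
    events in time order and report actors that reach at least `threshold`
    distinct targets inside one window. Returns {actor: sorted targets}."""
    per_actor = defaultdict(list)
    for e in events:
        per_actor[actor(e)].append((when(e), set(targets(e))))
    flagged = {}
    for a, hits in per_actor.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):
            reached = set()
            for t, tg in hits[i:]:
                if t - t0 > window:
                    break
                reached |= tg
            if len(reached) >= threshold:
                flagged[a] = sorted(reached)
                break
    return flagged


# AWS CloudTrail: SSM SendCommand using the shell-script document.
def ssm_shell_commands(records):
    return [r for r in records
            if r.get("eventSource") == "ssm.amazonaws.com"
            and r.get("eventName") == "SendCommand"
            and r.get("requestParameters", {}).get("documentName") == "AWS-RunShellScript"]


def from_instance_role(arn: str) -> bool:
    """An assumed-role session named after an instance ID is an EC2
    instance profile; a workload pushing shell to other instances is
    rarely legitimate and is the report's propagation pattern."""
    return "assumed-role/" in arn and arn.rsplit("/", 1)[-1].startswith("i-")


def ssm_fanout(records, **kw):
    return fanout(ssm_shell_commands(records),
                  actor=lambda r: r["userIdentity"]["arn"],
                  targets=lambda r: r["requestParameters"].get("instanceIds", []),
                  when=lambda r: _ts(r["eventTime"]), **kw)


# Kubernetes audit log: create on the pods/exec subresource (kubectl exec).
def k8s_exec_fanout(records, **kw):
    execs = [r for r in records if r.get("verb") == "create"
             and r.get("objectRef", {}).get("resource") == "pods"
             and r.get("objectRef", {}).get("subresource") == "exec"]
    return fanout(execs,
                  actor=lambda r: r["user"]["username"],
                  targets=lambda r: [r["objectRef"]["namespace"] + "/" + r["objectRef"]["name"]],
                  when=lambda r: _ts(r["requestReceivedTimestamp"]), **kw)


# Constructed samples: one operator sending to a single instance, and one
# instance-profile session reaching five instances in six minutes.
ROLE_SESSION = "arn:aws:sts::123456789012:assumed-role/AppRole/i-0a1b2c3d4e5f60718"
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2026-05-19T14:00:05Z", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0001"]}},
    {"eventTime": "2026-05-19T14:02:11Z", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": ROLE_SESSION},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0002", "i-0003"]}},
    {"eventTime": "2026-05-19T14:04:40Z", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": ROLE_SESSION},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0004"]}},
    {"eventTime": "2026-05-19T14:07:59Z", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": ROLE_SESSION},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0005", "i-0006"]}},
]
SAMPLE_K8S_AUDIT = [
    {"requestReceivedTimestamp": "2026-05-19T14:10:00.000000Z", "verb": "create",
     "user": {"username": "system:serviceaccount:ci:runner"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "api-1"}},
    {"requestReceivedTimestamp": "2026-05-19T14:11:30.000000Z", "verb": "create",
     "user": {"username": "system:serviceaccount:ci:runner"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "api-2"}},
    {"requestReceivedTimestamp": "2026-05-19T14:13:00.000000Z", "verb": "create",
     "user": {"username": "system:serviceaccount:ci:runner"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "worker-1"}},
    {"requestReceivedTimestamp": "2026-05-19T14:20:00.000000Z", "verb": "create",
     "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "dev", "name": "debug"}},
]
```

In a real deployment the SSM side would also be constrained by IAM: an instance profile has no reason to hold ssm:SendCommand, and removing it turns this detection into a prevention. The Kubernetes side needs the audit policy to record pods/exec at Metadata level or above, otherwise the events never reach the log.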
The infection markers dropped in hidden cache directories are a classic worm technique for avoiding re-infection rather than persistence in the strict sense, but their inclusion alongside cloud-native propagation shows a dual approach: a local foothold on each host combined with distributed cloud spread. This increases survivability even if part of the infrastructure is cleaned, and it also gives responders a concrete artifact to sweep for across the fleet.
The connection to the Mini Shai-Hulud campaign indicates this is not a one-off event but part of a coordinated long-term operation. The reuse of infrastructure, naming conventions, and C2 patterns suggests a mature threat group capable of sustained supply chain infiltration across multiple ecosystems.
From a defensive standpoint, the most critical failure point is secret management. GitHub Actions secrets, PyPI tokens, and CI environment variables remain high-value targets. Once compromised, they enable silent injection into trusted distribution channels without triggering traditional security alerts. A long-lived, project-scoped API token sitting in a CI secret store is exactly the asset this attack needed; PyPI's Trusted Publishing, which mints short-lived credentials from the workflow's OIDC identity, removes that token from the picture, and where a token is unavoidable it should be scoped to one project and rotated on any sign of CI compromise.
This attack also reinforces the growing importance of package provenance verification. Organizations that rely solely on package version numbers or publisher identity, without cryptographic validation such as hash-pinned installs or checking the attestations published with a release, are exposed to silent compromise risks.
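Hash pinning is the cheapest form of cryptographic validation available today: the lock file records the SHA-256 of each artifact reviewed, and the installer refuses anything else. The following is an added example of that check, not code from the report or from pip itself; it parses the same `name==version --hash=sha256:...` format that `pip install --require-hashes` enforces and verifies a downloaded artifact against it. The wheel bytes are constructed placeholders whose hashes are computed in place so the sample requirements are internally consistent.

```python
import hashlib
import re

# One pinned line: name==version followed by one or more --hash=sha256:...
# options (pip's --require-hashes format; continuation backslashes are
# joined before matching).
_PIN = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})+)$"
)


def _norm(name: str) -> str:
    # PEP 503 normalisation: case-insensitive, runs of -_. collapse to "-"
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pinned_requirements(text: str) -> dict:
    """Parse a hash-pinned requirements file into {name: (version, {sha256})}.
    Any line that is not a fully pinned, hashed requirement is rejected,
    which is the same failure pip --require-hashes would produce."""
    pins = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN.match(line)
        if not m:
            raise ValueError(f"not a hash-pinned requirement: {line!r}")
        digests = set(re.findall(r"sha256:([0-9a-f]{64})", m["hashes"]))
        pins[_norm(m["name"])] = (m["version"], digests)
    return pins


def verify_artifact(pins: dict, name: str, version: str, data: bytes) -> str:
    """Decide whether a downloaded distribution may be installed.
    Returns "ok", "not-pinned", "version-mismatch" or "hash-mismatch"."""
    entry = pins.get(_norm(name))
    if entry is None:
        return "not-pinned"
    pinned_version, digests = entry
    if version != pinned_version:
        return "version-mismatch"
    return "ok" if hashlib.sha256(data).hexdigest() in digests else "hash-mismatch"


# Constructed artifacts: a few bytes standing in for a wheel and for the
# same filename after tampering. Their hashes are computed here so the
# sample requirements text below is internally consistent.
GOOD_WHEEL = b"PK\x03\x04 durabletask-1.4.0 (constructed placeholder)"
TAMPERED_WHEEL = b"PK\x03\x04 durabletask-1.4.0 (constructed placeholder, modified)"
SAMPLE_REQUIREMENTS = (
    "# pinned from `pip hash` output\n"
    f"durabletask==1.4.0 \\\n    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}\n"
)
PINS = parse_pinned_requirements(SAMPLE_REQUIREMENTS)


if __name__ == "__main__":
    for label, version, blob in [("good", "1.4.0", GOOD_WHEEL),
                                 ("tampered", "1.4.0", TAMPERED_WHEEL),
                                 ("wrong version", "1.4.2", GOOD_WHEEL)]:
        print(f"{label:14} -> {verify_artifact(PINS, 'durabletask', version, blob)}")
```

The caveat practitioners should keep in mind: hash pinning protects a version you have already reviewed against substitution, nothing more. A lock-file refresh that blindly picked up 1.4.1 during the 35-minute window would have pinned the malicious wheel's hash just as faithfully, so lock-file diffs that bump a dependency need the same review as a code change, and the pin should be combined with provenance checks on the release itself.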
Finally, the scale of downstream exposure is massive. With hundreds of thousands of downloads per month, even a short-lived malicious version window is enough to compromise global infrastructure pipelines before detection and remediation occur.
Fact Checker Results
✔ The attack aligns with known supply chain compromise patterns involving stolen CI/CD secrets and package injection.
✔ Multiple malicious versions were reportedly published in a short time window before quarantine action.
✔ Attribution to TeamPCP and Mini Shai-Hulud is consistent with previously documented infrastructure reuse patterns.
Prediction
This incident suggests supply chain attacks will increasingly shift away from code exploitation and toward identity compromise inside developer platforms. Future campaigns will likely automate token theft from CI/CD systems and reuse them across multiple package ecosystems. As dependency networks grow, even short-lived malicious releases will continue to have long-lasting downstream impact across cloud and enterprise infrastructure.
References:
Reported By: cyberpress.org