Open Source · 2026-05-19 · 0 days · Credential Theft, Data Exfiltration, Self Propagation, Destruction

Microsoft durabletask PyPI hit by Mini Shai-Hulud

Part of the Shai-Hulud hits npm and PyPI campaign

TeamPCP published malicious durabletask 1.4.1, 1.4.2, and 1.4.3 to PyPI with a stolen token, bypassing Microsoft's CI/CD path. The dropper fetched rope.pyz to harvest cloud and password-manager credentials, spread via AWS SSM and kubectl, and conditionally wiped disks.

Story

Microsoft's official Python SDK for Azure Durable Functions, the PyPI package durabletask, briefly shipped with a credential stealer on May 19, 2026, after attackers used a stolen publishing token to push three back-to-back malicious releases directly to the package index, bypassing the project's GitHub-based release pipeline entirely.

durabletask sees roughly 400,000 PyPI downloads per month. Researchers at StepSecurity and Wiz, who jointly reconstructed the incident, said versions 1.4.1, 1.4.2, and 1.4.3 were published inside a 35-minute window before a public report and an Amazon Inspector advisory prompted Microsoft to yank them. None of the three malicious versions had a matching tag, release, or CI/CD run in microsoft/durabletask-python. Wiz traced the publishing credential to a contributor GitHub account previously implicated in the @antv npm wave earlier that morning, and said the attackers copied the latest legitimate commit message to disguise the upload while pulling the PyPI token from GitHub repository secrets.

Each release embedded the dropper a little deeper. Version 1.4.1 patched only __init__.py. 1.4.2 added a task.py. 1.4.3 spread the loader across entities/, extensions/, and payload/ __init__.py files. According to StepSecurity, the 14-line dropper ran at import time on Linux and fetched a 28 KB second stage called rope.pyz from check.git-service.com, a domain registered through NameSilo three days earlier.

rope.pyz was an industrial-grade collector. StepSecurity catalogued more than 90 on-disk credential paths covering AWS, Azure, GCP, Kubernetes, HashiCorp Vault, GitHub, Docker, SSH, infrastructure-as-code state for Terraform, Ansible, and Pulumi, shell histories, AI-tooling configurations for Claude, Cursor, VS Code MCP, and Codeium, and the 1Password, Bitwarden, pass, and gopass command-line tools. Persistence wrote /tmp/managed.pyz, installed a systemd unit called pgsql-monitor.service to mimic a database agent, and marked infected hosts with a ~/.cache/.sys-update-check file.

The propagation logic resembled TeamPCP's other 2026 waves. Where the payload found AWS credentials, it issued SSM SendCommand calls against up to five EC2 instances per profile. Where it found a kubeconfig, it ran kubectl exec into up to five pods per cluster. Stolen material flowed out over three parallel channels: HTTPS POSTs to the C2, GitHub commit beacons under the FIRESCALE tag using victim tokens, and public repositories created on stolen GitHub accounts named for Russian folklore figures — BABA-YAGA, KOSCHEI, FIREBIRD, RUSALKA, MOROZKO, and LESHY. The malware skipped Russian-locale systems, skipped hosts with two or fewer CPU cores, and routed its output to /dev/null. A roulette.py module inspected locale settings for Israeli and Iranian indicators and, when it matched, played an audio file and ran rm -rf /* with a one-in-six probability.

Amazon Inspector flagged the packages as MAL-2026-4174. A public report landed in microsoft/durabletask-python issue #137 at 17:54 UTC. Microsoft yanked all three versions ten minutes later. Researchers tied the operation to TeamPCP's broader Mini Shai-Hulud activity through shared t.m-kosche.com infrastructure and the folklore-naming pattern, even though durabletask was a Python package rather than the @tanstack/setup Node module that drove the May 11 wave. The cross-ecosystem aggregate lives on [[shai-hulud-here-we-go-again]]; this record holds the durabletask-specific evidence.

Affected Artifacts

durabletask

pypi · pypi.org · repository · Source Archive
Observed: 2026-05-19
Compromised Versions: 1.4.1, 1.4.2, 1.4.3
Fixed: 1.4.0
  • PyPI yanked all three versions on 2026-05-19; 1.4.0 is the last clean release. 1.4.1 patched __init__.py only; 1.4.2 added task.py; 1.4.3 spread the dropper across entities/, extensions/, and payload/ __init__.py files.

Incident Context

Motive: Credential Theft, Data Exfiltration
Attribution: Group
Cause: Compromised Account Credentials
Transitive: Yes
Actor: TeamPCP

Indicators

  • Location (distribution): pypi.org/project/durabletask
  • Location (mirror): github.com/microsoft/durabletask-python/issues/137
  • file_sha256 (rope.pyz): 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce
  • file: /tmp/managed.pyz
  • file: /tmp/rope-*.pyz
  • file: /tmp/.rope_state/ssm_instances.json
  • file: ~/.cache/.sys-update-check
  • file: ~/.cache/.sys-update-check-k8s
  • file: pgsql-monitor.service
  • file: roulette.py
  • domain: check.git-service.com
  • domain: t.m-kosche.com
  • ipv4: 160.119.64.3
  • ipv4: 83.142.209.194
  • repository: BABA-YAGA
  • repository: KOSCHEI
  • repository: FIREBIRD
  • repository: RUSALKA
  • repository: MOROZKO
  • repository: LESHY
  • tag: FIRESCALE
  • advisory: MAL-2026-4174
  • advisory: SNYK-PYTHON-DURABLETASK-16761538
  • Hash: sha256:7d80b3ef74ad7992b93c31966962612e4e2ceb93e7727cdbd1d2a9af47d44ba8
  • Hash: sha256:aeaf583e20347bf850e2fabdcd6f4982996ba023f8c2cd56bbd299cfd56516f5
  • Hash: sha256:877ff2531a63393c4cb9c3c86908b62d9c4fc3db971bc231c48537faae6cb3ec
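
A host triage check built from the version numbers and on-disk indicators in this record, added here as an example and not taken from StepSecurity, Wiz or Microsoft. The systemd unit directories are an assumption, since the record gives only the unit name.

```python
import glob
import os
from importlib import metadata

BAD_VERSIONS = {"1.4.1", "1.4.2", "1.4.3"}  # malicious releases named in this record
FILE_IOCS = [  # on-disk indicators listed in this record
    "/tmp/managed.pyz",
    "/tmp/rope-*.pyz",
    "/tmp/.rope_state/ssm_instances.json",
    "~/.cache/.sys-update-check",
    "~/.cache/.sys-update-check-k8s",
]
UNIT_NAME = "pgsql-monitor.service"
# Assumption: usual systemd unit directories; the record gives only the unit name.
UNIT_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system",
             "/lib/systemd/system", "~/.config/systemd/user"]

def installed_bad_version(dist_name="durabletask"):
    """Return the installed version if it is a malicious release, else None."""
    try:
        version = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None
    return version if version in BAD_VERSIONS else None

def scan_host(root="/", home=None):
    """Return indicator paths found under root (a mounted image works too)."""
    home = home or os.path.expanduser("~")

    def resolve(path):
        if path.startswith("~"):
            path = home + path[1:]
        return os.path.join(root, path.lstrip("/"))

    hits = []
    for pattern in FILE_IOCS:
        hits.extend(glob.glob(resolve(pattern)))
    for unit_dir in UNIT_DIRS:
        candidate = os.path.join(resolve(unit_dir), UNIT_NAME)
        if os.path.lexists(candidate):
            hits.append(candidate)
    return sorted(set(hits))

if __name__ == "__main__":
    bad = installed_bad_version()
    if bad:
        print(f"durabletask {bad} installed: malicious release")
    for hit in scan_host():
        print(f"indicator present: {hit}")
```

importlib.metadata sees only the interpreter that runs the script, so run it once per virtualenv or container image; pass root= to scan a mounted disk image instead of the live host.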

Notes

  • StepSecurity timed the three malicious uploads at 16:19-16:54 UTC, disclosure at 17:54 UTC, and Microsoft's yank at 18:04 UTC on 2026-05-19. Wiz reported a separate 15:08-15:16 UTC attacker activity window against the durabletask-python repository, consistent with GitHub-secret exfiltration before the PyPI publish.
  • Wiz tied the entry point to a compromised contributor account previously seen in the @antv wave; Aikido qualified the TeamPCP attribution as likely but unconfirmed, while Wiz and StepSecurity attributed it directly.
  • Snyk reported approximately 103,000 weekly downloads and 1.7 million lifetime downloads for durabletask; StepSecurity reported roughly 400,000 monthly downloads. No confirmed install-victim count is published.

External References

Source record: oss/attacks/durabletask-pypi/meta.yaml