TeamPCP: Supply Chain Attack Compromises Microsoft DurableTask Python Client

The software supply chain landscape has faced a sophisticated new escalation as the TeamPCP threat actor group successfully compromised the official Microsoft DurableTask Python client. This high-profile orchestration package, critical for managing complex workflows in Python-based cloud applications, served as the vehicle for a highly targeted distribution of malicious code.

Following deep forensic analysis by Wiz researchers, three specific versions of the durabletask package on PyPI—1.4.1, 1.4.2, and 1.4.3—were identified as trojanized. These versions have since been quarantined by PyPI administrators. This incident underscores a growing trend where attackers bypass hardened infrastructure by targeting the developer ecosystem and CI/CD pipelines directly.

The breach is intrinsically linked to a previous campaign targeting the @antv ecosystem, suggesting a persistent and evolving campaign by TeamPCP. The point of entry was not a breach of PyPI itself, but rather the hijacking of a GitHub user account with legitimate write access to the microsoft/durabletask-python repository. By analyzing recent commit histories and leveraging the victim’s existing permissions, the attackers successfully exfiltrated sensitive repository secrets, most notably a PyPI authentication token stored within GitHub Actions secrets. This allowed the threat actors to publish poisoned versions of the package directly to the official index.

Technical Analysis of the Malicious Payload

The payload represents a significant architectural evolution from previous malware seen in the guardrails-ai ecosystem. The attackers have transitioned from simple data exfiltration to a comprehensive toolkit designed for cloud credential harvesting and automated lateral movement.

The malicious logic is delivered via a compressed rope.pyz payload, which is injected into core package files including __init__.py, task.py, and various submodules. Once the compromised package is imported and executed on a Linux-based environment, the malware initiates a multi-stage attack lifecycle:

  • Credential Harvesting: The malware aggressively scans for environment variables and local configuration files associated with AWS, Azure, GCP, Kubernetes, and HashiCorp Vault. It also targets local file systems for stored passwords and sensitive shell history.
  • Worm-like Propagation: Unlike static malware, this payload includes a propagation engine that utilizes AWS Systems Manager (SSM) and Kubernetes APIs to attempt lateral movement, targeting up to five additional nodes per infected host.
  • Automated Brute-Forcing: By scraping .bash_history and .zsh_history, the malware extracts potential passwords to attempt automated unlocking of credential managers such as Bitwarden, 1Password, and GPG keys.

The malware establishes communication with Command-and-Control (C2) infrastructure via check.git-service.com, with t.m-kosche.com serving as a secondary fallback. To maintain persistence and track successful infections, it drops a marker file at ~/.cache/.sys-update-check.

Incident Response and Mitigation Strategies

Security operations teams should treat this as a high-severity incident. Immediate action is required to identify and neutralize the threat within your environment.

1. Detection and Identification

Immediately audit all requirements.txt, pyproject.toml, or Pipfile dependencies for the following versions of durabletask: 1.4.1, 1.4.2, or 1.4.3. On Linux endpoints, perform a hunt for the following indicators of compromise (IoCs):

  • Filesystem: /tmp/managed.pyz, /tmp/rope-*.pyz, and ~/.cache/.sys-update-check.
  • Processes: Suspicious child processes running python3 /tmp/managed.pyz.

2. Containment and Remediation

If an infection is confirmed, assume all local and cloud-based secrets are compromised. A full rotation of credentials is mandatory:

  • Cloud Infrastructure: Rotate AWS IAM roles, Azure Service Principals, GCP Service Accounts, and Kubernetes tokens.
  • Secret Management: Invalidate and reissue all HashiCorp Vault tokens and rotate any passwords stored in Bitwarden or 1Password.
  • Network Layer: Block outbound traffic to the identified C2 domains.

3. Forensic Auditing

Post-remediation, conduct a deep audit of your infrastructure logs. Specifically, examine AWS CloudTrail for anomalous SSM activity and Kubernetes audit logs for unauthorized kubectl exec commands that may indicate lateral movement attempts.

To prevent recurrence, organizations should adopt a “Zero Trust” approach to third-party dependencies, implementing strict GitHub Actions secret scoping and utilizing dependency scanning tools to catch unauthorized version jumps in the CI/CD pipeline.

Related Articles

Back to top button