Microsoft DurableTask Python SDK PyPI Hijacking
On May 19, 2026, the official Microsoft durabletask Python SDK was compromised on PyPI. Threat actors used hijacked publishing credentials to directly upload malicious versions containing a cloud credential-harvesting payload.
- Date:
- Severity: critical
- Sources: 4
Executive Summary
On May 19, 2026, the official Microsoft Python SDK durabletask (widely used for building stateful orchestrations in serverless and distributed environments) was compromised in a severe software supply chain attack (StepSecurity Incident Registry). Attackers hijacked the PyPI publishing credentials (likely via a leaked API token or account takeover) and bypassed Microsoft’s source repository and build pipeline entirely (Snyk Security Blog). They directly uploaded three compromised versions to PyPI: 1.4.1, 1.4.2, and 1.4.3 (StepSecurity Incident Registry). The malicious packages contained a dropper payload designed to download and execute rope.pyz, a highly sophisticated, multi-stage credential harvesting and exfiltration framework attributed to the cybercrime group TeamPCP (JFrog Security Research). The payload scraped developer workspaces, CI/CD runners, and active environment memory to steal AWS, Google Cloud, Azure, and Kubernetes secrets, exfiltrating them to TeamPCP-controlled C2 servers. CISA and Microsoft security teams intervened to yank the compromised releases and revoke the compromised token. Defenders must immediately purge their local PyPI caches, audit lockfiles, and rotate all secrets exposed during execution.
Key Facts
threat_type: "Registry-Only Malicious Package Upload & Credential Theft"
ecosystem: "pypi, python"
registry: "PyPI Registry"
affected_packages:
- "durabletask"
malicious_versions:
- "1.4.1"
- "1.4.2"
- "1.4.3"
fixed_versions:
- "1.4.4"
safe_versions:
- "1.4.0"
- "1.4.4"
exposure_window: "2026-05-19T06:00:00Z to 2026-05-19T17:30:00Z"
execution_trigger: "Installing the package or executing workflows pulling versions 1.4.1 - 1.4.3 during runtime or testing"
primary_impact: "Host and runner memory scraping, secret harvesting, and automated C2 exfiltration"
known_iocs:
- "rope[.]pyz"
- "filev2.getsession[.]org"
- "api.masscan[.]cloud"
confidence: "high"
canonical_source: "https://www.stepsecurity.io"
Source Confidence & Evidence Mapping
- confirmed:
  - Malicious versions of durabletask published on PyPI were 1.4.1, 1.4.2, and 1.4.3. Source: StepSecurity Incident Registry
  - The attack bypassed Microsoft’s repository build pipelines and was uploaded using compromised registry publishing credentials. Source: Snyk Security Blog
  - The injected package acted as a dropper for the rope.pyz malicious framework. Source: JFrog Security Research
- likely:
  - The attack is linked to the wider “Mini Shai-Hulud” supply chain campaign orchestrated by TeamPCP. Source: StepSecurity Incident Registry
- unclear:
  - Whether the credentials were stolen via developer workstation compromise or leaked through a public GitHub Action log. Source: JFrog Security Research
Timeline
- 2026-05-19T06:00:00Z Attackers exploit a leaked PyPI token associated with the Microsoft package, uploading 1.4.1, 1.4.2, and 1.4.3 directly to PyPI. Source: StepSecurity Incident Registry
- 2026-05-19T08:30:00Z Automated threat intelligence systems at StepSecurity detect abnormal library size expansion and anomalous package structural signatures. Source: StepSecurity Incident Registry
- 2026-05-19T10:15:00Z Snyk and Microsoft Security teams begin analysis of the dropped file rope.pyz. Source: Snyk Security Blog
- 2026-05-19T17:30:00Z PyPI administrators remove the malicious releases and invalidate the compromised publishing tokens. Source: StepSecurity Incident Registry
What Happened
On May 19, 2026, enterprise security teams running automated dependency scanners flagged an unexpected patch release for Microsoft’s durabletask library on PyPI (StepSecurity Incident Registry). Inspection of the underlying PyPI metadata revealed that the releases were uploaded via a legacy API token rather than the standard OpenID Connect (OIDC) Trusted Publishing workflow that Microsoft normally enforces for its SDK builds (Snyk Security Blog). Inside the package archives, analysts discovered a modified setup file that executed dynamically on installation, dropping an executable archive named rope.pyz (JFrog Security Research). The dropper bypassed Microsoft’s official GitHub repository, leaving the source code completely clean but leaving anyone who pulled the latest version from PyPI vulnerable (StepSecurity Incident Registry). PyPI administrators quickly deleted the compromised releases and revoked all active publisher tokens for the package (StepSecurity Incident Registry).
Technical Analysis
Initial Access
Initial access was achieved using compromised registry publishing credentials (Snyk Security Blog). Threat actors either obtained a leaked PyPI API token from an exposed workstation or leveraged an active credential harvested during earlier stages of their campaign against other projects (StepSecurity Incident Registry).
Package or Artifact Manipulation
The repository microsoft/durabletask-python remained completely unaffected. The attackers downloaded the official 1.4.0 package, injected the malicious dropper into setup.py and the main module bundle, changed the version metadata to 1.4.1, 1.4.2, and 1.4.3, and uploaded the backdoored wheel and source distribution files directly to PyPI (StepSecurity Incident Registry).
Execution Trigger
The malicious script was triggered automatically at install-time (Snyk Security Blog). Because setup.py was altered, any system running:

    pip install durabletask

or loading the dependency during standard CI/CD workflow provisioning automatically executed the dropper script (JFrog Security Research).
Payload Behavior
Once triggered, the payload downloaded rope.pyz, an obfuscated Python zip application (JFrog Security Research). The script unpacked the framework into the runner’s local execution environment, performing memory-scraping operations to harvest active credentials (StepSecurity Incident Registry). The malware targeted AWS credentials, Azure tokens, Google Cloud secrets, and local environment variables, matching the signature credential-stealing mechanics of TeamPCP (Snyk Security Blog).
Exfiltration / C2
Exfiltrated data was packaged and shipped via secure outbound web requests to TeamPCP-controlled C2 servers:
- filev2.getsession[.]org
- api.masscan[.]cloud
These servers were used to store collected secret dumps and coordinate further automated package hijacking tasks (StepSecurity Incident Registry).
Propagation
The malware does not feature direct replication code inside durabletask, but stolen tokens are routinely recycled by TeamPCP’s centralized infrastructure to automate compromises of other packages downstream (StepSecurity Incident Registry).
Obfuscation or Evasion
The rope.pyz payload utilized zip-application bundling to package multiple obfuscated Python files together, preventing simple directory-based file scanners from flagging individual raw malicious scripts on disk (JFrog Security Research).
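An added example, not taken from the original analysis or from any vendor's tooling: a content-based sweep that finds Python zip applications regardless of file name, which is what an endpoint check for rope.pyz-style bundles has to do once per-file scanners are bypassed. The function names and the benign sample tree are constructed for illustration.

```python
import os
import tempfile
import zipapp
import zipfile

def find_zipapps(root):
    """Return {path: [member names]} for every Python zip application under root.

    A zipapp is a zip archive with __main__.py at its top level, optionally
    preceded by a shebang line, so detection is by content and not by the
    .pyz extension (a renamed bundle is still found).
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or not zipfile.is_zipfile(path):
                    continue
                with zipfile.ZipFile(path) as zf:
                    members = zf.namelist()
            except (OSError, zipfile.BadZipFile):
                continue  # unreadable or truncated file: skip, keep sweeping
            if "__main__.py" in members:
                hits[path] = sorted(members)
    return hits

def build_sample(root):
    """Constructed tree: one benign zipapp under a non-.pyz name, one plain zip."""
    src = os.path.join(root, "src")
    os.mkdir(src)
    with open(os.path.join(src, "__main__.py"), "w") as fh:
        fh.write("print('benign constructed sample')\n")
    app = os.path.join(root, "cache.bin")
    zipapp.create_archive(src, app, interpreter="/usr/bin/env python3")
    with zipfile.ZipFile(os.path.join(root, "data.zip"), "w") as zf:
        zf.writestr("notes.txt", "plain archive, no entry point")
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for path, members in find_zipapps(d).items():
            print(path, members)
```

Legitimate tools also ship as zipapps, so hits are triage candidates to review by location and member list rather than automatic verdicts.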
Affected Assets and Blast Radius
affected_assets:
  ecosystems:
    - "pypi"
  packages:
    - "durabletask"
  versions:
    - "1.4.1"
    - "1.4.2"
    - "1.4.3"
  repositories:
    - "microsoft/durabletask-python"
  container_images: []
  CI_CD_systems:
    - "GitHub Actions pipelines"
    - "Azure DevOps pipelines"
  developer_tools:
    - "Developer workstations"
credentials_at_risk:
- AWS access keys
- Azure service principal tokens
- Google Cloud credentials
- PyPI publishing tokens
Indicators of Compromise
Domains
- filev2.getsession[.]org (source: https://www.stepsecurity.io, confidence: high)
- api.masscan[.]cloud (source: https://www.stepsecurity.io, confidence: high)
File Hashes/Identifiers
- rope.pyz (Malicious Python execution framework)
Package Versions
- durabletask@1.4.1
- durabletask@1.4.2
- durabletask@1.4.3
Detection and Hunting
Hunt Queries
hunt_queries:
  dependency_lockfiles:
    - "durabletask==1.4.1"
    - "durabletask==1.4.2"
    - "durabletask==1.4.3"
  network:
    - "filev2.getsession.org"
    - "api.masscan.cloud"
  endpoint_checks:
    - "Search disk directories for anomalous .pyz zip applications like rope.pyz"
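An added example, not part of the original write-up or any vendor tooling: a dependency-file audit for the dependency_lockfiles hunt above. It goes slightly beyond the exact-pin strings by also flagging unpinned or ranged requirements, which could have resolved to a malicious release during the exposure window; the function names and sample inputs are constructed.

```python
import re

PACKAGE = "durabletask"                  # from the page
MALICIOUS = {"1.4.1", "1.4.2", "1.4.3"}  # from the page

# requirements.txt line: name, optional [extras], then the version specifier.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?([^;#]*)")
# poetry.lock / uv.lock entry: name = "..." directly followed by version = "...".
LOCK_RE = re.compile(r'^name\s*=\s*"([^"]+)"\s*\n\s*version\s*=\s*"([^"]+)"', re.M)
PIN_RE = re.compile(r"===?\s*([0-9A-Za-z.!+-]+)")

def normalize(name):
    """PEP 503 name normalisation, so DurableTask and durabletask compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit(text):
    """Return sorted (line_no, verdict, detail) findings for one dependency file."""
    findings = []
    for m in LOCK_RE.finditer(text):
        if normalize(m.group(1)) == PACKAGE and m.group(2) in MALICIOUS:
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, "compromised", m.group(2)))
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.match(line)
        if not m or normalize(m.group(1)) != PACKAGE:
            continue
        # Drop pip's per-requirement --hash options and line continuations.
        spec = m.group(2).split("--hash")[0].strip(" \t\\")
        pin = PIN_RE.fullmatch(spec)
        if pin is None:
            # Range, wildcard or bare name: the resolver may have picked a
            # malicious release during the exposure window; check build logs.
            findings.append((line_no, "floating", spec or "(any)"))
        elif pin.group(1) in MALICIOUS:
            findings.append((line_no, "compromised", pin.group(1)))
    return sorted(findings)

# Constructed sample inputs (not taken from any real project).
SAMPLE_REQ = """\
requests==2.31.0
durabletask==1.4.2 ; python_version >= "3.9"
DurableTask>=1.4
durabletask==1.4.4
"""
SAMPLE_LOCK = '[[package]]\nname = "durabletask"\nversion = "1.4.3"\n'

if __name__ == "__main__":
    for sample in (SAMPLE_REQ, SAMPLE_LOCK):
        print(audit(sample))
```

A "floating" finding is not proof of exposure: confirm the version actually installed from pip or CI logs covering the exposure window.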
Remediation Workflow
- Immediate:
  - Purge dependencies and force downgrade to 1.4.0 or upgrade to the clean release 1.4.4 (StepSecurity Incident Registry).
  - Rotate all AWS, Google Cloud, and Azure DevOps credentials that were active in the infected developer environments or build runners (Snyk Security Blog).
- Short-term:
  - Clear local .cache/pip and internal package mirrors to ensure no backdoored wheels remain cached.
- Long-term:
  - Transition all PyPI packages to Trusted Publishing (OIDC) to mandate that only verified repository builds can publish versions, eliminating token-based uploads (StepSecurity Incident Registry).
Defensive Lessons
- prevent: Restrict uploads to OIDC identity assertions, ensuring registry tokens cannot be stolen or used out-of-context.
- detect: Build integrity checks to compare PyPI wheels directly against source repository tags to flag registry-only anomalies.
- respond: Configure incident response systems to coordinate rapid secret rotation immediately upon detection of untrusted dependency inclusion.
Open Questions
- Did the compromised token leak through a public build log or was it harvested from an infected developer workstation?
- How many downstream Azure serverless deployments were infected during the 11-hour exposure window?
Sources
- StepSecurity DurableTask Analysis - Role: DIRECT_SOURCE - Impact: Detailed version numbers, timeline timestamps, and OIDC bypass analysis.
- Snyk Security Blog on PyPI Threat Vectors - Role: PRIMARY_RESEARCH - Impact: Explanation of token-hijacking and C2 infrastructure mapping.
- JFrog rope.pyz Technical Analysis - Role: PRIMARY_RESEARCH - Impact: Zip-app payload bundling mechanics and credential-scraping behavior details.
Machine-Readable Event Profile (Format B)
[
{
"event_id": "microsoft-durabletask-pypi-compromise",
"event_name": "Microsoft DurableTask Python SDK PyPI Hijacking",
"parent_campaign_id": "teampcp-supply-chain-campaign-2025-2026",
"is_campaign_level": false,
"confidence": "high",
"confidence_reason": "Corroborated by verified advisories from StepSecurity, official PyPI removals, and detailed JFrog malware analysis.",
"attack_types": [
"malicious package",
"CI/CD compromise",
"credential theft",
"token exfiltration",
"artifact tampering"
],
"direct_sources": [
{
"name": "StepSecurity DurableTask Analysis",
"url": "https://www.stepsecurity.io"
}
],
"correlated_sources": [
{
"name": "Snyk Security Blog on PyPI Threat Vectors",
"url": "https://snyk.io",
"role": "PRIMARY_RESEARCH",
"contribution": "token-hijacking details and TeamPCP campaign attribution"
},
{
"name": "JFrog rope.pyz Technical Analysis",
"url": "https://jfrog.com",
"role": "PRIMARY_RESEARCH",
"contribution": "technical details of rope.pyz dropper payload"
}
],
"affected_assets": {
"ecosystems": ["pypi"],
"packages": ["durabletask"],
"versions": ["1.4.1", "1.4.2", "1.4.3"],
"repositories": ["microsoft/durabletask-python"],
"vendors": ["Microsoft"],
"CI_CD_systems": ["GitHub Actions pipelines", "Azure DevOps pipelines"],
"container_images": [],
"developer_tools": ["Developer workstations"]
},
"timeline": {
"first_seen": "2026-05-19T06:00:00Z",
"malicious_publish_time": "2026-05-19T06:00:00Z",
"discovery_time": "2026-05-19T08:30:00Z",
"removal_time": "2026-05-19T17:30:00Z",
"disclosure_time": "2026-05-19T08:30:00Z",
"fixed_version_time": "2026-05-19T17:30:00Z"
},
"matching_signals": {
"package_names": ["durabletask"],
"affected_versions": ["1.4.1", "1.4.2", "1.4.3"],
"identifiers": {
"cve": "N/A",
"ghsa": "N/A",
"osv": "N/A"
},
"shared_claims": "Dropper delivering rope.pyz credential harvesting framework",
"shared_root_cause": "Compromised registry publisher API token",
"shared_affected_parties": "Downstream developers using Microsoft DurableTask Python SDK"
},
"iocs": {
"domains": ["filev2.getsession.org", "api.masscan.cloud"],
"ips": [],
"urls": [],
"hashes": [],
"scripts": ["setup.py", "rope.pyz"]
},
"recommended_actions": {
"store_as_new_event": true,
"attach_as_observations": [
"https://snyk.io",
"https://jfrog.com"
],
"promote_to_writeup": true,
"needs_ioc_enrichment": false,
"needs_registry_metadata": false,
"needs_more_research": false
}
}
]