Full Report
Discover the latest on malicious versions of the pypi package durabletask, matching TeamPCP tactics.
Analysis Summary
# Tool/Technique: TeamPCP PyPI Supply Chain Attack (durabletask)
## Overview
This entry covers a supply chain compromise involving malicious versions of the `durabletask` PyPI package (the official Microsoft Python client for the Durable Task framework). Attributed to the threat actor **TeamPCP**, the attack uses poisoned package versions to deploy a sophisticated Python-based worm designed for credential exfiltration, lateral movement in cloud environments, and password manager brute-forcing.
## Technical Details
- **Type**: Malware family / Supply Chain Attack
- **Platform**: Linux (primarily cloud-based workloads)
- **Capabilities**: Credential harvesting, lateral movement (AWS/K8s), worm-like propagation, password manager brute-forcing.
- **First Seen**: May 19, 2026 (Campaign started earlier with `guardrails-ai` package in May 2024).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1195.002 - Supply Chain Compromise: Compromise Software Dependencies
- **TA0006 - Credential Access**
- T1552 - Unsecured Credentials
- T1555 - Credentials from Password Stores
- T1110.001 - Brute Force: Password Guessing
- **TA0007 - Discovery**
- T1083 - File and Directory Discovery
- **TA0008 - Lateral Movement**
- T1570 - Lateral Tool Transfer
- T1611 - Escape to Host (K8s)
- **TA0009 - Collection**
- T1005 - Data from Local System
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols
## Functionality
### Core Capabilities
- **Credential Stealing**: Automatically harvests credentials for AWS, Azure, GCP, Kubernetes, HashiCorp Vault, and local filesystems.
- **Shell History Scraping**: Scrapes `.bash_history` and `.zsh_history` for plain-text passwords and sensitive commands.
- **Persistence & Propagation**: Acts as a worm, attempting to propagate to up to 5 additional targets per infected host via AWS SSM and Kubernetes.
- **Infection Markers**: Uses local files (`~/.cache/.sys-update-check`) to avoid re-infection.
### Advanced Features
- **Password Manager Brute-forcing**: Specifically targets **Bitwarden**, **1Password**, and **GPG** CLI tools. It attempts to brute-force vaults using passwords harvested from environment variables and shell history.
- **Cloud Native Exploitation**: Deep integration with AWS SSM (`SendCommand`, `DescribeInstanceInformation`) and Kubernetes (`kubectl exec`) for lateral movement.
- **Conditional Wiping**: Contains an endpoint (`/audio.mp3`) potentially used for destructive actions or wiping, specifically logic related to geographic regions (Israel/Iran).
## Indicators of Compromise
- **File Hashes (SHA256)**:
- `069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce` (rope.pyz)
- `7d80b3ef74ad7992b93c31966962612e4e2ceb93e7727cdbd1d2a9af47d44ba8` (durabletask-1.4.1)
- `aeaf583e20347bf850e2fabdcd6f4982996ba023f8c2cd56bbd299cfd56516f5` (durabletask-1.4.2)
- `877ff2531a63393c4cb9c3c86908b62d9c4fc3db971bc231c48537faae6cb3ec` (durabletask-1.4.3)
- **File Names**:
- `/tmp/managed.pyz`
- `/tmp/rope-*.pyz`
- `~/.cache/.sys-update-check`
- `~/.cache/.sys-update-check-k8s`
- `/tmp/.rope_state/ssm_instances.json`
- **Network Indicators**:
- `check[.]git-service[.]com` (Primary C2)
- `t[.]m-kosche[.]com` (Secondary C2)
- `83[.]142[.]209[.]194` (Legacy C2)
- Endpoints: `/v1/models`, `/audio.mp3`, `/api/public/version`
- **Behavioral Indicators**:
- Python processes running `.pyz` files from `/tmp`.
- Unexpected `SSM:SendCommand` or `kubectl exec` activity.
## Associated Threat Actors
- **TeamPCP**
## Detection Methods
- **Behavioral detection**: Monitor for outbound connections from production servers to unknown domains like `git-service[.]com`. Audit IAM and Kubernetes logs for rapid "Describe" followed by "Exec/Send" commands.
- **File Integrity**: Scan for the presence of hidden infection markers in `~/.cache/` and `.pyz` files in `/tmp`.
## Mitigation Strategies
- **Dependency Pinning**: Ensure Python environments use verified or internal mirrors of PyPI packages; strictly avoid versions 1.4.1–1.4.3 of `durabletask`.
- **Least Privilege**: Limit permissions for IAM roles and K8s Service Accounts to prevent SSM/Exec-based propagation.
- **Credential Rotation**: If a compromise is detected, rotate all cloud secrets and master passwords for Bitwarden/1Password.
- **Egress Filtering**: Restrict outbound traffic from sensitive workloads to only known-good destinations.
## Related Tools/Techniques
- **Mini Shai-Hulud**: A related malware payload used in previous TeamPCP campaigns (e.g., against `guardrails-ai`).
- **transformers.pyz**: An earlier variant of the `rope.pyz` payload.