


































The supply chain campaign linked to TeamPCP continues with the compromise of durabletask v1.4.1, v1.4.2, and v1.4.3. DurableTask is the official Microsoft Python client for the Durable Task workflow execution framework.
These packages have been quarantined by PyPi, subsequent to Wiz's analysis.
There is a direct link between the previously reported @antv wave and this compromised package.
A compromised user account was identified based on their publication of the repositories implicated in that wave. That same account can be observed targeting the microsoft/durabletask-python between 15:08 UTC and 15:16 UTC:
We can observe the attacker copied the latest commit message from main, and the behavior matches past examples of leveraging compromised credentials to dump secrets from GitHub. Workflows in the repository indicate that the PyPi token was present within the GitHub secrets.
So we can conclude that the attacker compromised a GitHub account via a previous attack, dumped GitHub secrets from a repository to which the user had access, and from there had access to the PyPi token to publish directly.
The payload is a slight evolution of the one previously deployed in the compromise of the guardrails-ai package on May 11th.
| Attribute | transformers.pyz v2 | durabletask v1.4.1 | durabletask v1.4.2 | durabletask v1.4.3 |
|---|---|---|---|---|
| Status | Malware payload | Compromised | Compromised | Compromised |
| C2 Domain | 83.142.209.194 | check.git-service.com | check.git-service.com | check.git-service.com |
| Backup C2 | - | t.m-kosche.com | t.m-kosche.com | t.m-kosche.com |
| Payload | transformers.pyz | rope.pyz | rope.pyz | rope.pyz |
| Injection Points | __init__.py | __init__.py | task.py | entities/__init__.py, extensions/__init__.py, payload/__init__.py |
| Target OS | Linux | Linux | Linux | Linux |
| Credential Stealing | AWS, Azure, GCP, K8s, Vault, Filesystem, Passwords | Yes (inherited) | Yes (inherited) | Yes (inherited) |
| AWS SSM Propagation | No | Yes | Yes | Yes |
| K8s Lateral Movement | No | Yes | Yes | Yes |
| Password Manager Bruteforce | No | Yes (Bitwarden, 1Password, GPG) | Yes (Bitwarden, 1Password, GPG) | Yes (Bitwarden, 1Password, GPG) |
| History Scraping | No | Yes (.bash_history, .zsh_history) | Yes | Yes |
| Propagation Limit | - | 5 targets/host | 5 targets/host | 5 targets/host |
| Infection Marker | - | ~/.cache/.sys-update-check | ~/.cache/.sys-update-check | ~/.cache/.sys-update-check |
| RSA Key | Key A | Key B (new) | Key B (new) | Key B (new) |
| SSL Verification | Disabled | Enabled | Enabled | Enabled |
Wiz customers should refer to the Wiz Threat Intelligence Center Advisory on this incident.
Immediately identify exposure: Search lockfiles and CI logs for durabletask versions 1.4.1, 1.4.2, or 1.4.3. Look for /tmp/managed.pyz or /tmp/rope-*.pyz on Linux systems.
Check for persistence: Search for the infection marker ~/.cache/.sys-update-check (AWS/general) and ~/.cache/.sys-update-check-k8s (Kubernetes) on affected systems. Presence confirms payload execution. Check for running python3 /tmp/managed.pyz processes.
Rotate all credentials: If exposure is suspected, rotate AWS credentials (especially IAM User credentials), Azure credentials, GCP service accounts, Kubernetes service accounts, Vault tokens, and any passwords stored in Bitwarden, 1Password, or pass/gopass. Assume shell history (.bash_history, .zsh_history) was exfiltrated.
Audit AWS SSM and Kubernetes: Check CloudTrail for SSM:SendCommand and SSM:DescribeInstanceInformation calls from compromised instances. Review Kubernetes audit logs for unexpected kubectl exec activity. The worm propagates to up to 5 targets per infected host.
Check password manager sessions: Review Bitwarden (bw) and 1Password (op) CLI usage. The payload attempts brute-force unlock using harvested passwords from environment variables and shell history.
Block C2 infrastructure: Block check.git-service.com and t.m-kosche.com at the DNS/proxy level. Block outbound connections to the exfil endpoints /v1/models, /audio.mp3, and /api/public/version.
For longer term hardening guidance, Wiz has developed:
| File | Hash |
|---|---|
| rope.pyz | 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce |
| durabletask-1.4.1-py3-none-any.whl | 7d80b3ef74ad7992b93c31966962612e4e2ceb93e7727cdbd1d2a9af47d44ba8 |
| durabletask-1.4.2-py3-none-any.whl | aeaf583e20347bf850e2fabdcd6f4982996ba023f8c2cd56bbd299cfd56516f5 |
| durabletask-1.4.3-py3-none-any.whl | 877ff2531a63393c4cb9c3c86908b62d9c4fc3db971bc231c48537faae6cb3ec |
| Type | Indicator |
|---|---|
| C2 Domain (Primary) | check.git-service.com |
| C2 Domain (Secondary) | t.m-kosche.com |
| Payload URL | https://check.git-service[.]com/rope.pyz |
| Payload URL (Backup) | https://t.m-kosche[.]com/rope.pyz |
| Killswitch/Command Endpoint | /v1/models |
| Wipe Audio (Israel/Iran only) | /audio.mp3 |
| Exfil Endpoint | /api/public/version |
| Legacy C2 IP | 83.142.209.194 |
| Type | Indicator |
|---|---|
| Downloaded Payload | /tmp/managed.pyz |
| Downloaded Payload | /tmp/rope-*.pyz |
| Infection Marker (General) | ~/.cache/.sys-update-check |
| Infection Marker (Kubernetes) | ~/.cache/.sys-update-check-k8s |
| SSM State File | /tmp/.rope_state/ssm_instances.json |
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。