TeamPCP Compromises Microsoft’s DurableTask PyPI Package to Deploy Multi-Stage Credential Theft Malware

    Date: 06/11/2026

    Severity: High

    Summary

    Our investigation of the malicious DurableTask packages revealed a sophisticated multi-stage supply chain attack targeting cloud-native and developer-centric environments. Beyond credential theft, the malware incorporates persistence mechanisms, multi-cloud credential collection, GitHub token abuse, Kubernetes and Vault targeting, resilient command-and-control discovery, and geo-targeted destructive functionality. The breadth of credential sources targeted by the malware indicates a strong focus on gaining access to cloud infrastructure, development environments, and privileged secrets. Organizations that installed the affected package versions should conduct a thorough compromise assessment, rotate exposed credentials, and review access to cloud, GitHub, Kubernetes, and Vault environments.

    This incident highlights the continued risk posed by software supply chain attacks and reinforces the need for dependency monitoring, package validation, and continuous detection capabilities across developer ecosystems.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://check.git-service.com/rope.pyz

    https://t.m-kosche.com/rope.pyz

    https://check.git-service.com/v1/models

    https://check.git-service.com/api/public/version

    git-service.com

    m-kosche.com

    Hashes (SHA-256):

    219c72d7955b6e1341e527bfca83d29d91feac6ae192529ec8798aa5325e4618

    069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce

    File Names:

    /tmp/managed.pyz

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "https://t.m-kosche.com/rope.pyz" or url like "https://t.m-kosche.com/rope.pyz" or siteurl like "https://t.m-kosche.com/rope.pyz" or
    domainname like "https://check.git-service.com/rope.pyz" or url like "https://check.git-service.com/rope.pyz" or siteurl like "https://check.git-service.com/rope.pyz" or
    domainname like "https://check.git-service.com/v1/models" or url like "https://check.git-service.com/v1/models" or siteurl like "https://check.git-service.com/v1/models" or
    domainname like "t.m-kosche.com" or url like "t.m-kosche.com" or siteurl like "t.m-kosche.com" or
    domainname like "git-service.com" or url like "git-service.com" or siteurl like "git-service.com"

    Detection Query 2 :

    sha256hash IN ("219c72d7955b6e1341e527bfca83d29d91feac6ae192529ec8798aa5325e4618", "069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce")

    Detection Query 3 :

    resourcename = "Windows Security" AND eventtype = "4663" AND objectname like "/tmp/managed.pyz"

    Detection Query 4 :

    technologygroup = "EDR" AND objectname like "/tmp/managed.pyz"
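    As an added illustration (not part of the advisory and not Gurucul's own tooling), the Python below mirrors the four queries above as an offline matcher over constructed JSON log lines: field names follow the queries, hashes are compared case-insensitively, and the domain check treats any host under the two listed domains as a hit while rejecting look-alike suffixes that a naive substring match would catch.

```python
import json
from urllib.parse import urlparse
# Indicators taken from the advisory above.
IOC_DOMAINS = {"git-service.com", "m-kosche.com"}
IOC_URLS = {"https://check.git-service.com/rope.pyz", "https://t.m-kosche.com/rope.pyz",
            "https://check.git-service.com/v1/models",
            "https://check.git-service.com/api/public/version"}
IOC_SHA256 = {"219c72d7955b6e1341e527bfca83d29d91feac6ae192529ec8798aa5325e4618",
              "069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce"}
IOC_PATH = "/tmp/managed.pyz"

def domain_matches(value):
    """True if a URL or bare hostname is, or sits under, an IOC domain."""
    host = ((urlparse(value).hostname if "://" in value else value) or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def match_event(event):
    """Return (query, indicator) hits for one parsed event, mirroring queries 1-4."""
    hits = []
    for field in ("domainname", "url", "siteurl"):
        value = event.get(field) or ""
        if value in IOC_URLS or domain_matches(value):
            hits.append(("query1", value))
    sha = (event.get("sha256hash") or "").lower()  # normalise case before comparing
    if sha in IOC_SHA256:
        hits.append(("query2", sha))
    obj = event.get("objectname") or ""
    if obj == IOC_PATH or obj.endswith(IOC_PATH):
        # Query 3 keys on Windows event 4663; anything else falls under EDR query 4.
        hits.append(("query3" if str(event.get("eventtype")) == "4663" else "query4", obj))
    return hits

def scan(lines):
    """Parse JSON log lines; return {line_number: hits} for lines that match."""
    results = {}
    for n, line in enumerate(lines, 1):
        try:
            hits = match_event(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than aborting the scan
        if hits:
            results[n] = hits
    return results

# Constructed sample events (not real telemetry).
SAMPLE_LOGS = [
    '{"url": "https://check.git-service.com/rope.pyz", "host": "build-01"}',
    '{"domainname": "cdn.m-kosche.com"}', '{"technologygroup": "EDR", "objectname": "/tmp/managed.pyz"}',
    '{"sha256hash": "219C72D7955B6E1341E527BFCA83D29D91FEAC6AE192529EC8798AA5325E4618"}',
    '{"url": "https://pypi.org/project/durabletask/"}', 'not json at all',
]
```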

    Reference:

    https://gurucul.com/blog/teampcp-compromises-microsofts-durabletask-pypi-package-to-deploy-multi-stage-credential-theft-malware/

