O RLY CYBER on Nostr: (wiz.io) TeamPCP Supply Chain Attack: Compromise of DurableTask Python Packages ...
(wiz.io) TeamPCP Supply Chain Attack: Compromise of DurableTask Python Packages Unleashes Multi-Cloud Credential Theft and Worm Propagation
New supply chain attack by TeamPCP: Compromised Microsoft DurableTask Python packages (v1.4.1–1.4.3) deploy rope.pyz malware targeting Linux. Credential theft (AWS/Azure/GCP/K8s/Vault) + lateral movement via AWS SSM/Kubernetes. Worm-like propagation with 5-target limit per host. C2: check.git-service.com, t.m-kosche.com.
In brief - TeamPCP compromised official DurableTask Python packages to distribute malware stealing cloud/K8s credentials and enabling lateral movement across multi-cloud environments. Immediate credential rotation and C2 blocking recommended.
Technically - Malware (rope.pyz) injected into __init__.py/task.py, persists via ~/.cache/.sys-update-check. Harvests credentials from env vars, .bash_history/.zsh_history, and password managers (Bitwarden/1Password/GPG). Uses AWS SSM (SendCommand) and kubectl exec for lateral movement. Exfil via /v1/models, /audio.mp3. IoCs: rope.pyz hashes, /tmp/managed.pyz, /tmp/rope-*.pyz. RSA Key B for encryption.
Source: https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack

#Cybersecurity #ThreatIntel
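As an added example (not code from the post or from Wiz), the script below turns the indicators quoted above into a host triage check: it matches a `pip freeze` listing against the affected 1.4.1 to 1.4.3 range, a file inventory against the staging and persistence paths (/tmp/managed.pyz, /tmp/rope-*.pyz, ~/.cache/.sys-update-check), and DNS/proxy log lines against the two C2 hostnames. It assumes the PyPI distribution name starts with `durabletask`; the sample inputs are constructed, and since the post does not reproduce the rope.pyz hashes the script does not hash files.

```python
"""Host triage for the DurableTask/TeamPCP indicators quoted in the post.

Added example, not Wiz's or the post author's code. Paths, hostnames and the
affected version range are taken from the post; the package-name prefix is
an assumption.
"""
import fnmatch
import glob
import os
import re

AFFECTED_VERSIONS = {(1, 4, 1), (1, 4, 2), (1, 4, 3)}
C2_HOSTS = ("check.git-service.com", "t.m-kosche.com")
IOC_PATH_PATTERNS = ("/tmp/managed.pyz", "/tmp/rope-*.pyz", "~/.cache/.sys-update-check")
PACKAGE_PREFIX = "durabletask"  # assumption: affected PyPI distribution names start with this


def parse_version(text):
    """Return (major, minor, patch) for a plain X.Y.Z version string, else None."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def affected_pins(freeze_output):
    """Parse `pip freeze`-style lines and return the pins in the affected range."""
    hits = []
    for line in freeze_output.splitlines():
        name, sep, version = line.strip().partition("==")
        if not sep or not name.lower().startswith(PACKAGE_PREFIX):
            continue
        if parse_version(version) in AFFECTED_VERSIONS:
            hits.append(f"{name}=={version.strip()}")
    return hits


def expand_patterns(home):
    """Resolve the leading '~' of each IoC pattern against a given home directory."""
    return [p.replace("~", home, 1) if p.startswith("~") else p for p in IOC_PATH_PATTERNS]


def match_ioc_paths(paths, home):
    """Filter absolute paths (e.g. from a file inventory) down to IoC matches, sorted."""
    patterns = expand_patterns(home)
    return sorted(p for p in paths if any(fnmatch.fnmatch(p, pat) for pat in patterns))


def scan_local_filesystem(home=None):
    """Glob the live host for the IoC paths; wraps match_ioc_paths for the deterministic part."""
    home = home or os.path.expanduser("~")
    found = []
    for pat in expand_patterns(home):
        found.extend(glob.glob(pat))
    return match_ioc_paths(found, home)


def c2_hits(log_lines):
    """Return (line_no, host) pairs for DNS/proxy log lines naming a C2 hostname.

    The lookaround guards avoid matching a longer hostname that merely contains one.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in C2_HOSTS:
            if re.search(r"(?<![\w.-])" + re.escape(host) + r"(?![\w-])", line.lower()):
                hits.append((n, host))
    return hits


if __name__ == "__main__":
    # Constructed sample inputs, not real telemetry.
    freeze = "requests==2.31.0\ndurabletask==1.4.2\n"
    inventory = ["/tmp/rope-a1b2.pyz", "/home/svc/.cache/.sys-update-check", "/usr/lib/x.pyz"]
    dns_log = ["10.0.0.5 query A check.git-service.com", "10.0.0.5 query A example.com"]
    print("affected pins:", affected_pins(freeze))
    print("IoC paths:", match_ioc_paths(inventory, home="/home/svc"))
    print("C2 lookups:", c2_hits(dns_log))
    print("live host IoC paths:", scan_local_filesystem())
```

Run it on a host to glob the live paths, or feed it a `pip freeze` dump, a file inventory and DNS/proxy logs collected from fleet tooling; any hit on the version range, the paths or the C2 hostnames is a trigger for the credential rotation the post recommends.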
Published at 2026-05-19 19:15:52 UTC

Event JSON
{
"id": "6a0150a44763165edfd7b8472ea86cd4c3e54559021bd57b0f289239d9ecdbb2",
"pubkey": "85ffc59f6e6ed39671535a8b5e87a4e7b2fd9a14d8c29200eca0f9526e184149",
"created_at": 1779218152,
"kind": 1,
"tags": [
[
"proxy",
"https://swecyb.com/@orlysec/116602840846043800",
"web"
],
[
"t",
"threatintel"
],
[
"t",
"cybersecurity"
],
[
"proxy",
"https://swecyb.com/ap/users/116080658609901341/statuses/116602840846043800",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://swecyb.com/ap/users/116080658609901341/statuses/116602840846043800",
"pink.momostr"
],
[
"-"
]
],
"content": "(wiz.io) TeamPCP Supply Chain Attack: Compromise of DurableTask Python Packages Unleashes Multi-Cloud Credential Theft and Worm Propagation\n\nNew supply chain attack by TeamPCP: Compromised Microsoft DurableTask Python packages (v1.4.1–1.4.3) deploy rope.pyz malware targeting Linux. Credential theft (AWS/Azure/GCP/K8s/Vault) + lateral movement via AWS SSM/Kubernetes. Worm-like propagation with 5-target limit per host. C2: check.git-service.com, t.m-kosche.com.\n\nIn brief - TeamPCP compromised official DurableTask Python packages to distribute malware stealing cloud/K8s credentials and enabling lateral movement across multi-cloud environments. Immediate credential rotation and C2 blocking recommended.\n\nTechnically - Malware (rope.pyz) injected into __init__.py/task.py, persists via ~/.cache/.sys-update-check. Harvests credentials from env vars, .bash_history/.zsh_history, and password managers (Bitwarden/1Password/GPG). Uses AWS SSM (SendCommand) and kubectl exec for lateral movement. Exfil via /v1/models, /audio.mp3. IoCs: rope.pyz hashes, /tmp/managed.pyz, /tmp/rope-*.pyz. RSA Key B for encryption.\n\nSource: https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack\n\n#Cybersecurity #ThreatIntel",
"sig": "57b8de37aa7adbbb4d9794b4a23f3112972c463bc829b65226913d91e9a1cf3cad5ab413cb07082d10218bef3ea4a5533afc53bf4063e9f82dbc0b2e92cea2f3"
}