Microsoft's durabletask PyPI Package Compromised in Supply Chain Attack
Three malicious versions of Microsoft's durabletask Python package were published to PyPI on May 19, 2026, containing a 28 KB payload that steals credentials from cloud providers (AWS, Azure, GCP), Kubernetes, password managers, and developer tools. The attack has been attributed to the TeamPCP threat group and exhibits indicators of Eastern European cybercrime operations.
- Disclosed: May 19, 2026
- Last updated: June 7, 2026
- Blast radius: Unknown number of Python developers and organizations using the affected durabletask package versions; potential for widespread credential theft and lateral movement in cloud environments.
- Ecosystems: PyPI
- Attack vectors: Compromised package
- Threat actor: TeamPCP
- Affected entities: durabletask (Microsoft's official Python SDK; three malicious versions published to PyPI)
On May 19, 2026, three malicious versions of Microsoft's official durabletask Python SDK were published to the PyPI package repository. The compromised package carried a 28 KB payload built to steal credentials and other sensitive data from cloud and development platforms.

The payload harvested credentials for AWS, Azure, Google Cloud Platform (GCP) and Kubernetes, secrets from password managers, and more than 90 developer tool configurations. Once executed, it exfiltrated the stolen data and attempted lateral movement through connected cloud infrastructure.

The payload carries a telling technical signature: it skips execution on systems configured with a Russian locale, a behaviour commonly associated with Eastern European cybercriminal operations. The incident has been linked to the TeamPCP threat group, previously responsible for the Mini Shai-Hulud campaign.

The attack illustrates the risk posed by a compromised maintainer account on an official package, and the value of supply chain controls such as verifying package integrity (hash-pinned installs) and monitoring for unexpected releases of the packages an organization depends on.
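The release-monitoring control mentioned above can be implemented as a diff between the package's live release list and a baseline recorded at the last dependency review. The following is an added example for this entry, not code from Microsoft, the durabletask project, or the incident reports. It assumes the shape of PyPI's `/pypi/<project>/json` response; the embedded document, its version numbers, filenames, digests and timestamps are constructed placeholders, not the real durabletask artifacts. It also flags a burst of several new versions landing within hours of each other, the pattern in this incident (three versions in one day).

```python
"""Flag unexpected PyPI releases by diffing the project's JSON API document
against a baseline of previously verified files.

Added example for this catalog entry; not code from Microsoft, the
durabletask project, or the incident reports. SAMPLE_PYPI_JSON is a
constructed document in the shape of PyPI's /pypi/<project>/json response:
versions, filenames, digests and timestamps are placeholders.
"""
from __future__ import annotations

import datetime as dt

# Constructed sample: one long-standing release plus three new versions
# pushed within minutes of each other on the same day.
SAMPLE_PYPI_JSON = {
    "info": {"name": "durabletask"},
    "releases": {
        "1.0.0": [{
            "filename": "durabletask-1.0.0-py3-none-any.whl",
            "digests": {"sha256": "00" * 32},
            "upload_time_iso_8601": "2026-03-01T09:00:00.000000Z",
        }],
        "1.0.1": [{
            "filename": "durabletask-1.0.1-py3-none-any.whl",
            "digests": {"sha256": "11" * 32},
            "upload_time_iso_8601": "2026-05-19T10:00:00.000000Z",
        }],
        "1.0.2": [{
            "filename": "durabletask-1.0.2-py3-none-any.whl",
            "digests": {"sha256": "22" * 32},
            "upload_time_iso_8601": "2026-05-19T10:07:00.000000Z",
        }],
        "1.0.3": [{
            "filename": "durabletask-1.0.3-py3-none-any.whl",
            "digests": {"sha256": "33" * 32},
            "upload_time_iso_8601": "2026-05-19T10:15:00.000000Z",
        }],
    },
}

# Baseline snapshot taken at the last dependency review (also constructed):
# filename -> sha256 digest of the file that was verified.
SAMPLE_BASELINE = {"durabletask-1.0.0-py3-none-any.whl": "00" * 32}


def parse_uploads(pypi_json: dict) -> list[dict]:
    """Flatten the releases map into one record per uploaded file, oldest first."""
    uploads = []
    for version, files in pypi_json.get("releases", {}).items():
        for f in files:
            # PyPI timestamps end in 'Z'; older fromisoformat() needs '+00:00'.
            stamp = f["upload_time_iso_8601"].replace("Z", "+00:00")
            uploads.append({
                "version": version,
                "filename": f["filename"],
                "sha256": f["digests"]["sha256"],
                "uploaded": dt.datetime.fromisoformat(stamp),
            })
    return sorted(uploads, key=lambda u: u["uploaded"])


def check_releases(pypi_json: dict, baseline: dict[str, str],
                   burst_hours: float = 24.0, burst_versions: int = 2) -> dict:
    """Compare live release data with the baseline.

    unseen_versions:  versions with files absent from the baseline
    mismatched_files: baseline files whose published digest changed
    burst:            True when at least burst_versions unseen versions
                      were uploaded within burst_hours of each other
    """
    uploads = parse_uploads(pypi_json)
    unseen = [u for u in uploads if u["filename"] not in baseline]
    mismatched = [u for u in uploads
                  if u["filename"] in baseline and baseline[u["filename"]] != u["sha256"]]
    window = dt.timedelta(hours=burst_hours)
    burst = False
    for i, first in enumerate(unseen):
        close = {u["version"] for u in unseen[i:]
                 if u["uploaded"] - first["uploaded"] <= window}
        if len(close) >= burst_versions:
            burst = True
            break
    return {
        "unseen_versions": sorted({u["version"] for u in unseen}),
        "mismatched_files": [u["filename"] for u in mismatched],
        "burst": burst,
    }


if __name__ == "__main__":
    print(check_releases(SAMPLE_PYPI_JSON, SAMPLE_BASELINE))
```

In practice the document would be fetched from `https://pypi.org/pypi/durabletask/json` on a schedule and any non-empty `unseen_versions` would open a ticket before the new release is allowed into a lockfile; a `burst` hit or a digest mismatch should page someone rather than wait for the next review.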
Indicators of compromise
- Packages: durabletask (the three malicious version numbers are not listed in this entry)
Remediation
- Identify and audit every system that installed durabletask from PyPI between May 19, 2026 and the removal of the malicious versions: developer workstations, CI runners, build caches and container images, since any of them may hold a copy.
- On potentially compromised systems, rotate credentials for AWS, Azure, GCP, Kubernetes, password managers and the affected developer tools; treat every secret that was readable on the host as exposed.
- Monitor cloud infrastructure for signs of lateral movement and unauthorized access, including use of the identities that were rotated out.
- Pin durabletask to a known-good version released before May 19, 2026, preferably with hash-pinned requirements (pip's --require-hashes), or wait for an official patched release from Microsoft.
- Review logs from compromised systems for data exfiltration and unauthorized API calls.
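The first remediation step, finding every environment that carries a durabletask install and deciding which need credential rotation, can be scripted against the dist-info metadata pip leaves in site-packages. The following is an added example for this entry, not code from Microsoft, the durabletask project, or the incident reports. It assumes the operator supplies an allowlist of versions they have independently verified (the malicious version numbers are not listed on this page); the version strings, timestamps and directory layout in `build_sample_envs()` are constructed placeholders.

```python
"""Find durabletask installs across Python environments and triage them
against an allowlist of independently verified versions.

Added example for this catalog entry; not code from Microsoft, the
durabletask project, or the incident reports. The versions, timestamps
and paths produced by build_sample_envs() are constructed placeholders,
not the real clean or malicious durabletask versions.
"""
from __future__ import annotations

import datetime as dt
import os
import tempfile
from email.parser import Parser
from pathlib import Path

UTC = dt.timezone.utc
# The entry dates the malicious uploads to May 19, 2026.
WINDOW_START = dt.datetime(2026, 5, 19, tzinfo=UTC)


def metadata_version(dist_info: Path) -> str:
    """Version field from the dist-info METADATA file (RFC 822 style headers)."""
    with (dist_info / "METADATA").open(encoding="utf-8") as fh:
        return Parser().parse(fh, headersonly=True)["Version"]


def installed_at(dist_info: Path) -> dt.datetime:
    """Approximate install time from the dist-info directory mtime.

    pip recreates the directory on (re)install, so this is usually right,
    but copied or layered filesystems can carry stale mtimes: treat it as
    supporting evidence, not proof.
    """
    return dt.datetime.fromtimestamp(dist_info.stat().st_mtime, tz=UTC)


def audit(site_packages_dirs, known_good: set[str],
          window_start: dt.datetime = WINDOW_START,
          window_end: dt.datetime | None = None) -> list[dict]:
    """One finding per durabletask install, with a triage level:

    clean   - version is on the allowlist
    suspect - version not on the allowlist and installed inside the window
    review  - version not on the allowlist but mtime outside the window
    """
    findings = []
    for sp in map(Path, site_packages_dirs):
        for dist_info in sorted(sp.glob("durabletask-*.dist-info")):
            version = metadata_version(dist_info)
            when = installed_at(dist_info)
            in_window = when >= window_start and (window_end is None or when < window_end)
            if version in known_good:
                triage = "clean"
            elif in_window:
                triage = "suspect"
            else:
                triage = "review"
            findings.append({
                "path": str(dist_info),
                "version": version,
                "installed_at": when.isoformat(),
                "installed_in_window": in_window,
                "triage": triage,
            })
    return findings


def build_sample_envs(root: Path) -> list[Path]:
    """Construct two fake site-packages dirs with placeholder dist-info data."""
    specs = [
        ("env_a", "1.0.0", dt.datetime(2026, 4, 2, tzinfo=UTC)),   # allowlisted, pre-window
        ("env_b", "9.9.9", dt.datetime(2026, 5, 20, tzinfo=UTC)),  # unknown version, in window
    ]
    envs = []
    for env, version, when in specs:
        sp = root / env / "lib" / "python3.12" / "site-packages"
        dist_info = sp / f"durabletask-{version}.dist-info"
        dist_info.mkdir(parents=True)
        (dist_info / "METADATA").write_text(
            f"Metadata-Version: 2.1\nName: durabletask\nVersion: {version}\n",
            encoding="utf-8")
        ts = when.timestamp()
        os.utime(dist_info, (ts, ts))  # set after writing so the mtime sticks
        envs.append(sp)
    return envs


def run_demo() -> list[dict]:
    """Build the sample environments in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        envs = build_sample_envs(Path(tmp))
        return audit(envs, known_good={"1.0.0"})


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['triage']:8}{f['version']:8}{f['installed_at']}  {f['path']}")
```

On a real fleet, feed `audit()` the site-packages directories discovered on each host (including those inside container images and CI caches) and rotate credentials for every host that returns a `suspect` finding; `review` findings need a second signal, such as pip's log or the package cache, before they are cleared.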
Cite this entry
"Microsoft's durabletask PyPI Package Compromised in Supply Chain Attack." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed May 19, 2026; last updated June 7, 2026. https://supplychainattack.org/incident/microsoft-s-durabletask-pypi-package-compromised-in-supply-chain-attack-vomlz6
Status: active; severity: critical
Related incidents
The Hades Campaign: Graph ML PyPI Packages Deploy Cross-Platform Memory Scrapers, AI Analyst Misdirection, and a Wiper Deterrent
On June 8, 2026, multiple Graph ML PyPI packages were compromised in the Hades campaign, deploying cross-platform memory scrapers, AI prompt injections for analyst misdirection, and token-revocation wipers. The attack targeted the bioinformatics ecosystem with sophisticated evasion techniques.
Tags: Hades, PyPI, Compromised package. Status: contained; severity: high.
New Shai-Hulud attack trojanizes 19 science-focused PyPI packages
Hackers compromised 19 science-focused packages on PyPI in a Shai-Hulud supply-chain attack. The trojanized packages were collectively downloaded hundreds of thousands of times and delivered malware designed to steal developer secrets.
Tags: Shai-Hulud, PyPI, Compromised package. Status: resolved; severity: high.
durabletask: TeamPCP's Latest PyPi Compromise
Malicious versions of the PyPI package durabletask were published, attributed to the TeamPCP threat actor. The attack matches known TeamPCP tactics used in prior supply chain compromises.
Tags: TeamPCP, PyPI, Compromised package. Status: contained; severity: critical.
TeamPCP Injects Two-Stage Credential Stealer into xinference PyPI Package
The xinference package on PyPI was compromised with a two-stage credential stealer attributed to the TeamPCP threat actor. The malicious code was injected into the package, potentially affecting users who installed compromised versions.
Tags: TeamPCP, PyPI, Compromised package, Malicious maintainer.