(wiz.io) TeamPCP Supply Chain Attack: Compromise of DurableTask Python Packages Unleashes Multi-Cloud Credential Theft and Worm Propagation
New supply chain attack by TeamPCP: Compromised Microsoft DurableTask Python packages (v1.4.1–1.4.3) deploy rope.pyz malware targeting Linux. Credential theft (AWS/Azure/GCP/K8s/Vault) + lateral movement via AWS SSM/Kubernetes. Worm-like propagation with 5-target limit per host. C2: check.git-service.com, t.m-kosche.com.
In brief - TeamPCP compromised official DurableTask Python packages to distribute malware stealing cloud/K8s credentials and enabling lateral movement across multi-cloud environments. Immediate credential rotation and C2 blocking recommended.
Technically - Malware (rope.pyz) is injected into __init__.py/task.py and persists via ~/.cache/.sys-update-check. It harvests credentials from environment variables, .bash_history/.zsh_history, and password managers (Bitwarden/1Password/GPG), and uses AWS SSM (SendCommand) and kubectl exec for lateral movement. Exfiltration goes over the /v1/models and /audio.mp3 endpoints. IoCs: rope.pyz hashes, /tmp/managed.pyz, /tmp/rope-*.pyz. An RSA key ("Key B") is used for encryption.
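A defender-side triage helper for the indicators listed above, added here as an example (not code from Wiz or from the DurableTask project): it checks a host for the file artefacts, flags installed packages pinned to the compromised 1.4.1–1.4.3 versions, and greps DNS/proxy log lines for the two C2 hosts. The PyPI distribution name `durabletask` is an assumption (the summary only says "DurableTask Python packages"), and the inventory and log lines are constructed samples.

```python
"""Triage helper for the DurableTask compromise indicators in this summary.

Added example, not part of the Wiz write-up: file IoCs, affected package
versions and C2 host names come from the summary; everything else is assumed.
"""
import importlib.metadata
import os
import tempfile
from pathlib import Path

# Compromised versions named in the summary (v1.4.1-1.4.3).
AFFECTED_VERSIONS = {"1.4.1", "1.4.2", "1.4.3"}
# Assumption: the summary does not give the PyPI distribution names; extend
# this set to match whatever your package inventory reports.
SUSPECT_PACKAGES = {"durabletask"}
# Host artefacts listed in the summary.
IOC_PATHS = ["~/.cache/.sys-update-check", "/tmp/managed.pyz", "/tmp/rope-*.pyz"]
# C2 hosts listed in the summary.
C2_HOSTS = {"check.git-service.com", "t.m-kosche.com"}


def affected_packages(installed):
    """installed: iterable of (name, version). Returns names pinned to a compromised version."""
    return sorted(
        name for name, version in installed
        if name.lower() in SUSPECT_PACKAGES and version in AFFECTED_VERSIONS
    )


def iocs_present(home, tmp):
    """Expand the file IoCs against the given home and /tmp directories and glob them."""
    hits = []
    for pattern in IOC_PATHS:
        if pattern.startswith("~/"):
            expanded = Path(home) / pattern[2:]
        elif pattern.startswith("/tmp/"):
            expanded = Path(tmp) / pattern[5:]
        else:
            expanded = Path(pattern)
        if expanded.parent.is_dir():
            hits.extend(str(p) for p in expanded.parent.glob(expanded.name))
    return sorted(hits)


def c2_hits(log_lines):
    """Return the DNS/proxy log lines that mention one of the C2 hosts."""
    return [line for line in log_lines if any(host in line for host in C2_HOSTS)]


def scan_host():
    """Run the package and file checks against the current machine."""
    installed = [((d.metadata["Name"] or ""), d.version)
                 for d in importlib.metadata.distributions()]
    return {
        "affected_packages": affected_packages(installed),
        "ioc_files": iocs_present(Path.home(), Path("/tmp")),
    }


def demo():
    """Plant constructed marker files in a throwaway directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        home, tmp = Path(d) / "home", Path(d) / "tmp"
        (home / ".cache").mkdir(parents=True)
        (home / ".cache" / ".sys-update-check").write_text("# constructed marker\n")
        tmp.mkdir()
        (tmp / "rope-abc123.pyz").write_bytes(b"constructed, not real malware")
        (tmp / "unrelated.txt").write_text("noise\n")
        return [os.path.relpath(h, d) for h in iocs_present(home, tmp)]


# Constructed sample inventory and DNS log lines for offline use.
SAMPLE_INVENTORY = [("durabletask", "1.4.2"), ("requests", "2.31.0"), ("durabletask", "1.3.0")]
SAMPLE_DNS_LOG = [
    "ts=1 query A check.git-service.com from 10.0.0.5",
    "ts=2 query A pypi.org from 10.0.0.5",
    "ts=3 query A t.m-kosche.com from 10.0.0.9",
]

if __name__ == "__main__":
    print("demo IoC hits:", demo())
    print("affected packages:", affected_packages(SAMPLE_INVENTORY))
    print("C2 log lines:", c2_hits(SAMPLE_DNS_LOG))
    print("live scan:", scan_host())
```

Run it as-is to see the constructed demo, or call `scan_host()` from an inventory job; a hit on any of the three checks is the cue to rotate the cloud, Kubernetes and Vault credentials the summary names and to block the C2 hosts at the egress.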
Source: https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack
