malware pypi

durabletask

discovered 2026-05-20

durabletask is identified in the SafeDep analysis "Malicious durabletask on PyPI: Multi-Cloud Credential Stealer with Worm Capabilities". Three compromised versions of the Microsoft durabletask Python SDK (1.4.1, 1.4.2, 1.4.3) were published to PyPI, each downloading a stage-2 payload that steals credentials from AWS, Azure, GCP, Kubernetes, HashiCorp Vault, and password managers, then propagates to other hosts via SSM and kubectl exec.

more…

Threat types

credential_stealer data_exfiltration worm

Malicious versions

0.1.0

Campaigns

Mini Shai-Huludattributed-to

Indicators

domain check.git-service.comcommunicates-with
domain t.m-kosche.comcommunicates-with
domain www.youtube.comcommunicates-with
ipv4 160.119.64.3communicates-with
ipv4 185.95.159.32communicates-with
sha256 3de04fe2a76262743ed089efa7115f4508619838e77d60b9a1aab8b20d2cc8bfindicates
sha256 85f54c089d78ebfb101454ec934c767065a342a43c9ee1beac8430cdd3b2086findicates
sha256 c0b094e46842260936d4b97ce63e4539b99a3eae48b736798c700217c52569dcindicates
sha256 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ceindicates

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.006 Command and Scripting Interpreter: Pythonuses
ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1528 Steal Application Access Tokenuses
ttp T1105 Ingress Tool Transferuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1102 Web Serviceuses
ttp T1021 Remote Servicesuses
ttp T1098 Account Manipulationuses

Read the full analysis →