Microsoft's durabletask PyPI Package Compromised in Supply Chain Attack
WHITE TeamPCP PetrP.73 2026-05-22 Modified: 2026-05-22
On May 19, 2026, the Microsoft durabletask Python SDK was compromised on PyPI, marking a significant supply chain attack. Using stolen publishing credentials, the attacker uploaded three malicious versions of the package (1.4.1, 1.4.2, and 1.4.3) within a short timeframe, bypassing the build pipeline of Microsoft's GitHub repository. The malicious payload, consisting of 14 lines of Python code, acts as a dropper for a more complex modular cloud intrusion framework known as rope.pyz. This framework features multiple modules designed to exfiltrate sensitive data across major cloud platforms and systems, including AWS, Azure, and GCP.
Indicators of Compromise (25)
CVE CVE-2026-45321 2026-05-22