{
  "type": "URL",
  "indicator": "https://check.git-service.com/api/public/version",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://check.git-service.com/api/public/version",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4372176424,
      "indicator": "https://check.git-service.com/api/public/version",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "6a10220a8beb26aae6cd4c06",
          "name": "Microsoft's durabletask PyPI Package Compromised in Supply Chain Attack",
          "description": "On May 19, 2026, the Microsoft durabletask Python SDK was compromised on PyPI, marking a significant supply chain attack. The attacker uploaded three malicious versions of the package (1.4.1, 1.4.2, and 1.4.3) within a short timeframe, bypassing the build pipeline of Microsoft's GitHub repository by using stolen publishing credentials. The malicious payload, consisting of 14 lines of Python code, acts as a dropper for a more complex modular cloud intrusion framework known as rope.pyz. This framework features multiple modules designed to exfiltrate sensitive data across major cloud platforms and systems, including AWS, Azure, and GCP.",
          "modified": "2026-05-22T09:29:46.651000",
          "created": "2026-05-22T09:29:46.651000",
          "tags": [
            "pypi",
            "github",
            "c2 domain",
            "microsoft",
            "cicd",
            "kubernetes",
            "teampcp",
            "hardenrunner",
            "docker",
            "mini shaihulud",
            "babayaga",
            "firebird",
            "dropper",
            "hulud",
            "vault cli",
            "kb"
          ],
          "references": [
            "https://www.stepsecurity.io/blog/microsofts-durabletask-pypi-package-compromised-in-supply-chain-attack"
          ],
          "public": 1,
          "adversary": "TeamPCP",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1102.001",
              "name": "Dead Drop Resolver",
              "display_name": "T1102.001 - Dead Drop Resolver"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1195.001",
              "name": "Compromise Software Dependencies and Development Tools",
              "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 7,
            "IPv4": 1,
            "URL": 5,
            "domain": 1,
            "hostname": 2
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 543,
          "modified_text": "10 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.stepsecurity.io/blog/microsofts-durabletask-pypi-package-compromised-in-supply-chain-attack"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "TeamPCP"
          ],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 25
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/git-service.com",
    "whois": "http://whois.domaintools.com/git-service.com",
    "domain": "git-service.com",
    "hostname": "check.git-service.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "6a10220a8beb26aae6cd4c06",
      "name": "Microsoft's durabletask PyPI Package Compromised in Supply Chain Attack",
      "description": "On May 19, 2026, the Microsoft durabletask Python SDK was compromised on PyPI, marking a significant supply chain attack. The attacker uploaded three malicious versions of the package (1.4.1, 1.4.2, and 1.4.3) within a short timeframe, bypassing the build pipeline of Microsoft's GitHub repository by using stolen publishing credentials. The malicious payload, consisting of 14 lines of Python code, acts as a dropper for a more complex modular cloud intrusion framework known as rope.pyz. This framework features multiple modules designed to exfiltrate sensitive data across major cloud platforms and systems, including AWS, Azure, and GCP.",
      "modified": "2026-05-22T09:29:46.651000",
      "created": "2026-05-22T09:29:46.651000",
      "tags": [
        "pypi",
        "github",
        "c2 domain",
        "microsoft",
        "cicd",
        "kubernetes",
        "teampcp",
        "hardenrunner",
        "docker",
        "mini shaihulud",
        "babayaga",
        "firebird",
        "dropper",
        "hulud",
        "vault cli",
        "kb"
      ],
      "references": [
        "https://www.stepsecurity.io/blog/microsofts-durabletask-pypi-package-compromised-in-supply-chain-attack"
      ],
      "public": 1,
      "adversary": "TeamPCP",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1102.001",
          "name": "Dead Drop Resolver",
          "display_name": "T1102.001 - Dead Drop Resolver"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1195.001",
          "name": "Compromise Software Dependencies and Development Tools",
          "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 7,
        "IPv4": 1,
        "URL": 5,
        "domain": 1,
        "hostname": 2
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 543,
      "modified_text": "10 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://check.git-service.com/api/public/version",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://check.git-service.com/api/public/version",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780366572.179389
}