{
  "name": "Latest PyPi Compromise",
  "slug": "latest-pypi-compromise",
  "description": "A supply chain attack targeting the Microsoft DurableTask Python client compromised versions 1.4.1, 1.4.2, and 1.4.3 on PyPI. The threat actor gained access through a compromised GitHub account previously linked to other attacks, using stolen credentials to dump GitHub secrets containing PyPI tokens. The evolved payload targets Linux systems, stealing credentials from AWS, Azure, GCP, Kubernetes, Vault, and password managers such as Bitwarden and 1Password. It propagates laterally via AWS SSM and Kubernetes, limited to five targets per infected host. The payload scrapes shell history, brute-forces password managers, and establishes persistence through infection markers. The compromised packages were quarantined following analysis.",
  "published": "2026-05-19T22:26:56.337000+00:00",
  "created_at": "2026-05-21T00:36:44.203000+00:00",
  "modified_at": "2026-05-20T22:36:44+00:00",
  "created_at_opencti": "2026-05-21T00:36:44.203000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "aws ssm propagation",
    "credential theft",
    "durabletask",
    "github secrets",
    "kubernetes lateral movement",
    "managed.pyz",
    "password manager",
    "pypi compromise",
    "rope.pyz",
    "supply chain attack",
    "transformers.pyz"
  ],
  "tags": [
    "2026-05-19",
    "aws ssm propagation",
    "credential-theft",
    "durabletask",
    "github secrets",
    "kubernetes lateral movement",
    "managed.pyz",
    "password manager",
    "pypi compromise",
    "rope.pyz",
    "supply chain attack",
    "transformers.pyz"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "b70c891a-6ebc-4ed2-bd0f-7acce0d38a3b",
        "name": "https://t.m-kosche.com/rope.pyz"
      },
      {
        "id": "034464d2-ca57-4ab0-a2da-ad85721f100e",
        "name": "83.142.209.194"
      },
      {
        "id": "5c575a32-39f8-45a4-a547-66662e491312",
        "name": "7d80b3ef74ad7992b93c31966962612e4e2ceb93e7727cdbd1d2a9af47d44ba8"
      },
      {
        "id": "a43a197c-42d8-455c-9f1f-68d52d5bfd40",
        "name": "aeaf583e20347bf850e2fabdcd6f4982996ba023f8c2cd56bbd299cfd56516f5"
      },
      {
        "id": "5ab8708d-a42e-4c18-b2a5-7e7280a61a41",
        "name": "069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce"
      },
      {
        "id": "bc6d810d-5ad1-4cc4-a7aa-36e58695ef7d",
        "name": "check.git-service.com"
      },
      {
        "id": "cb72256f-897e-4ff8-84e0-55772689ff6d",
        "name": "877ff2531a63393c4cb9c3c86908b62d9c4fc3db971bc231c48537faae6cb3ec"
      },
      {
        "id": "9b456896-eaf5-4abb-badd-9d6192a99260",
        "name": "https://check.git-service.com/rope.pyz"
      },
      {
        "id": "2600d2ae-9da7-4edd-82d3-1ac16c834390",
        "name": "t.m-kosche.com"
      }
    ],
    "intrusion_sets": [
      {
        "id": "5255c6ce-4692-4aea-b599-0e78a6c4c4aa",
        "name": "TeamPCP",
        "slug": "teampcp"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "4cb4ee3b-b78f-45cf-bcaa-45a2aa968e56",
        "name": "T1570"
      },
      {
        "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b",
        "name": "T1059.006"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "97cda0df-73f8-46ac-9b12-ba9b7f4032ab",
        "name": "T1552.007"
      },
      {
        "id": "9f21708c-24b6-46b5-bf7e-522256e8470c",
        "name": "T1552.004"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "99571c5a-1615-4466-ab0e-f4d9e9219640",
        "name": "T1552.006"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4",
        "name": "T1195.002"
      },
      {
        "id": "535a45a7-819f-46fa-947a-c9eabd27c419",
        "name": "T1555.005"
      },
      {
        "id": "0b534d7b-0850-41a7-9bc5-f2e6162eea42",
        "name": "T1195.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "7c497590-4975-4cec-b8c6-e94966b6e9c3",
        "name": "T1087.004"
      },
      {
        "id": "195d9773-4de3-4f61-b94d-a2b53cb65608",
        "name": "T1021.001"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      }
    ],
    "malware": [
      {
        "id": "98291a90-5e00-487a-bc98-8a3d87def30f",
        "name": "managed.pyz",
        "slug": "managedpyz"
      },
      {
        "id": "af858e03-ee95-49fa-a0c4-4f794231c2bb",
        "name": "transformers.pyz",
        "slug": "transformerspyz"
      },
      {
        "id": "23e75e1e-ddeb-470b-99e1-6fd73d02c1d4",
        "name": "rope.pyz",
        "slug": "ropepyz"
      }
    ],
    "observables": [
      {
        "id": "474929ab-be92-42d9-91f3-e985392e12f2",
        "name": "check.git-service.com"
      },
      {
        "id": "ae42567b-6f98-49a9-8c46-3110f439aa6c",
        "name": "t.m-kosche.com"
      },
      {
        "id": "806d0f58-9c41-4d50-948b-13fec2ce75b2",
        "name": "83.142.209.194"
      },
      {
        "id": "7546efce-4dda-4e9d-8599-59336bf902b3",
        "name": "https://t.m-kosche.com/rope.pyz"
      },
      {
        "id": "a71c56ca-db10-4c08-9a00-87454efef630",
        "name": "https://check.git-service.com/rope.pyz"
      },
      {
        "id": "",
        "name": "7d80b3ef74ad7992b93c31966962612e4e2ceb93e7727cdbd1d2a9af47d44ba8"
      },
      {
        "id": "",
        "name": "aeaf583e20347bf850e2fabdcd6f4982996ba023f8c2cd56bbd299cfd56516f5"
      },
      {
        "id": "",
        "name": "069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce"
      },
      {
        "id": "",
        "name": "877ff2531a63393c4cb9c3c86908b62d9c4fc3db971bc231c48537faae6cb3ec"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "check.git-service.com"
      },
      {
        "id": "",
        "name": "t.m-kosche.com"
      }
    ]
  },
  "external_refs": [
    {
      "id": "ea05780c-dd3b-4ad2-a050-12c7563ad494",
      "standard_id": "external-reference--fc307314-fdfb-5672-9990-03b9d59ad2ab",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack",
      "hash": null,
      "external_id": null,
      "created": "2026-05-21T00:36:44.126Z",
      "modified": "2026-05-21T00:36:44.126Z",
      "createdById": null
    },
    {
      "id": "a50acc91-6434-43fd-ae58-794861f9555a",
      "standard_id": "external-reference--ff086dec-51bc-51e3-bd9a-4e88efb80d6b",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a0ce3b0ad791179648c47b0",
      "hash": null,
      "external_id": "6a0ce3b0ad791179648c47b0",
      "created": "2026-05-21T00:36:44.095Z",
      "modified": "2026-05-21T00:36:44.095Z",
      "createdById": null
    }
  ]
}