durabletask
durabletask is identified in the SafeDep analysis "Malicious durabletask on PyPI: Multi-Cloud Credential Stealer with Worm Capabilities". Three compromised versions of the Microsoft durabletask Python SDK (1.4.1, 1.4.2, 1.4.3) were published to PyPI, each downloading a stage-2 payload that steals credentials from AWS, Azure, GCP, Kubernetes, HashiCorp Vault, and password managers, then propagates to other hosts via SSM and kubectl exec.
Discovered: 2026-05-20
Threat types
- credential_stealer
- data_exfiltration
- worm
Malicious versions
- 0.1.0
Campaigns
Indicators
- domain check.git-service.com (communicates-with)
- domain t.m-kosche.com (communicates-with)
- domain www.youtube.com (communicates-with)
- ipv4 160.119.64.3 (communicates-with)
- ipv4 185.95.159.32 (communicates-with)
- sha256 3de04fe2a76262743ed089efa7115f4508619838e77d60b9a1aab8b20d2cc8bf (indicates)
- sha256 85f54c089d78ebfb101454ec934c767065a342a43c9ee1beac8430cdd3b2086f (indicates)
- sha256 c0b094e46842260936d4b97ce63e4539b99a3eae48b736798c700217c52569dc (indicates)
- sha256 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce (indicates)
Techniques
- T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- T1059.006 Command and Scripting Interpreter: Python (uses)
- T1552.001 Unsecured Credentials: Credentials In Files (uses)
- T1041 Exfiltration Over C2 Channel (uses)
- T1528 Steal Application Access Token (uses)
- T1105 Ingress Tool Transfer (uses)
- T1071.001 Application Layer Protocol: Web Protocols (uses)
- T1102 Web Service (uses)
- T1021 Remote Services (uses)
- T1098 Account Manipulation (uses)
