Microsoft's durabletask PyPI compromise of May 19, 2026
Three malicious durabletask versions hit PyPI in 35 minutes with no matching GitHub release. Importing the SDK was enough to run the stealer.
- pypi
- microsoft
- python
- supply-chain
Eight days after the TanStack npm compromise, attackers published three malicious versions of durabletask, Microsoft's official Python SDK for Azure Durable Functions, directly to PyPI. No matching tags or CI workflows ran in the upstream GitHub repository.
Verified timeline
OSV MAL-2026-4174 records:
| Version | Window |
|---|---|
durabletask 1.4.1, 1.4.2, 1.4.3 | Published May 19, 2026, between roughly 16:19 and 16:54 UTC (35-minute window) |
| Last clean release | 1.4.0 (April 8, 2026) |
Microsoft's GitHub issue #137 was filed at 17:54 UTC on May 19 reporting import-time code that downloaded a remote payload from check.git-service.com. Microsoft maintainers confirmed the packages were yanked and the PyPI project was temporarily quarantined. The latest safe release is 1.4.0 on PyPI.
StepSecurity's analysis notes the attack bypassed Microsoft's durabletask.yml release workflow entirely. The workflow only publishes when a v* tag is pushed; no such tag existed for the malicious versions. The attacker uploaded with stolen PyPI credentials via twine.
What the payload did
The malicious versions injected a dropper into Python source files. Importing the SDK was sufficient to execute the payload, no postinstall hook required.
Documented behavior across OSV, StepSecurity, and Microsoft's issue thread:
- Downloaded a ~28 KB payload (
rope.pyz) from attacker infrastructure - Harvested AWS, Azure, GCP, Kubernetes, Vault, SSH, Docker, and password-manager credentials
- Encrypted exfiltration to attacker-controlled infrastructure, with GitHub dead-drop fallback
- Established persistence via a
pgsql-monitor.servicesystemd unit on Linux - Skipped execution on systems with Russian locale settings (reported by multiple vendors)
Researchers linked the campaign to TeamPCP and the broader Mini Shai-Hulud wave active in May 2026.
Why Mac developer laptops matter
Python developers on macOS who ran pip install durabletask or updated a requirements.txt pin during the window could have pulled 1.4.1 through 1.4.3 into a virtualenv or global site-packages. Unlike npm lifecycle scripts, import-time execution means simply importing the package in a REPL or test suite triggers the stealer.
Koban reads pip lockfiles and environment manifests from enrolled Macs. A durabletask version bump from 1.4.0 to 1.4.x in a diff is the kind of signal that should trigger immediate investigation after a published IOC list.
What to do if you were exposed
Microsoft and PyPI security teams yanked the malicious versions. If you may have installed 1.4.1, 1.4.2, or 1.4.3:
- Pin back to
durabletask==1.4.0or earlier - Treat the install host as compromised
- Rotate cloud, GitHub, npm, SSH, and secrets-manager credentials reachable from that machine
- Check for persistence artifacts documented in OSV (e.g.,
pgsql-monitor.service,pgmonitor.py)
Microsoft removed the public GitHub release pipeline and moved publishing to an internal process after the incident.
May 2026 pattern
The durabletask incident fits a May 2026 cadence: TanStack on May 11, Nx Console on May 18, durabletask on May 19, and GitHub's breach disclosure on May 19-20. Different surfaces (GitHub Actions, VS Code Marketplace, PyPI registry), same objective: steal credentials from developer and CI environments.
Registry takedowns and advisories help after the fact. Continuous lockfile diff on developer Macs helps you answer which machines moved to a bad version before the yank.