On 19 May 2026, three malicious versions of Microsoft's official durabletask Python SDK (1.4.1, 1.4.2 and 1.4.3) were published to PyPI within a 35-minute window. They were not released through Microsoft's official CI/CD pipeline; they were pushed directly to PyPI using compromised publishing credentials, and the incident is described as a compromise of the real package that developers install when they run pip install durabletask.
The malicious package contains a dropper in __init__.py and other core files. When the package is imported on Linux, the dropper silently downloads and executes a remote payload from attacker-controlled infrastructure, described as a multi-cloud credential theft framework targeting AWS, Azure, GCP and Kubernetes secrets. A GitHub Actions workflow run monitored by Harden-Runner shows the malicious C2 network call to check.git-service[.]com.
Microsoft is actively investigating the compromise, and a full technical breakdown, indicators of compromise and remediation guidance will be provided. Users are advised to check their installed version with pip show durabletask and, if it is 1.4.1, 1.4.2 or 1.4.3, pin to version 1.4.0 or earlier. The last known safe version is 1.4.0, published on 8 April 2026.
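The version check and the C2 indicator above can be turned into an audit script. The following is an added example, not code from Microsoft, the durabletask project or the advisory: it classifies an installed or pinned durabletask version against the three malicious releases and the last known safe release, scans a requirements-style file for pins, and greps egress log lines for the C2 host. The requirements text and log lines are constructed sample input, and the log line format is an assumption; only the version numbers and the C2 hostname come from the advisory.

```python
"""Audit an environment for the malicious durabletask 1.4.1-1.4.3 releases.

Added example; not the advisory's or the project's own tooling.
"""
from __future__ import annotations

import importlib.metadata
import re

# Release versions the advisory names as malicious, and the last known safe one.
MALICIOUS_VERSIONS = frozenset({"1.4.1", "1.4.2", "1.4.3"})
LAST_SAFE_VERSION = "1.4.0"
# C2 host from the advisory (defanged there as check.git-service[.]com),
# written plainly so it can be matched against egress logs.
C2_HOST = "check.git-service.com"

# Matches a line such as "durabletask==1.4.2  # comment" in a requirements file.
PIN_RE = re.compile(r"^\s*durabletask\s*==\s*([0-9][^\s;#]*)", re.IGNORECASE)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn the leading dotted-numeric part of a version string into a tuple.

    Pre-release or post-release suffixes (1.4.1rc1) are ignored for comparison.
    """
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def classify_version(version: str) -> str:
    """Return 'malicious', 'safe' (at or below 1.4.0) or 'unknown'.

    'unknown' covers releases the advisory does not speak to, for example
    anything newer than 1.4.3; do not assume those are clean without confirmation.
    """
    parsed = parse_version(version)
    if parsed in {parse_version(v) for v in MALICIOUS_VERSIONS}:
        return "malicious"
    if parsed <= parse_version(LAST_SAFE_VERSION):
        return "safe"
    return "unknown"


def check_installed() -> tuple[str | None, str]:
    """Programmatic equivalent of `pip show durabletask`: (version, verdict)."""
    try:
        version = importlib.metadata.version("durabletask")
    except importlib.metadata.PackageNotFoundError:
        return None, "not installed"
    return version, classify_version(version)


def audit_requirements(text: str) -> list[tuple[int, str, str]]:
    """Find durabletask pins in requirements/constraints text.

    Returns (line_number, pinned_version, verdict) for each pin found.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = PIN_RE.match(line)
        if match:
            version = match.group(1)
            findings.append((lineno, version, classify_version(version)))
    return findings


def find_c2_contacts(log_lines) -> list[str]:
    """Return egress log lines that mention the advisory's C2 host."""
    return [line for line in log_lines if C2_HOST in line]


# Constructed sample requirements file (not a real project's lock file).
SAMPLE_REQUIREMENTS = "\n".join([
    "# constructed sample requirements, versions of other packages are made up",
    "requests==2.32.3",
    "durabletask==1.4.2  # pulled in on 19 May",
    "azure-functions==1.21.3",
])

# Constructed sample egress log; the field layout is an assumption.
SAMPLE_EGRESS_LOG = [
    "2026-05-19T10:02:11Z runner-7 egress dst=pypi.org:443 proto=https",
    "2026-05-19T10:02:14Z runner-7 egress dst=check.git-service.com:443 proto=https",
]

if __name__ == "__main__":
    print("installed:", check_installed())
    for lineno, version, verdict in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements line {lineno}: durabletask=={version} -> {verdict}")
    for line in find_c2_contacts(SAMPLE_EGRESS_LOG):
        print("C2 contact:", line)
```

Run it inside the virtual environment or CI image you want to audit; `check_installed` reads the same metadata that `pip show` does. Treat a "malicious" verdict on a pin or on the installed package as an incident, not just a dependency bump, since the dropper runs on import and the payload targets cloud credentials.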