durabletask (Microsoft's Python Durable Task client) compromised by TeamPCP | same Mini Shai-Hulud payload as last week's TanStack wave
Source: Reddit
Published:
We've been tracking TeamPCP since March. This is the fifth major package in the same campaign. Full chronology:

Mar 19 — Trivy compromised. CI/CD secrets harvested downstream.

Mar 24 — LiteLLM 1.82.7/1.82.8 to PyPI via credentials stolen through Trivy. ~95M monthly downloads. ~1,000 cloud environ