Trojanized Microsoft SDK: durabletask 1.4.1 through 1.4.3 Deliver Credential-Stealing Malware
Source: Endorlabs
Published:
<p>Malicious PyPI package durabletask 1.4.1-1.4.3 steals AWS, Azure, and GCP credentials on import. 417k monthly downloads affected.</p> <p>On May 19, 2026, Endor Labs detected three trojanized versions of durabletask , the official Python SDK for Microsoft's Azure Durable Functions. Versions 1.4.1,