Back

TeamPCP Compromises Microsoft DurableTask and GitHub Actions in Supply Chain Attack

Severity: High (Score: 74.0)

Sources: Wiz, www.sysdig.com, Cybersecuritynews, Gbhackers

Published: 2026-05-20 · Updated: 2026-05-20

Keywords: teampcp, compromise, durabletask, supply, chain, trivy, github

Severity indicators: supply chain compromise, supply chain

Summary

The TeamPCP threat group has expanded its supply chain attack campaign, compromising the Microsoft DurableTask Python client with versions v1.4.1, v1.4.2, and v1.4.3 found to contain a credential-stealing worm. This follows a prior attack on Aqua Security's Trivy vulnerability scanner, where malicious payloads were injected into CI/CD pipelines. The same credential-stealing method was observed in Checkmarx's GitHub Action shortly after the Trivy incident. The attacks involved the use of typosquatting techniques to redirect exfiltrated data to deceptive domains. Security researchers from Wiz confirmed the malicious nature of the DurableTask packages, leading to their quarantine on PyPI. Organizations using these tools are advised to rotate credentials and audit their CI/CD environments for potential exposure. The ongoing nature of these attacks highlights the vulnerabilities in software supply chains and the need for heightened security measures. Key Points: • TeamPCP compromised Microsoft DurableTask versions 1.4.1 to 1.4.3, injecting malicious code. • The attack pattern was similar to a prior compromise of Aqua Security's Trivy vulnerability scanner. • Organizations are urged to rotate credentials and audit CI/CD environments for exposure.

Detailed Analysis

**Impact** Thousands of repositories using Aqua Security’s Trivy and Checkmarx GitHub Actions were compromised, exposing CI/CD secrets including GitHub personal access tokens. Additionally, three versions (1.4.1, 1.4.2, 1.4.3) of Microsoft’s DurableTask Python client on PyPI were poisoned, affecting users of this official workflow SDK. The attack potentially impacts organizations relying on these tools globally, with risks including credential theft, cloud resource access, and propagation of malicious code across development pipelines. **Technical Details** TeamPCP conducted supply chain attacks by force-pushing malicious commits to trusted GitHub Action tags (Trivy and Checkmarx), injecting a multi-stage credential stealer that exfiltrates secrets to typosquat domains. The stealer harvests credentials from CI runner memory, enabling further poisoning of additional actions. The DurableTask compromise involved publishing malicious PyPI packages using stolen GitHub secrets and PyPI tokens. The malware retrieves AWS temporary credentials via Instance Metadata Service and searches for Slack/Discord webhooks. Key IOCs include typosquat domains (e.g., scan.aquasecurtiy[.]org), filenames like tpcp.tar.gz, and persistence markers such as ~/.cache/.sys-update-check. **Recommended Response** Immediately rotate all exposed credentials, including GitHub tokens, AWS IAM credentials, cloud service accounts, and password manager secrets. Audit CI/CD workflows for references to compromised action versions and enforce commit SHA pinning instead of tag references. Block outbound traffic to identified typosquat domains and known C2 endpoints (e.g., check.git-service.com, t.m-kosche.com). Monitor for presence of infection markers (~/.cache/.sys-update-check) and running suspicious python3 /tmp/managed.pyz processes. Review cloud audit logs for unusual SSM and Kubernetes exec activity.

Source articles (4)

  • Teampcp Expands Supply Chain Compromise Spreads From Trivy To Checkmarx Github Actions — www.sysdig.com · 2026-05-20
    On March 19, 2026, the threat actor known as TeamPCP compromised Aqua Security's Trivy vulnerability scanner and its associated GitHub Actions, injecting a credential-stealing payload into CI/CD pipel…
  • Microsoft DurableTask Python Client Targeted in TeamPCP Cyberattack — Gbhackers · 2026-05-20
    The ongoing TeamPCP software supply chain campaign has compromised the official Microsoft DurableTask Python client, a widely used package for orchestrating workflows in Python applications. Three ver…
  • Microsoft Python Client DurableTask Compromised by TeamPCP Hackers — Cybersecuritynews · 2026-05-20
    Three consecutive releases of Microsoft’s official Python workflow SDK were poisoned with a multi-cloud credential-stealing worm, continuing the group’s relentless 2026 supply chain campaign. The Team…
  • durabletask: TeamPCP's Latest PyPi Compromise — Wiz · 2026-05-19
    The supply chain campaign linked to TeamPCP continues with the compromise of durabletask v1.4.1 , v1.4.2 , and v1.4.3 . DurableTask is the official Microsoft Python client for the Durable Task workflo…

Timeline

  • 2026-03-19 — TeamPCP compromises Aqua Security's Trivy: Malicious payloads were injected into CI/CD pipelines affecting thousands of repositories.
  • 2026-05-11 — Guardrails-ai package compromised: A similar credential-stealing payload was deployed in the guardrails-ai package, indicating a pattern.
  • 2026-05-19 — DurableTask package quarantined: Versions v1.4.1, v1.4.2, and v1.4.3 of DurableTask were identified as malicious and quarantined by PyPI.
  • 2026-05-20 — TeamPCP targets Checkmarx GitHub Action: An identical credential-stealing payload was observed in Checkmarx's GitHub Action shortly after the Trivy attack.
  • 2026-05-20 — Cybersecurity news reports on DurableTask compromise: Multiple news outlets reported on the ongoing TeamPCP campaign and its impact on Microsoft’s DurableTask.

Related entities

  • TeamPCP (Apt Group)
  • Supply Chain Attack (Attack Type)
  • Worm (Attack Type)
  • Aqua Security (Company)
  • Checkmarx (Company)
  • Microsoft (Company)
  • AWS (Company)
  • Azure (Company)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • aquasecurtiy.org (Domain)
  • check.git-service.com (Domain)
  • scan.aquasecurtiy.org (Domain)
  • TeamPCP Cloud Stealer (Malware)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1110 - Brute Force (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • Discord (Platform)
  • GCP (Platform)
  • GitHub (Platform)
  • Kubernetes (Platform)
  • Linux (Platform)
  • PyPI (Platform)
  • Slack (Platform)
  • Bitwarden CLI (Platform)
  • GitHub Actions (Tool)
  • Python (Tool)
  • Trivy (Tool)
  • 1Password CLI (Tool)
  • Curl (Tool)
  • Kubectl (Tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed