Potential malicious code execution in durabletask versions 1.4.1, 1.4.2, and 1.4.3

[BarElrom-UpWind]

Hi,
I’m reporting a suspected supply chain compromise affecting durabletask 1.4.1, 1.4.2, 1.4.3

These versions include import-time code that downloads and executes a remote payload: https://check.git-service[.]com/rope.pyz
Version details:

Version	Upload UTC	Injected files
1.4.1	        16:19            	__init__.py
1.4.2	16:49        	__init__.py, task.py
1.4.3	16:54          	__init__.py, task.py, entities/__init__.py, extensions/__init__.py, payload/__init__.py

IOCs
Payload SHA256: 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce
Payload URL: https://check.git-service[.]com/rope.pyz
C2/fallback: t.m-kosche[.]com

Please urgently investigate, yank the affected PyPI versions, publish a clean version, and advise users to rotate secrets and inspect systems where these versions were installed or imported.

[KunalSin9h]

We are also tracking it, Confirmed Supply chain attack.

Technical Details: https://safedep.io/malicious-durabletask-pypi-supply-chain-attack/

[torosent]

The packages are yanked and we are working on the rest of the mitigation

[BarElrom-UpWind]

Confirmed - It's supply chain attack:
https://www.upwind.io/feed/newly-discovered-durabletask-malware-targeted-kubernetes-cloud-secrets-and-ci-cd-infrastructure

[ashishkurmi]

Thanks to @torosent and the maintainers for the swift response in yanking the affected packages.
We have shared our findings here: https://www.stepsecurity.io/blog/microsofts-durabletask-pypi-package-compromised-in-supply-chain-attack