Microsoft's Python Durable Task Client Compromised by TeamPCP

💬 durabletask (Microsoft's Python Durable Task client) compromised by TeamPCP | same Mini Shai-Hulud payload as last week's TanStack waveTeamPCP has been active since March, compromising multiple packages in a supply chain campaign. The latest attack involved durabletask versions 1.4.1–1.4.3, which exfiltrated credentials from Vault, 1Password, Bitwarden, SSH keys, and Docker, while spreading via AWS SSM and kubectl exec. Previous targets included Trivy, LiteLLM, Telnyx SDK, TanStack packages, and others, with some attacks leveraging CI/CD secrets or steganography for payload delivery.