GitHub is investigating unauthorized access to its internal repositories, while at the same time the TeamPCP group is continuing a large-scale supply chain attack campaign — the official Microsoft Python package durabletask (versions 1.4.1, 1.4.2, and 1.4.3), which is downloaded about 417,000 times per month, has been compromised. The malicious code is triggered automatically when the package is imported, without any visible signs of compromise. Any machine or CI/CD pipeline where an infected version was installed should be treated as fully compromised.

Incident involving GitHub internal repositories

As reported by GitHub, at this time there is no evidence that customer data stored outside the platform’s internal repositories — including enterprise accounts, organizations, and user repositories — has been affected. The company stated that it is monitoring its infrastructure for further suspicious activity and promised to notify customers via established incident response channels if any impact is identified.

It should be noted that details of the alleged offer to sell GitHub source code are based on screenshots published by Dark Web Informer and have not been independently verified. According to these screenshots, the TeamPCP group claimed it is not seeking to extort anyone: the data will either be sold to a single buyer and then deleted, or released for free. The authenticity of these claims and the actual scope of the leak remain unconfirmed at the time of publication.

Compromise of the durabletask package: technical analysis

In parallel with the GitHub incident, TeamPCP’s campaign, known as Mini Shai-Hulud, continues to expand. According to researchers at Wiz, the attackers compromised a GitHub account during a previous attack, extracted secrets from an accessible repository, and obtained a PyPI token for the direct publication of malicious versions of the durabletask package — the official Python client for Microsoft’s Durable Task framework.

The infection chain is as follows:

1. The malicious package contains a dropper that automatically downloads a second-stage payload (rope.pyz) from an external server, check.git-service[.]com, when the package is imported.
2. The payload is a fully featured infostealer with a size of 28 KB that runs exclusively on Linux systems.
3. The stealer collects credentials for cloud providers, password managers, and development tools, and then exfiltrates them to a domain controlled by the attackers.

Stealer capabilities

According to analysis by SafeDep, the malware targets a wide range of secrets:

• Reading HashiCorp Vault KV secrets
• Unlocking and dumping 1Password and Bitwarden password vaults
• Access to SSH keys, Docker credentials, and VPN configurations
• Collection of shell command history

Propagation mechanisms

As reported by Aikido Security, the malware is capable of self-propagation in cloud environments. In AWS it spreads to other EC2 instances via SSM, using SendCommand with the AWS-RunShellScript document to execute the payload on up to five instances per profile. In Kubernetes environments, propagation occurs via kubectl exec.

According to StepSecurity, the propagation script downloads the payload from the main C2 server, using the fallback domain t.m-kosche[.]com if the primary server is unavailable.

The FIRESCALE mechanism deserves special attention — it is a fallback method for discovering the C2 address. The malware searches public GitHub commit messages for the pattern FIRESCALE <base64_url>.<base64_signature> and extracts the address of the command-and-control server from it. This allows the attackers to change their infrastructure dynamically without updating the malware itself.

In addition, Aikido Security researchers discovered destructive logic: if Israeli or Iranian system locales are detected, there is a 1-in-6 chance that the malware will play an audio recording and execute the rm -rf /* command, wiping all data on the disk.

TeamPCP campaign context

According to Wiz researchers, the malicious payload in durabletask is an evolution of the code used to compromise the guardrails-ai package a week earlier. Since the worm propagates using tokens stolen from infected environments, the number of affected packages is expected to grow. The Mini Shai-Hulud campaign demonstrates a systematic approach to supply chain attacks: compromising a single account leads to a cascading takeover of related resources.

Indicators of compromise

• C2 domain: check.git-service[.]com
• Fallback C2 domain: t.m-kosche[.]com
• Affected package versions: durabletask 1.4.1, 1.4.2, 1.4.3
• Second-stage payload: rope.pyz

Response recommendations

1. Immediately check whether durabletask versions 1.4.1–1.4.3 are installed in your environments and CI/CD pipelines. Use pip show durabletask or review your dependency files.
2. Treat as compromised any machine where an infected version was imported. As noted by Endor Labs, the malicious code runs automatically upon import with no visible indicators.
3. Rotate all secrets — cloud credentials, API tokens, SSH keys, and password manager passwords — that were accessible from the compromised environment.
4. Inspect your AWS environments for unauthorized SSM SendCommand invocations and suspicious processes on EC2 instances.
5. Block the domains check.git-service[.]com and t.m-kosche[.]com at the DNS and network filter levels.
6. Implement version pinning and package hash verification in your build pipelines to prevent automatic installation of compromised updates.

Given the self-propagating nature of Mini Shai-Hulud and the scale of durabletask downloads (417,000 per month), the immediate priority should be to check all environments for infected versions of the package, followed by complete secret rotation. Organizations using GitHub should monitor the platform’s official notification channels for updates on the investigation into the internal repository incident.