Microsoft Python SDK Compromised by TeamPCP Hackers

Posted on May 20, 2026 By CWS

Security researchers have identified a significant breach involving Microsoft’s official Python workflow SDK. The TeamPCP hacking group has reportedly infiltrated three versions of this SDK, embedding a multi-cloud credential-stealing worm as part of an ongoing supply chain campaign in 2026.

TeamPCP Targets Microsoft SDK

TeamPCP, also known by the aliases PCPcat and DeadCatx3, has been an active threat in 2026, focusing on software supply chain attacks. Its latest target, the Microsoft Python client for the Durable Task framework, was compromised in versions 1.4.1 through 1.4.3, according to cybersecurity firm Wiz. PyPI quarantined the compromised packages following the discovery.

The group’s campaign, dubbed Mini Shai-Hulud, initially targeted Aqua Security’s Trivy scanner in March and has since expanded to affect Checkmarx GitHub Actions, LiteLLM, and numerous npm packages. On May 19, 2026, TeamPCP further extended its reach by compromising over 300 packages within the @antv npm ecosystem.

Technical Details of the Breach

Wiz’s analysis indicates that the attack on the durabletask client occurred shortly after a similar breach of guardrails-ai on May 11. The infection chain traces back to the @antv npm ecosystem compromise. A GitHub account involved in these attacks was found to have targeted the microsoft/durabletask-python repository, with malicious activities recorded between 15:08 UTC and 15:16 UTC.

The attackers gained access to the GitHub account using previously obtained credentials, which allowed them to publish the compromised versions to PyPI without passing through code review. The malware, named rope.pyz, is an evolution of a payload used in the group's earlier attacks; it targets Linux systems and spreads through multiple entry points.

Impact and Security Measures

The malware performs broad credential theft, harvesting AWS IAM credentials, Azure service account secrets, GCP tokens, and more. It also spreads laterally through AWS SSM and Kubernetes, so a single compromised host can lead to multiple affected systems. The attackers have upgraded their command and control infrastructure as well, now using domain-based servers with SSL (TLS) verification.

Security teams are advised to audit systems for compromised versions of the durabletask package, inspect for infection markers, and rotate all potentially exposed credentials. Blocking access to identified malicious command and control domains, such as check.git-service.com, is also recommended to mitigate further risks.
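The version audit above is the first step teams can script. The following is an added example, not code from the article, Wiz, or Microsoft: it scans requirement-style pins and the locally installed distribution for the durabletask versions the article reports as compromised (1.4.1 through 1.4.3). The sample requirements file is constructed for illustration.

```python
"""Audit pins of the PyPI package 'durabletask' against the compromised range."""
import re
from importlib import metadata

PACKAGE = "durabletask"
# Versions reported as compromised: 1.4.1 through 1.4.3 (release segment only).
COMPROMISED = {(1, 4, 1), (1, 4, 2), (1, 4, 3)}

# Matches lines like "durabletask==1.4.2", "durabletask[azure] == 1.4.1 ; python_version>='3.9'".
_PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*==\s*(?P<ver>[0-9][0-9.]*)"
)


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(ver: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2); non-numeric segments are ignored."""
    return tuple(int(p) for p in ver.strip().split(".") if p.isdigit())


def is_compromised(ver: str) -> bool:
    return parse_version(ver) in COMPROMISED


def find_compromised_pins(lines):
    """Return (line_no, version) for every exact pin of durabletask in the compromised range."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0]  # drop trailing comments before matching
        m = _PIN_RE.match(line)
        if m and normalize(m.group("name")) == PACKAGE and is_compromised(m.group("ver")):
            hits.append((n, m.group("ver")))
    return hits


def installed_version_status():
    """Return (installed_version, is_compromised) for the local environment, or (None, False)."""
    try:
        ver = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None, False
    return ver, is_compromised(ver)


# Constructed sample requirements.txt; not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
azure-functions==1.21.3
durabletask==1.4.2          # inside the compromised range
durabletask[azure] == 1.4.0  # outside the range
durabletask==1.4.3 ; python_version >= "3.9"
"""

if __name__ == "__main__":
    for n, v in find_compromised_pins(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"line {n}: {PACKAGE}=={v} is a compromised version; repin and rotate exposed credentials")
    print("installed:", installed_version_status())
```

Run it against each requirements, constraints, or pip freeze output in the estate; a hit means the credentials reachable from that environment should be treated as exposed.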
