Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again!
The Python package repository (PyPI) has been actively targeted in a sophisticated campaign where three progressively modified, compromised versions of a Microsoft-adjacent package, durabletask, were uploaded by malicious actors. The threat intelligence team discovered that these poisoned packages contain a full-featured info-stealer derived from the notorious "Mini Shai-Hulud" family. The malware is specifically engineered to propagate through cloud environments, systematically sweeping across Amazon Web Services (AWS) and Kubernetes configurations. It aggressively targets every cloud credential, cluster token, and access configuration it can locate. Once the data is compiled, it is exfiltrated to an external command and control server before the malware wipes local disks on targeted Israeli and Iranian systems, adding a destructive component to the data theft.Organizations utilizing the durabletask package in Python applications must instantly audit their build dependencies and pin their applications to verified, authentic upstream versions. All Kubernetes cluster configurations, secrets manifests, and AWS access keys used within environments where the compromised package was pulled must be immediately revoked and rotated. Deploying immutable container images and enforcing read-only root filesystems will help neutralize the destructive disk-wiping capabilities of the malware.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.
Related Articles





