
The AntV Supply Chain Campaign Expands: Microsoft's `durabletask` PyPI Package Compromised

Written by: security incident management

May 19, 2026

The ink was barely dry on our coverage of the AntV Shai Hulud supply chain attack when a new compromise surfaced in the Python ecosystem. The target this time is durabletask, an open source Python package associated with Microsoft, used for building durable, fault-tolerant workflow orchestration on top of the Durable Task Framework.

The latest safe version of durabletask is 1.4.0, and three known versions have been yanked from the PyPI registry.

Snyk has cataloged this incident under SNYK-PYTHON-DURABLETASK-16761538, and the package's health page on Snyk reflects its current status as maliciously compromised.

What happened

A malicious version of durabletask was published to PyPI. The embedded payload is a dropper configured to fetch and execute a second-stage payload named rope.pyz from the attacker-controlled domain check.git-service[.]com. Researchers assess this malware as an evolution of the payload used in the compromise of the guardrails-ai package last week, which itself was linked to the broader Shai Hulud campaign.

The malicious version bundles three capabilities:

  • Infostealer: harvests credentials from major cloud providers, password managers, and developer tooling, then exfiltrates data to the attacker's domain.

  • Worm: attempts to propagate to additional packages or environments.

  • Disk wiper: destructive capability that can irreversibly destroy data.

One important constraint: the stealer is configured to execute only on Linux systems. Developers running macOS or Windows are not at risk from the credential harvesting component, though the worm and wiper components may still be relevant depending on the environment.

Snyk customers have access to the "Active Security Incident Assessment for Antv Supply Chain Compromise - May 2026" Zero Day Report in-app, which covers this incident as part of the broader campaign.

Impact assessment

durabletask sees approximately 103,000 downloads per week with 1.7 million total downloads on PyPI. That is a relatively small footprint compared to the AntV packages affected yesterday (which collectively drew around 16 million weekly npm downloads). Snyk assesses the direct impact of this specific compromise as likely minimal, given the package's adoption profile.

That said, the signal here matters for a different reason. durabletask is a Microsoft-associated open source project. If this campaign is actively identifying and targeting packages maintained by or associated with major technology companies, the potential for future high-impact compromises within that same target set is real. The progression from guardrails-ai to the AntV ecosystem to a Microsoft package suggests the threat actors are broadening their targeting scope, not narrowing it.

Detection and remediation

Check whether durabletask appears in your Python dependency tree:

pip show durabletask

If installed, check the installed version against the PyPI release history and against the malicious version flagged in the Snyk advisory at security.snyk.io/vuln/SNYK-PYTHON-DURABLETASK-16761538.

Scan your projects with Snyk:

snyk test

If you installed a malicious version on a Linux system, treat credentials accessible from that environment as compromised. Rotate cloud provider keys, API tokens, and any secrets present in environment variables or config files reachable from the affected machine.
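As an added example (not Snyk's or the durabletask project's own tooling), a small Python check that implements the steps above: it reports whether durabletask is installed at a version other than the known-safe 1.4.0 and scans a directory tree for the two dropper indicators named in this post. The function names are hypothetical, and `write_sample_tree` builds a constructed sample directory so the scan can be exercised offline.

```python
import tempfile
from importlib import metadata
from pathlib import Path
from typing import List, Optional, Tuple

# Indicators named in the advisory: the attacker-controlled domain the dropper
# contacts and the second-stage filename it fetches.
INDICATORS = ("check.git-service.com", "rope.pyz")
SAFE_VERSION = "1.4.0"  # latest safe release per the advisory

def installed_version(dist: str = "durabletask") -> Optional[str]:
    """Installed version of dist, or None when it is absent from this environment."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None

def version_needs_review(installed: Optional[str], safe: str = SAFE_VERSION) -> bool:
    """True when the package is present at any version other than the known-safe
    one; the advisory names only the safe release, so anything else is checked
    manually against the PyPI release history and the Snyk advisory."""
    return installed is not None and installed != safe

def scan_for_indicators(root: Path, indicators=INDICATORS) -> List[Tuple[str, str]]:
    """(file, indicator) pairs for every file under root containing an indicator
    string; point it at site-packages or a vendored checkout."""
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            data = path.read_bytes()
        except OSError:  # unreadable file: skip it rather than abort the scan
            continue
        hits.extend((str(path), ioc) for ioc in indicators if ioc.encode() in data)
    return hits

def write_sample_tree() -> Path:
    """Constructed sample tree: a benign module plus one that mimics a dropper's
    configuration, so the scanner can be exercised offline."""
    root = Path(tempfile.mkdtemp())
    (root / "ok.py").write_text("def hello():\n    return 'hi'\n")
    (root / "bad.py").write_text("URL = 'https://check.git-service.com/rope.pyz'\n")
    return root

if __name__ == "__main__":
    version = installed_version()
    print("durabletask:", version, "(review)" if version_needs_review(version) else "(ok)")
    for file, ioc in scan_for_indicators(write_sample_tree()):
        print(f"{file}: contains {ioc}")
```

Run it inside the virtual environment you are auditing; a hit from the scanner or a version other than 1.4.0 means the credential-rotation steps above apply.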
