Three malicious versions of the `durabletask` PyPI package (1.4.1, 1.4.2 and 1.4.3), the Python client for Microsoft's Azure Durable Task Framework, were found to contain a backdoor dropper injected into the package's Python source files. On import, the dropper silently fetches a second-stage payload (`rope.pyz`) from a freshly registered C2 domain. The payload is a full-featured infostealer and worm: it harvests credentials from AWS, Azure, GCP, Kubernetes, HashiCorp Vault, password managers, SSH keys, Docker, and AI developer tool configurations, then propagates to other EC2 instances via AWS SSM and to Kubernetes pods via `kubectl exec`. A cryptographically authenticated GitHub dead-drop, identified by the string FIRESCALE, serves as a fallback C2 channel. On hosts whose locale is Israeli or Iranian, the payload has a one-in-six chance of playing an audio file and then running `rm -rf /*`. The post provides detection artifacts, indicators of compromise, and mitigation steps, including credential rotation and network blocks for the C2 infrastructure.
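The two facts a responder can act on immediately are the affected version range and the payload strings the post names (`rope.pyz`, `FIRESCALE`, the wiper command). The triage helper below is an added example, not Aikido's detection logic or code from the post: it reads the installed `durabletask` version from the `.dist-info` directory name in a site-packages tree and greps the package's `.py` files for those strings. The pattern list is an assumption (the post's actual IOCs are not reproduced here), the sample package tree is constructed inline so the script runs offline, and a clean result from this script does not prove a host is clean, since the dropper runs on import and the payload is fetched at runtime rather than shipped in the wheel.

```python
"""Triage helper (added example, not the post's or Aikido's code).

Flags durabletask 1.4.1-1.4.3 as malicious and scans .py files for
strings the post attributes to the dropper/payload.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Versions named in the post as backdoored.
MALICIOUS_VERSIONS = {"1.4.1", "1.4.2", "1.4.3"}

# Assumption: strings from the post, NOT an exact signature of the dropper.
SUSPECT_PATTERNS = [re.compile(p) for p in (r"rope\.pyz", r"FIRESCALE", r"rm -rf /\*")]


def is_malicious_version(version: str) -> bool:
    """True if the installed durabletask version is in the known-bad range."""
    return version.strip() in MALICIOUS_VERSIONS


def installed_version(site_packages: Path, dist: str = "durabletask") -> str | None:
    """Read the version from the dist-info directory name, e.g.
    durabletask-1.4.2.dist-info -> '1.4.2'. Returns None if not installed."""
    for d in site_packages.glob(f"{dist}-*.dist-info"):
        return d.name[len(dist) + 1 : -len(".dist-info")]
    return None


def scan_source(text: str) -> list[str]:
    """Return the sorted, de-duplicated suspect strings found in one file."""
    return sorted({m.group(0) for p in SUSPECT_PATTERNS for m in p.finditer(text)})


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each .py file under root (posix-relative path) to its suspect hits."""
    hits: dict[str, list[str]] = {}
    for path in root.rglob("*.py"):
        found = scan_source(path.read_text(errors="replace"))
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def triage(site_packages: Path) -> dict:
    """Combine the version check and the source scan for one site-packages dir."""
    version = installed_version(site_packages)
    return {
        "version": version,
        "bad_version": version is not None and is_malicious_version(version),
        "hits": scan_tree(site_packages),
    }


def demo() -> dict:
    """Build a constructed fake site-packages tree and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "durabletask-1.4.2.dist-info").mkdir()
        pkg = root / "durabletask"
        pkg.mkdir()
        # Constructed sample: a module that mentions the payload name on import.
        (pkg / "__init__.py").write_text("# constructed sample\nSTAGE2 = 'rope.pyz'\n")
        (pkg / "worker.py").write_text("def run():\n    return 1\n")
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

Point `triage()` at a real interpreter's site-packages (for example `Path(site.getsitepackages()[0])`) to check a host; if `bad_version` is true, treat every credential the post lists as exposed and rotate it, regardless of whether the scan found any hits.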

Source: aikido.dev (10 minute read)
Table of contents

- What happened
- The versions tell a story
- The payload: rope.pyz
- The FIRESCALE dead-drop
- What it steals
- Worm propagation
- The disk wiper
- Detection and mitigation
- Indicators of Compromise
- How Aikido Detects This