durabletask 1.4.1, 1.4.2, and 1.4.3 contain malicious code distributed via a compromised maintainer account

durabletask versions 1.4.1, 1.4.2, and 1.4.3 were published on 2026-05-19 within a35-minute window through a compromised PyPI maintainer account and containedmalicious code.On import, the package fetched a remote payload rope.pyz from anattacker-controlled host and executed it.The payload was a...