durabletask: TeamPCP's Latest PyPI Compromise
ID: 5df377d7-d989-593d-809b-3d71683dba37
STIX ID: report--5df377d7-d989-593d-809b-3d71683dba37
Feed Name: Wiz Blog
A supply-chain campaign attributed to TeamPCP compromised the Microsoft DurableTask Python package (durabletask v1.4.1–v1.4.3) by using a dumped GitHub secret/PyPI token to publish malicious wheels that deploy rope.pyz; the payload steals cloud and local credentials (AWS/Azure/GCP/K8s/Vault/password managers), brute-forces password managers, propagates via SSM/K8s (up to 5 targets per host), and calls the C2 domains `check.git-service.com` and `t.m-kosche.com`. The advisory includes file and hash IOCs, network indicators, runtime artifacts (`/tmp/managed.pyz`, `/tmp/rope-*.pyz`, `~/.cache/.sys-update-check`), and remediation steps (search lockfiles/CI logs, check for infection markers and a running `/tmp/managed.pyz`, rotate credentials, audit SSM/K8s activity, and block the C2 domains).
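The lockfile search and infection-marker checks from the remediation steps, as an added triage helper that is not part of the Wiz advisory or the durabletask project; it uses only the versions, paths and domains named above, and the lockfile formats it parses (`==` pins and TOML `[[package]]` entries) are an assumption about what a typical repository contains.

```python
"""Added triage helper (not from the advisory): finds durabletask pins in the
affected range and the runtime/network markers the advisory lists."""
import glob
import os
import re

AFFECTED_VERSIONS = {"1.4.1", "1.4.2", "1.4.3"}            # from the advisory
C2_DOMAINS = {"check.git-service.com", "t.m-kosche.com"}   # from the advisory

# "durabletask==1.4.2" lines: requirements.txt, constraints, pip freeze, CI logs
PIN_RE = re.compile(r"^\s*durabletask\s*==\s*([0-9][0-9A-Za-z.\-]*)",
                    re.IGNORECASE | re.MULTILINE)
# poetry.lock / uv.lock style entries: name = "durabletask" followed by version = "..."
TOML_RE = re.compile(r'name\s*=\s*"durabletask"\s*\n\s*version\s*=\s*"([^"]+)"',
                     re.IGNORECASE)


def affected_pins(lockfile_text: str) -> list[str]:
    """Return every durabletask version pinned in the text that is in the malicious range."""
    found = PIN_RE.findall(lockfile_text) + TOML_RE.findall(lockfile_text)
    return [v for v in found if v in AFFECTED_VERSIONS]


def infection_markers(tmp_dir: str = "/tmp", home: str = os.path.expanduser("~")) -> list[str]:
    """Return the advisory's runtime artifact paths that exist on this host."""
    candidates = [os.path.join(tmp_dir, "managed.pyz"),
                  os.path.join(home, ".cache", ".sys-update-check")]
    candidates += glob.glob(os.path.join(tmp_dir, "rope-*.pyz"))
    return [p for p in candidates if os.path.exists(p)]


def suspicious_processes(cmdlines: list[str]) -> list[str]:
    """Given process command lines (e.g. from ps), return those running the dropped payload."""
    return [c for c in cmdlines
            if "/tmp/managed.pyz" in c or re.search(r"/tmp/rope-[^\s]*\.pyz", c)]


def c2_hits(log_lines: list[str]) -> list[str]:
    """Return DNS or proxy log lines that reference either C2 domain."""
    return [line for line in log_lines if any(d in line for d in C2_DOMAINS)]


if __name__ == "__main__":
    # Constructed sample inputs; on a real host replace with lockfile contents and ps/DNS output.
    sample_lock = 'requests==2.31.0\ndurabletask==1.4.2\n[[package]]\nname = "durabletask"\nversion = "1.4.0"\n'
    print("affected pins:", affected_pins(sample_lock))
    print("markers on this host:", infection_markers())
    print("payload processes:", suspicious_processes(["python3 /tmp/managed.pyz", "bash -c ls"]))
    print("C2 lookups:", c2_hits(["query t.m-kosche.com A", "query example.com A"]))
```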
