#russia

Public notes from activescott tagged with #russia

Sunday, May 31, 2026

Wednesday, May 20, 2026

Three versions of the durabletask PyPI package (1.4.1, 1.4.2, 1.4.3), Microsoft’s Durable Task SDK for Python, were published on May 19, 2026 using a compromised PyPI API token.

The dropper downloads a stage-2 Python zipapp (rope.pyz) from attacker infrastructure and executes it with all output suppressed. The stage-2 is a full credential harvesting framework with dedicated collectors for AWS Secrets Manager and SSM Parameter Store, Azure Key Vault, GCP Secret Manager, Kubernetes secrets (across all contexts), HashiCorp Vault, and local password managers (1Password, Bitwarden, pass, gopass). It also reads over 90 sensitive files from disk, exfiltrates everything encrypted with RSA-4096/AES-256-GCM to a C2 server, and propagates itself to other hosts via AWS SSM SendCommand and kubectl exec.

The payload includes geopolitical targeting: it skips systems with a Russian locale and contains a destructive rm -rf /* routine targeting Israeli and Iranian systems.

Password Managers (collectors/passwords.py): Attempts to unlock 1Password, Bitwarden, pass, and gopass by brute-forcing passwords harvested from environment variables matching PASS, SECRET, KEY, BW_, OP_, _MASTER patterns, and from shell history (.bash_history, .zsh_history). On success, it dumps every item from every vault.

Filesystem (collectors/filesystem.py): Reads 90+ files including SSH keys, cloud credentials, Docker configs, npm/PyPI/Cargo/Gem tokens, kubeconfig, Terraform state files, VPN configurations (Tailscale state, WireGuard configs), MCP server configs (Claude Desktop, Cursor, VS Code, Zed, Codeium, Continue), and all .env files found under the home directory. Also extracts environment variables from all Docker containers via the Docker socket or CLI, and collects GitHub tokens via gh auth token.
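To see what the password-manager and filesystem collectors described above would have taken from a given host, here is a small audit script added for this note; it is not code from the write-up, from the malware, or from Microsoft. It applies the same selection rules to the local environment, shell history and home directory, but only reports what matches. Assumptions, since the write-up gives the patterns but not the matching logic: variable names are matched as case-insensitive substrings; password candidates in history are taken from NAME=VALUE assignments with a matching name and from the value following common password flags; the file list is a subset of the 90+ paths mentioned; and the sample environment, history lines and files are constructed.

```python
"""Host exposure check: what would the stage-2 collectors have harvested here?
Audit script written for this note, not the malware's code."""
import os
import re
import shlex
import tempfile
from pathlib import Path

# Name fragments the password-manager collector keys on (from the write-up).
ENV_NAME_PATTERNS = ("PASS", "SECRET", "KEY", "BW_", "OP_", "_MASTER")
# Assumption: matched as case-insensitive substrings of the variable name.
ENV_NAME_RE = re.compile("|".join(re.escape(p) for p in ENV_NAME_PATTERNS), re.IGNORECASE)
# Assumption: flags whose next argument a history harvester would treat as a password.
PASSWORD_FLAGS = {"--password", "--passwd", "--master-password", "-p"}
# Subset of the credential files the filesystem collector reads, relative to $HOME.
SENSITIVE_FILES = (
    ".ssh/id_rsa", ".ssh/id_ed25519", ".aws/credentials", ".docker/config.json",
    ".npmrc", ".pypirc", ".cargo/credentials.toml", ".gem/credentials", ".kube/config",
)


def harvestable_env(env):
    """Non-empty variables whose names match the harvester's patterns."""
    return {name: value for name, value in env.items() if value and ENV_NAME_RE.search(name)}


def candidates_from_history(lines):
    """Password candidates a harvester could pull from shell history, deduplicated in order."""
    found = []
    for line in lines:
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: skip the line
            continue
        for i, tok in enumerate(tokens):
            name, sep, value = tok.partition("=")
            if sep and value and ENV_NAME_RE.search(name):
                found.append(value)  # export BW_PASSWORD=..., curl --password=...
            elif tok in PASSWORD_FLAGS and i + 1 < len(tokens):
                found.append(tokens[i + 1])  # mysql -p s3cr3t
    return list(dict.fromkeys(found))


def exposed_files(home):
    """Credential files under *home* that the filesystem collector targets."""
    home = Path(home)
    hits = [home / rel for rel in SENSITIVE_FILES if (home / rel).is_file()]
    # The write-up says every .env under $HOME and Terraform state files are read too.
    for path in home.rglob("*"):
        if path.is_file() and (path.name == ".env" or path.suffix == ".tfstate"):
            hits.append(path)
    return sorted(p.relative_to(home).as_posix() for p in hits)


# Constructed sample data, not from any real host.
SAMPLE_ENV = {
    "HOME": "/home/dev",
    "PATH": "/usr/local/bin:/usr/bin",
    "LANG": "en_US.UTF-8",
    "BW_SESSION": "c3Vwc2VjcmV0(constructed)",
    "OP_SERVICE_ACCOUNT_TOKEN": "ops_eyJ(constructed)",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI(constructed)",
    "pypi_api_key": "pypi-AgEIcHlwaS5vcmc(constructed)",
    "EMPTY_KEY": "",
}
SAMPLE_HISTORY = [
    "ls -la",
    "export BW_PASSWORD='correct horse battery staple'",
    "bw unlock --passwordenv BW_PASSWORD",
    "op signin --account my.1password.com",
    "mysql -u root -p s3cr3t mydb",
    "curl --password=hunter2 https://example.invalid/",
    "echo 'unterminated",
]


def build_sample_home():
    """Create a throwaway $HOME holding a few constructed credential files."""
    home = Path(tempfile.mkdtemp(prefix="exposure-demo-"))
    files = {
        ".ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n",
        ".aws/credentials": "[default]\naws_access_key_id = AKIA(constructed)\n",
        "proj/.env": "DATABASE_URL=postgres://app:pw@db/app\n",
        "infra/terraform.tfstate": "{}\n",
        "proj/README.md": "not sensitive\n",
    }
    for rel, body in files.items():
        (home / rel).parent.mkdir(parents=True, exist_ok=True)
        (home / rel).write_text(body)
    return home


def demo():
    """Run the three checks against the constructed samples and return the findings."""
    return {
        "env": sorted(harvestable_env(SAMPLE_ENV)),
        "history": candidates_from_history(SAMPLE_HISTORY),
        "files": exposed_files(build_sample_home()),
    }


if __name__ == "__main__":
    for kind, hits in demo().items():
        print(f"sample {kind}: {hits}")
    # Names only for the real host; values stay unprinted.
    print("this host, env names:", sorted(harvestable_env(os.environ)))
```

Against a real host, call `harvestable_env(os.environ)`, pass the lines of `~/.bash_history` and `~/.zsh_history` to `candidates_from_history`, and run `exposed_files(Path.home())`: whatever comes back is what an operator holding this stage-2 would have had, and is the material to rotate first.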


For each token found, it creates a new public repository named with random Slavic folklore words (e.g., BABA-YAGA-KOSCHEI-742, description: “PUSH UR T3MPRR”) and uploads the encrypted data bundle as results.json. The attacker can later search GitHub for repositories matching these distinctive naming patterns to retrieve the exfiltrated data.

  1. No trusted publishers. The project uses legacy API token authentication instead of PyPI’s OIDC trusted publisher mechanism. Trusted publishers bind publishing to a specific GitHub repository, workflow, and environment. A stolen token cannot publish from outside that workflow. This project has no such binding: anyone holding the token can upload any version from any machine.

Kubernetes (collectors/kubernetes.py): Parses kubeconfig (with a custom YAML parser, no PyYAML dependency), iterates every context, and dumps secrets from all namespaces. Supports in-cluster service account tokens, client certificate auth, and bearer tokens. If kubectl is not present, the collector downloads it from dl.k8s.io. After collecting secrets, it propagates the payload to up to 5 other running pods via kubectl exec.
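Because the Kubernetes collector walks every context in the kubeconfig, the useful defensive question is which of those contexts are usable from the file alone. The following triage example is added for this note; it is not the malware's parser and not kubectl project code. It reads the JSON form of a kubeconfig, which kubectl emits with `kubectl config view --raw -o json`, so no PyYAML is needed; classifies each context's credential; and marks contexts whose credential is embedded long-lived material (client certificate, bearer token, basic auth) as reachable with the stolen file. Exec-plugin contexts are not marked, since they depend on the plugin's own cloud credentials (which the separate cloud collectors go after). The sample kubeconfig is constructed.

```python
"""Kubeconfig blast-radius check: which contexts can a thief use from the file alone?
Written for this note; not the malware's code or kubectl project code."""
import json
from pathlib import Path

# Credential kinds usable straight out of the kubeconfig (long-lived material).
LONG_LIVED = {"client-cert", "bearer-token", "basic-auth"}
# Default mount of the in-cluster service account token the collector also accepts.
SA_TOKEN_PATH = Path("/var/run/secrets/kubernetes.io/serviceaccount/token")


def load_kubeconfig_json(text):
    """Parse the output of `kubectl config view --raw -o json`."""
    cfg = json.loads(text)
    if cfg.get("kind") != "Config":
        raise ValueError("not a kubeconfig document")
    return cfg


def classify_user(user):
    """Name the credential type carried by a kubeconfig user entry."""
    if "exec" in user:
        return "exec:" + user["exec"].get("command", "?")  # e.g. aws eks get-token
    if "auth-provider" in user:
        return "auth-provider:" + user["auth-provider"].get("name", "?")
    if "client-certificate-data" in user or "client-certificate" in user:
        return "client-cert"
    if "token" in user or "tokenFile" in user:
        return "bearer-token"
    if "username" in user:
        return "basic-auth"
    return "none"


def summarize_contexts(cfg):
    """One row per context: target server, namespace, credential type, and whether the
    kubeconfig by itself is enough to reach the cluster."""
    clusters = {c["name"]: c.get("cluster", {}) for c in cfg.get("clusters", [])}
    users = {u["name"]: u.get("user", {}) for u in cfg.get("users", [])}
    rows = []
    for entry in cfg.get("contexts", []):
        ctx = entry.get("context", {})
        cluster = clusters.get(ctx.get("cluster"))  # None if the context is dangling
        auth = classify_user(users.get(ctx.get("user"), {}))
        rows.append({
            "context": entry["name"],
            "server": None if cluster is None else cluster.get("server"),
            "namespace": ctx.get("namespace", "default"),
            "auth": auth,
            "reachable_from_stolen_config": cluster is not None and auth in LONG_LIVED,
        })
    return rows


def exposed_contexts(rows):
    """Contexts whose secrets a stolen kubeconfig gives away without any other credential."""
    return [r["context"] for r in rows if r["reachable_from_stolen_config"]]


def in_cluster_token_present(path=SA_TOKEN_PATH):
    """True when a projected service-account token is mounted (the in-cluster path)."""
    return Path(path).is_file()


# Constructed sample kubeconfig; data fields are placeholders, not real credentials.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config", "current-context": "prod",
    "clusters": [
        {"name": "prod-cluster", "cluster": {"server": "https://10.0.0.1:6443"}},
        {"name": "dev-cluster", "cluster": {"server": "https://dev.example.invalid:6443"}},
        {"name": "eks-cluster", "cluster": {"server": "https://eks.example.invalid"}},
    ],
    "users": [
        {"name": "prod-admin", "user": {"client-certificate-data": "LS0t(constructed)",
                                        "client-key-data": "LS0t(constructed)"}},
        {"name": "dev-token", "user": {"token": "eyJ(constructed)"}},
        {"name": "eks-user", "user": {"exec": {"command": "aws",
                                               "args": ["eks", "get-token", "--cluster-name", "eks"]}}},
    ],
    "contexts": [
        {"name": "prod", "context": {"cluster": "prod-cluster", "user": "prod-admin",
                                     "namespace": "kube-system"}},
        {"name": "dev", "context": {"cluster": "dev-cluster", "user": "dev-token"}},
        {"name": "eks", "context": {"cluster": "eks-cluster", "user": "eks-user"}},
        {"name": "stale", "context": {"cluster": "missing", "user": "dev-token"}},
    ],
}


def demo():
    """Summarize the constructed kubeconfig as it would arrive from kubectl (JSON text)."""
    return summarize_contexts(load_kubeconfig_json(json.dumps(SAMPLE_KUBECONFIG)))


if __name__ == "__main__":
    rows = demo()
    for r in rows:
        print(f"{r['context']:<6} {r['auth']:<14} {r['namespace']:<12} {r['server']}")
    print("usable from the file alone:", exposed_contexts(rows))
```

Every context this reports as reachable is a cluster whose secrets, in all namespaces the credential can read, should be treated as exposed if the kubeconfig was on an affected host; moving those contexts to exec-based, short-lived credentials shrinks what a future theft of the file is worth.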

Sunday, April 5, 2026

The 2019 Trump–Ukraine political scandal arose primarily from the discovery of U.S. president Donald Trump's attempts to coerce Ukraine into investigating his political rival Joe Biden and thus potentially damage Biden's campaign for the 2020 Democratic Party presidential nomination. Trump enlisted surrogates in and outside his administration, including personal lawyer Rudy Giuliani and Attorney General William Barr, to pressure Ukraine and other governments to cooperate in supporting and legitimizing the Biden–Ukraine conspiracy theory and other conspiracy theories concerning U.S. politics.[1][2][3][4][5] Trump blocked payment of a congressionally-mandated $400 million military aid package, in an attempt to obtain quid pro quo cooperation from Ukrainian president Volodymyr Zelenskyy. Contacts were established between the White House and government of Ukraine, culminating in a phone call between Trump and Zelenskyy on July 25, 2019.

The White House corroborated allegations raised by the whistleblower. A transcript of the Trump–Zelenskyy call confirmed Trump requested investigations into Joe Biden and his son Hunter Biden, as well as a conspiracy theory involving a Democratic National Committee server, while urging Zelenskyy to work with Giuliani and Barr on this.

Former acting chief of staff Mick Mulvaney said one reason why Trump withheld aid to Ukraine was Ukrainian "corruption related to the DNC server", referring to a debunked theory that Ukrainians framed Russia for hacking into the DNC system.[12] Trump has publicly urged Ukraine and China to investigate the Bidens.[13] The Trump administration's top diplomat to Ukraine, Bill Taylor, testified he was told aid to Ukraine and a Trump–Zelenskyy White House meeting were conditional on Zelenskyy announcing investigations into the Bidens and alleged Ukrainian interference in the 2016 U.S. elections.

Trump was impeached on charges of abuse of power and obstruction of Congress,[18] but was acquitted by the Senate.

Wednesday, January 7, 2026

Maritime standoff

A standoff is occurring in the North Atlantic after U.S. forces seized a Russian-flagged tanker linked to Venezuela.

US operation

U.S. authorities assert that the operation is part of efforts to enforce sanctions against Venezuela.

Tanker identity changes

The vessel in question, formerly known as the Bella 1, reportedly evaded a previous U.S. blockade, refused Coast Guard boarding near Venezuela, and then altered its identity.

Saturday, November 29, 2025

Towards the end of last year, federal prosecutors started examining two loans totaling $8m wired to Trump Media, through the Caribbean, from two obscure entities that both appear to be controlled in part by the relation of an ally of Russian president Vladimir Putin, the sources said.

The expanded nature of the criminal investigation, which has not been previously reported, threatens to delay the completion of the merger between Trump Media and DWAC, which would provide the company and Truth Social with up to $1.3bn in capital, in addition to a stock market listing.

Even if Trump Media and its officers face no criminal exposure for the transactions, the optics of borrowing money from potentially unsavory sources through opaque conduits could cloud Trump’s image as he seeks to recapture the White House in 2024.

The extent of the exposure for Trump Media and its officers for money laundering remains unclear. The statutes broadly require prosecutors to show that defendants knew the money was the proceeds of some form of unlawful activity and the transaction was designed to conceal its source.

But money laundering prosecutions are typically based on circumstantial evidence and can be based on materials that show that the money in question was unlikely to have legitimate origins, legal experts said.

The first $2m payment to Trump Media came in December 2021 when the company was on the brink of collapse after the planned merger with DWAC – that would have unlocked millions for the company – was delayed when the SEC opened an inquiry into whether the arrangement broke regulatory rules.

Trump Media needed a bridge loan to keep the company afloat. But it struggled to get financing until DWAC’s chief executive Patrick Orlando sourced a $2m loan wired from Paxum Bank registered in Dominica, according to the wire transfer receipt reviewed by the Guardian.

The wire transfer identified Paxum Bank as the beneficial owner, although the promissory note identified an entity ca

A Florida judge granted motions to dismiss to The Guardian and other defendants in a defamation lawsuit filed by Truth Social’s parent company, Trump Media & Technology Group Corp. (TMTG), the latest example of President Donald Trump’s legal actions against media companies not holding up in court.

The dispute arose from two articles published by the UK-based Guardian in March 2023 “reporting on a federal criminal investigation related to TMTG’s receipt of two payments totaling $8 million,” Judge Hunter Carroll of the Twelfth Judicial Circuit Court for Sarasota County wrote in his order summarizing the case, including reports that “federal prosecutors in New York were conducting a money laundering investigation related to the payments, which were wired through the Caribbean from Paxum Bank and ES Family Trust, entities with ties to an ally of Russian president Vladimir Putin and a history of providing banking services to the sex worker industry,” and that the origins of the loans caused alarm at TMTG and TMTG’s then CFO weighed returning the money, but the money was ultimately not returned.

Friday, November 21, 2025

How did the last security guarantees from the US (to give up nuclear weapons) work out for Ukraine?

The new Trump plan to end the war in Ukraine would grant Russia parts of eastern Ukraine it does not currently control, in exchange for a U.S. security guarantee for Ukraine and Europe against future Russian aggression, a U.S. official with direct knowledge told Axios.

Saturday, November 1, 2025

The biggest takeaway was Trump’s willingness to add sanctions to those imposed under the Biden administration.

“This is the first set of sanctions from President Trump after he returned to the White House,” said Weafer. “And the fear now is that now that he’s broken, kind of like the seal, as it were, that if he is dissatisfied with any progress with Russia going forward, then he may come with more and more damaging sanctions.”

“So many of these measures have been implemented too slowly and ... a little bit at a time so that Russia has had time to adapt and to prepare and to prevent and to react,” Perrotta Berlin said.