Developers who installed the nightly builds of PyTorch between December 25 and 30, 2022, are advised to uninstall them and purge the pip cache to get rid of the malicious package, PyTorch maintainers report. The attack highlights a recent trend, InfoQ wrote on the topic.
The downstream attack stems from a malicious dependency that was uploaded to PyPI under the same name as the one shipped in the PyTorch nightly index.
“Since the PyPI index takes precedence, this malicious package was installed instead of the version from our official repository. This design allows someone to register a package with the same name as one that exists in the third-party index, and pip will install its default version.”
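The precedence problem described in the quote, modelled as an added example (this is not PyTorch's or pip's code): a resolver that merges candidates from a trusted third-party index and public PyPI the way `pip install --extra-index-url` does, and a defensive check for names that exist on both. The index URL for the third-party index and all package versions are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str

# Constructed sample index contents (assumption: simplified, not the real indexes).
TRUSTED_INDEX = "https://third-party-index.example/simple"  # placeholder URL
PUBLIC_INDEX = "https://pypi.org/simple"
INDEXES = {
    TRUSTED_INDEX: [
        Candidate("torchtriton", "2.0.0", TRUSTED_INDEX),
        Candidate("torch", "2.0.0.dev20221229", TRUSTED_INDEX),
    ],
    PUBLIC_INDEX: [
        Candidate("torchtriton", "3.0.0", PUBLIC_INDEX),  # attacker-registered same name
        Candidate("numpy", "1.24.1", PUBLIC_INDEX),
    ],
}

def version_key(version):
    """Simplified ordering: numeric release segments only, local label after '+' ignored.
    (Real pip uses full PEP 440 ordering; this is enough to show the shadowing.)"""
    base = version.split("+", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in base.split("."))

def select(name, indexes):
    """Mimic pip with --extra-index-url: merge every listed index's candidates and
    take the highest version, regardless of which index offered it."""
    cands = [c for idx in indexes for c in INDEXES[idx] if c.name == name]
    return max(cands, key=lambda c: version_key(c.version), default=None)

def shadowed_names(trusted_index, public_index):
    """Defensive check: names served by the trusted index that also exist on the
    public index and could therefore be picked instead of the trusted build."""
    trusted = {c.name for c in INDEXES[trusted_index]}
    public = {c.name for c in INDEXES[public_index]}
    return sorted(trusted & public)

if __name__ == "__main__":
    # With both indexes in play the public, higher-versioned package wins.
    print("merged :", select("torchtriton", [PUBLIC_INDEX, TRUSTED_INDEX]))
    # Restricting resolution to the trusted index alone avoids the shadowing.
    print("trusted:", select("torchtriton", [TRUSTED_INDEX]))
    print("collisions to review:", shadowed_names(TRUSTED_INDEX, PUBLIC_INDEX))
```

Running the collision check against the real index listings (over the network) is what lets a maintainer spot a same-named public package before users resolve against it.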
The malicious package, called torchtriton, includes a binary file that, in addition to exfiltrating system information such as hostname, DNS configuration, username, and shell environment, also uploads the contents of /etc/hosts, /etc/passwords, ~/.gitconfig, ~/.ssh/*, and the first 1,000 files found in users’ home directories. However, the information is only exfiltrated when the user explicitly imports the triton package into their program, which reduces the impact of the attack and its potential for mass distribution.
Following the official disclosure, the alleged torchtriton maintainer said on their website that the package was not intended for malicious activity, as Aks Sharma also reported on Twitter. Analyzing the attack for Bleeping Computer, however, Sharma also revealed that torchtriton used anti-virtual-machine techniques as well as obfuscation to evade detection.
PyTorch maintainers immediately took action to remove torchtriton as a dependency and replace it with pytorch-triton, along with a dummy package registered on PyPI to ensure the attack would not recur.