Credential Stealing via Malicious `torchtriton` Package on PyPI
Overview
A malicious package named `torchtriton` was discovered on the Python Package Index (PyPI), typosquatting the legitimate `triton` library used for GPU programming within the PyTorch ecosystem. The package was often installed as a dependency of other fraudulent packages. When developers installed this malicious package, typically via a `pip install` command, a malicious `setup.py` script was executed as part of the installation process. This script contained obfuscated code designed to steal sensitive information from the developer's machine and development environments. It would scan for and exfiltrate environment variables, shell history files (`.bash_history`, `.zsh_history`), and secrets from common configuration directories, including SSH keys (`~/.ssh`), Kubernetes configurations (`~/.kube/config`), and cloud provider credentials (`~/.aws/`, `~/.gcp/`). The stolen data was then base64-encoded and transmitted via DNS or HTTP requests to a command-and-control server controlled by the attacker. This attack highlights the significant supply chain risk for AI/ML developers, who often rely on a complex web of open-source dependencies. The incident prompted the PyTorch security team to issue advisories and work with PyPI administrators to remove the offending packages, reinforcing the need for dependency scanning and verification in all development and MLOps pipelines.
Affected Systems
Testing Guide
1. **Check for Malicious Package**: Run the command `pip show torchtriton`. If the package is installed, your system has been compromised. Immediately rotate all credentials.
2. **Review Pip History**: Examine your shell history for `pip install` commands that may have included typos or unfamiliar package names.
3. **Scan Dependencies**: Run `pip-audit` in your project's virtual environment to check for this and other known vulnerable packages.
Mitigation Steps
1. **Vet Dependencies**: Before adding a new dependency, verify its authenticity. Check for official sources, download statistics, and signs of legitimacy on PyPI.
2. **Use Lockfiles**: Use `pip-tools` or `poetry` to generate and pin dependency versions in a lockfile (`requirements.txt` or `poetry.lock`). This prevents unexpected packages from being installed.
3. **Audit Installed Packages**: Regularly audit the packages in your environment. Run `pip list` and compare against your declared dependencies to find unexpected packages.
4. **Use Scanners**: Integrate a dependency scanner like `pip-audit` or commercial equivalents into your CI/CD pipeline to automatically check for known malicious packages or vulnerabilities.
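The following script is an added example (not code from the advisory or the PyTorch project) that automates Testing Guide step 1 and Mitigation step 3: it compares the distributions visible to the current interpreter against the names declared in a `requirements.txt`, normalizing names per PEP 503 so `Torch_Triton` and `torch-triton` compare equal, and flags any installed package on a known-malicious list. The `KNOWN_MALICIOUS` set and the requirements file path are assumptions to adapt to your environment.

```python
from __future__ import annotations

import re
import sys
from importlib import metadata

# Names the advisory identifies as malicious on PyPI (assumed list; extend
# from your own threat-intel feed).
KNOWN_MALICIOUS = {"torchtriton"}


def normalize(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' or '.' become '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> set[str]:
    """Return the normalized project names declared in requirements.txt text.

    Comments, blank lines and pip options (-r, -e, --index-url ...) are
    skipped; extras, version specifiers and environment markers are stripped.
    """
    names: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        line = line.split(";", 1)[0]  # drop environment marker
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            names.add(normalize(match.group(1)))
    return names


def installed_packages() -> set[str]:
    """Normalized names of every distribution this interpreter can import."""
    names: set[str] = set()
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name:  # broken .dist-info directories can lack a Name
            names.add(normalize(name))
    return names


def audit(installed: set[str], declared: set[str]) -> dict[str, list[str]]:
    """Report known-malicious names and packages installed but not declared."""
    blocklist = {normalize(n) for n in KNOWN_MALICIOUS}
    return {
        "malicious": sorted(installed & blocklist),
        "unexpected": sorted(installed - declared),
    }


if __name__ == "__main__":
    req_path = sys.argv[1] if len(sys.argv) > 1 else "requirements.txt"
    with open(req_path, encoding="utf-8") as fh:
        report = audit(installed_packages(), parse_requirements(fh.read()))
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or 'none'}")
    sys.exit(1 if report["malicious"] else 0)
```

Against a top-level `requirements.txt` the `unexpected` list will include legitimate transitive dependencies, so the comparison is only precise when run against a fully pinned lockfile as in Mitigation step 2; a non-empty `malicious` list is the signal to treat the host as compromised and rotate credentials.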
Patch Details
The malicious package `torchtriton` and its dependents were removed from the PyPI registry. No patch is required if you did not install the package.