Credential Theft via Malicious PyPI Package 'huggingface-cli-pro'
Overview
A malicious package named `huggingface-cli-pro` was discovered on the Python Package Index (PyPI). The package was a typosquat of the popular `huggingface-hub` library, targeting AI and ML developers who might misspell the name or be lured by the promise of 'pro' features. Upon installation via `pip install huggingface-cli-pro`, the package's `setup.py` script would execute a malicious payload. This payload was designed to be stealthy, first checking for the presence of a virtual machine or debugger. If none was detected, it would scan the user's home directory for sensitive files and environment variables. Specifically, it searched for `~/.ssh/id_rsa`, `~/.aws/credentials`, `~/.git-credentials`, and environment variables like `OPENAI_API_KEY`, `HUGGING_FACE_HUB_TOKEN`, and `GOOGLE_APPLICATION_CREDENTIALS`. All discovered credentials and keys were then base64 encoded and exfiltrated via a DNS query to an attacker-controlled domain, a technique used to bypass firewall egress rules. The attack was discovered after developers reported unexpected network traffic from their build servers. This incident highlights the significant supply chain risk for the AI ecosystem, where developers frequently install numerous third-party packages.
Affected Systems
Testing Guide
1. **Check Installation History:** Review your shell history (`history | grep pip`) and project dependency files for the package `huggingface-cli-pro` or other similarly suspicious names.
2. **Scan Installed Packages:** Run `pip list` to see all installed packages in your environment and visually inspect them for typos or unexpected names.
3. **Monitor Network Traffic:** During `pip install` or CI/CD builds, monitor outgoing network traffic, especially unusual DNS queries, which could indicate data exfiltration.
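Steps 2 and 3 above, automated as an added example that is not part of this advisory: it parses constructed `pip list --format=json` output for names that resemble popular packages, and scans constructed resolver log lines for the long base64-looking labels that DNS-based exfiltration produces. The popular-package watchlist, the log line format and the sample values are assumptions.

```python
import json, math, os, re
from collections import Counter
from difflib import SequenceMatcher

# Assumed watchlist of popular packages a typosquat would imitate (not from the advisory).
POPULAR = ("huggingface-hub", "transformers", "requests", "numpy", "torch")

# Constructed sample of `pip list --format=json` output from a build host.
PIP_LIST_JSON = """[{"name": "huggingface-cli-pro", "version": "0.1.0"},
 {"name": "huggingface-hub", "version": "0.23.0"},
 {"name": "requsts", "version": "2.31.0"}, {"name": "numpy", "version": "1.26.4"}]"""

# Constructed resolver log; the long label is base64 of a planted "OPENAI_API_KEY=..." string.
DNS_LOG = """2024-05-01T10:00:01 build01 A pypi.org
2024-05-01T10:00:02 build01 A files.pythonhosted.org
2024-05-01T10:00:03 build01 TXT T1BFTkFJX0FQSV9LRVk9c2stY29uc3RydWN0ZWQtc2FtcGxl.exfil.example"""

def lookalike_of(name):
    """Popular package that `name` resembles (shared prefix or edit similarity), else None."""
    n = name.lower().replace("_", "-")
    if n in POPULAR:
        return None
    best, best_ratio = None, 0.0
    for p in POPULAR:
        ratio = SequenceMatcher(None, n, p).ratio()
        if (ratio >= 0.8 or len(os.path.commonprefix([n, p])) >= 8) and ratio > best_ratio:
            best, best_ratio = p, ratio
    return best

def suspicious_packages(pip_list_json):
    """Map each installed lookalike name to the popular package it imitates."""
    return {pkg["name"]: hit for pkg in json.loads(pip_list_json) if (hit := lookalike_of(pkg["name"]))}

ENCODED_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{20,63}$")  # base64-like, within the DNS label limit

def entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def is_exfil_like(qname):
    """Long, high-entropy label in a base64 charset: the shape of data tunnelled through DNS."""
    return any(ENCODED_LABEL.match(l) and entropy(l) > 3.5 for l in qname.rstrip(".").split("."))

def flag_dns_queries(log):
    """Return the queried names in `log` (constructed 'ts host qtype qname' lines) that look like exfil."""
    return [f[3] for f in (line.split() for line in log.splitlines()) if len(f) >= 4 and is_exfil_like(f[3])]

if __name__ == "__main__":
    print(suspicious_packages(PIP_LIST_JSON))  # {'huggingface-cli-pro': 'huggingface-hub', 'requsts': 'requests'}
    print(flag_dns_queries(DNS_LOG))
```

Tune the watchlist, the 0.8 similarity threshold and the 3.5-bit entropy threshold to your own dependency set; hits are leads for manual review, not verdicts.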
Mitigation Steps
1. **Audit Dependencies:** Regularly use tools like `pip-audit` or `safety` to scan your project's dependencies for known vulnerabilities and malicious packages.
2. **Pin Dependencies:** Use a requirements file (`requirements.txt`) or `poetry.lock`/`Pipfile.lock` to pin exact versions of your dependencies to prevent automatic installation of a compromised newer version.
3. **Vet Packages:** Before installing a new package, inspect its metadata on PyPI (e.g., release history, author, GitHub link) for signs of illegitimacy. For critical projects, consider reviewing the package's source code.
4. **Use Isolated Environments:** Install packages in isolated virtual environments to prevent a malicious package from accessing system-wide files.
Patch Details
The malicious package was removed from the PyPI registry by the PyPA security team within hours of being reported.