Malicious Code Execution via Compromised `torch-optimizer` PyPI Package Targeting AI Developers
Overview
A sophisticated supply chain attack was identified where a popular PyPI package, `torch-optimizer`, used by thousands of AI developers for advanced PyTorch model optimization, was compromised. Attackers gained access to the package maintainer's account and published several malicious versions. The compromised package contained a malicious `setup.py` file with an obfuscated payload that executed upon installation (`pip install torch-optimizer`). The payload was designed to be stealthy, first checking if it was running in a virtualized environment or a CI/CD runner. If not, it proceeded to exfiltrate sensitive information from the developer's machine, including environment variables (targeting `AWS_ACCESS_KEY_ID`, `OPENAI_API_KEY`), SSH keys from the `~/.ssh` directory, and Kubernetes configuration files. The stolen data was base64 encoded and sent to a command-and-control (C2) server via a DNS tunnel to evade network detection. This attack underscores the significant supply chain risk within the AI ecosystem, as developers frequently rely on a vast web of open-source dependencies. The compromise of a single, popular package can lead to widespread breaches across individuals, startups, and large enterprises engaged in AI development, giving attackers access to sensitive models, training data, and cloud infrastructure.
Affected Systems
Testing Guide
1. **Check Installed Version:** Run `pip show torch-optimizer` in your environment. If the version is `0.4.1` or `0.4.2`, assume you are compromised.
2. **Review Installation Logs:** Check the logs from your `pip install` commands. The malicious package may have printed unusual messages or made unexpected network calls during installation.
3. **Network Traffic Analysis:** If possible, analyze historical DNS and network logs from developer machines or CI/CD runners for suspicious outbound connections around the time of installation.
4. **Credential Rotation:** If a vulnerable version was installed, immediately rotate all potentially exposed credentials, including API keys, SSH keys, and cloud access tokens.
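Step 3 above asks for a review of historical DNS logs, and the payload described here moved base64-encoded data through a DNS tunnel. The following is an added example (not part of the advisory) of the heuristic a defender can run over such logs: it flags query names that carry a long, base64-charset, high-entropy label beneath a parent domain and groups the hits by that domain. The log format, the `example-placeholder.net` domain and the encoded labels are all constructed for the demo, not indicators from this incident.

```python
import math
import re

# Constructed sample DNS query log: "<timestamp> <client> <qname> <qtype>".
# The long labels are base64 of placeholder strings and the parent domain is
# fabricated for this demo; neither is an indicator from the advisory.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 pypi.org A
2024-05-01T10:00:02Z 10.0.0.12 files.pythonhosted.org A
2024-05-01T10:00:05Z 10.0.0.12 QVdTX0FDQ0VTU19LRVlfSUQ9UExBQ0VIT0xERVI.c2.example-placeholder.net TXT
2024-05-01T10:00:05Z 10.0.0.12 T1BFTkFJX0FQSV9LRVk9UExBQ0VIT0xERVItS0VZ.c2.example-placeholder.net TXT
2024-05-01T10:00:06Z 10.0.0.12 LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZ.c2.example-placeholder.net TXT
2024-05-01T10:00:09Z 10.0.0.12 github.com A
"""

BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]+$")
MIN_LABEL_LEN = 30   # encoded chunks run far longer than ordinary hostnames
MIN_ENTROPY = 3.5    # bits per character; readable hostnames sit well below this

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def is_tunnel_like(qname: str) -> bool:
    """True if any label below the registrable domain looks like an encoded chunk."""
    labels = qname.rstrip(".").split(".")
    subdomain_labels = labels[:-2]   # drop the registrable domain (name.tld)
    return any(
        len(lbl) >= MIN_LABEL_LEN
        and BASE64_LABEL.match(lbl) is not None
        and shannon_entropy(lbl) >= MIN_ENTROPY
        for lbl in subdomain_labels
    )

def analyze_dns_log(text: str) -> dict:
    """Map each parent domain to the tunnel-like query names sent to it."""
    flagged = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2]
        if is_tunnel_like(qname):
            parent = ".".join(qname.rstrip(".").split(".")[-2:])
            flagged.setdefault(parent, []).append(qname)
    return flagged

if __name__ == "__main__":
    for parent, names in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{parent}: {len(names)} tunnel-like queries")
        for name in names:
            print("  ", name)
```

Tune the length and entropy thresholds against a baseline of your own resolver logs before alerting on them; a single hit is a lead to investigate, and many distinct long labels under one parent domain in a short window is the stronger signal.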
Mitigation Steps
1. **Pin Dependencies:** Use a dependency management tool like `pip-tools` or `Poetry` to pin exact, known-good versions of your dependencies in a `requirements.txt` or `poetry.lock` file.
2. **Audit Dependencies:** Regularly scan your project's dependencies for known vulnerabilities using tools like `pip-audit` or Snyk.
3. **Use Private Registries:** For enterprise environments, consider using a private PyPI mirror (e.g., Artifactory, Nexus) that vets and approves packages before making them available to developers.
4. **Isolate Build Environments:** Always perform package installations and builds in isolated, ephemeral environments (like Docker containers) with no access to sensitive credentials or network resources.
Patch Details
Malicious versions were removed from PyPI by the security team. A clean version, 0.4.3, was published by the original maintainer after regaining control of the account.