Malicious PyPI Package `tensor-flow-nightly` Exfiltrates Cloud Credentials
Overview
A sophisticated supply chain attack was identified targeting AI and machine learning developers through the Python Package Index (PyPI). A malicious package named `tensor-flow-nightly`, a typosquat of the popular `tf-nightly` package, was uploaded and downloaded thousands of times before being removed. The package contained a malicious `setup.py` script that executed upon installation via `pip`. The script was heavily obfuscated and contained a multi-stage payload. The first stage profiled the host environment, checking for the presence of `~/.aws/credentials`, `~/.kube/config`, and environment variables like `OPENAI_API_KEY`, `HUGGING_FACE_HUB_TOKEN`, and `AWS_SECRET_ACCESS_KEY`. If sensitive credentials were found, a second stage payload was downloaded from a remote server. This payload would then exfiltrate the stolen secrets by encoding them and embedding them in a series of DNS requests to an attacker-controlled domain, a technique used to bypass firewall egress filtering. This attack is particularly dangerous because it compromises the developer's machine and provides the attacker with direct access to cloud infrastructure, model repositories, and paid AI APIs, leading to potential data breaches, infrastructure abuse, and significant financial loss. The incident underscores the critical need for dependency scanning and verification in modern AI development workflows.
Affected Systems
Testing Guide
1. **Check Installed Packages**: Run `pip freeze | grep tensor-flow-nightly` in your virtual environments to see if the malicious package is installed.
2. **Review Shell History**: Check your shell history for installation commands targeting the typosquatted package name.
3. **Audit DNS Logs**: If possible, review network or DNS logs for suspicious requests to unknown domains originating from developer workstations or build servers around the time of installation.
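Step 3, auditing DNS logs, is the hardest to do by eye because the exfiltration described above looks like ordinary resolver traffic. The script below is an added example written for this advisory, not code from the advisory or from any vendor: it parses a constructed log format (`<ts> src=<ip> qname=<name> type=<rrtype>`, an assumption), flags queries whose subdomain portion is long and high-entropy (the signature of encoded data in labels), and reports domains that received several distinct such subdomains. All domain names, source IPs and thresholds are constructed; the `.test` domains are reserved names, not real infrastructure.

```python
"""Heuristic detector for DNS-tunnelled exfiltration in DNS query logs.

Added example, not part of the original advisory. The log format,
domain names, source IPs and thresholds are constructed for illustration.
"""
import math
import re
from collections import defaultdict

# Constructed log format (assumption): "<ts> src=<ip> qname=<name> type=<rrtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+qname=(?P<qname>\S+)\s+type=(?P<rtype>\S+)$"
)

MIN_PAYLOAD_LEN = 30         # encoded secrets make the subdomain part unusually long
MIN_ENTROPY = 3.0            # bits per character; human-readable labels sit well below
MIN_DISTINCT_SUBDOMAINS = 3  # chunked payload = many unique subdomains under one domain


def split_name(qname):
    """Split a query name into (subdomain part, registered domain).
    Simplification: the registered domain is taken to be the last two labels;
    production code should consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_query(qname):
    """True when the subdomain part looks like encoded data rather than a hostname."""
    sub, _ = split_name(qname)
    payload = sub.replace(".", "")
    return len(payload) >= MIN_PAYLOAD_LEN and shannon_entropy(payload) >= MIN_ENTROPY


def analyze_log(lines, allowlist=frozenset()):
    """Return {registered_domain: {"queries", "distinct", "hosts"}} for domains that
    received MIN_DISTINCT_SUBDOMAINS or more distinct suspicious subdomains."""
    seen = defaultdict(lambda: {"queries": 0, "distinct": set(), "hosts": set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the audit
        qname = m.group("qname")
        sub, domain = split_name(qname)
        if domain in allowlist or not is_suspicious_query(qname):
            continue
        entry = seen[domain]
        entry["queries"] += 1
        entry["distinct"].add(sub)
        entry["hosts"].add(m.group("src"))
    return {
        d: {"queries": e["queries"], "distinct": len(e["distinct"]), "hosts": sorted(e["hosts"])}
        for d, e in seen.items()
        if len(e["distinct"]) >= MIN_DISTINCT_SUBDOMAINS
    }


# Constructed sample log: a workstation resolves PyPI and a CDN name, then three
# chunked, base32-looking queries go to one unfamiliar domain. The long all-'a'
# label and the single query to lonely-example.test show what is NOT reported.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.0.0.15 qname=pypi.org type=A",
    "2024-05-01T10:00:01Z src=10.0.0.15 qname=files.pythonhosted.org type=A",
    "2024-05-01T10:00:02Z src=10.0.0.15 qname=d1a2b3c4d5e6f7.cdn-example.net type=A",
    "2024-05-01T10:00:03Z src=10.0.0.15 qname=mfrggzdfmztwq2lknnwg23tfnvsxg5dz.ovzxq5bnmvsgk4rn.exfil-example.test type=TXT",
    "2024-05-01T10:00:03Z src=10.0.0.15 qname=krugkidrovuwg2zamjzg653oebfgc4tdovsxg5a.mrsg65tlmjyhe.exfil-example.test type=TXT",
    "2024-05-01T10:00:04Z src=10.0.0.15 qname=nfsgk3tuebtgc5dfebuhi4dtf5zwkzlsobzwq2lo.n5rwc43fmnzgk5a.exfil-example.test type=TXT",
    "2024-05-01T10:00:05Z src=10.0.0.15 qname=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com type=A",
    "2024-05-01T10:00:06Z src=10.0.0.22 qname=abcdefghijklmnopqrstuvwxyz234567abcd.lonely-example.test type=A",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    findings = analyze_log(SAMPLE_LOG, allowlist=frozenset({"pypi.org", "pythonhosted.org"}))
    for domain, info in findings.items():
        print(f"{domain}: {info['queries']} queries, {info['distinct']} distinct subdomains, hosts={info['hosts']}")
```

The allowlist matters in practice: some legitimate services (certificate transparency, anti-malware lookups, CDNs) also put opaque tokens in DNS labels, so tune the thresholds against a baseline of your own resolver logs and add those domains to the allowlist rather than lowering `MIN_ENTROPY` globally.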
Mitigation Steps
1. **Verify Package Names**: Always double-check package names for typos before installation.
2. **Use Dependency Scanning Tools**: Integrate tools like `pip-audit` or commercial equivalents into CI/CD pipelines to check for known malicious or vulnerable packages.
3. **Pin Dependencies**: Use a lockfile (e.g., `requirements.txt` with hashed versions or `poetry.lock`) to ensure you are installing known, vetted versions of dependencies.
4. **Isolate Build Environments**: Run installation and build processes in ephemeral, network-restricted environments to limit the potential impact of a malicious script.
5. **Use Scoped Credentials**: Avoid storing long-lived, high-privilege credentials on developer machines. Use temporary credentials where possible.
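Steps 1 and 3 can be automated as a pre-install gate. The script below is an added example, not code from the advisory: it parses a hash-pinned `requirements.txt` fragment, refuses any line without a hash (the behaviour of `pip install --require-hashes`), checks each name against an allowlist using PEP 503 normalization, flags names that resemble an allowlisted one (within edit distance 2, or embedding a known name, which is how `tensor-flow-nightly` relates to `tensorflow`), and verifies the SHA-256 of each downloaded artifact against the pin. The package names, versions, hashes, file contents and the `KNOWN_GOOD` allowlist are all constructed; the good hash is derived from the constructed bytes so the example runs offline, whereas a real lockfile would carry hashes produced by a tool such as `pip-compile --generate-hashes`.

```python
"""Pre-install checks for a hash-pinned requirements file: name allowlisting,
typosquat resemblance, and artifact hash verification.

Added example, not part of the original advisory. Package names, versions,
hashes and file contents are constructed; KNOWN_GOOD is a hypothetical
allowlist an organisation would maintain for its own dependencies.
"""
import hashlib
import re

REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<ver>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


def normalize(name):
    """PEP 503 name normalization: case-fold and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidate(name, known_good):
    """Return the allowlisted name that `name` most resembles, or None.
    Heuristic on separator-stripped forms: within edit distance 2, or embedding
    a known name of six or more characters ('tensorflownightly' embeds 'tensorflow')."""
    bare = normalize(name).replace("-", "")
    for good in sorted(known_good):
        gbare = normalize(good).replace("-", "")
        if bare == gbare:
            continue  # identical after normalization is not a typosquat
        if levenshtein(bare, gbare) <= 2 or (len(gbare) >= 6 and gbare in bare):
            return good
    return None


def parse_requirements(text):
    """Parse 'name==version --hash=sha256:...' lines. Backslash continuations are
    joined; comments and blank lines are ignored; an unpinned or hash-less line
    is an error, mirroring `pip install --require-hashes`."""
    reqs = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable or unpinned requirement: {line!r}")
        hashes = set(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
        if not hashes:
            raise ValueError(f"no --hash given for {m.group('name')}")
        reqs.append((m.group("name"), m.group("ver"), hashes))
    return reqs


def check_install(req_text, artifacts, known_good):
    """artifacts maps requirement name -> bytes of the downloaded file.
    Returns {name: status} where status is 'ok', 'hash mismatch', 'artifact missing',
    'not on allowlist' or 'possible typosquat of <name>'."""
    allowed = {normalize(g) for g in known_good}
    report = {}
    for name, _ver, hashes in parse_requirements(req_text):
        if normalize(name) not in allowed:
            squat = typosquat_candidate(name, known_good)
            report[name] = f"possible typosquat of {squat}" if squat else "not on allowlist"
            continue
        data = artifacts.get(name)
        if data is None:
            report[name] = "artifact missing"
        elif hashlib.sha256(data).hexdigest() in hashes:
            report[name] = "ok"
        else:
            report[name] = "hash mismatch"
    return report


# Constructed data. The good hash is derived from the constructed bytes so the
# example is self-contained; the other pins are placeholder digests.
KNOWN_GOOD = {"tensorflow", "tf-nightly", "requests", "numpy"}
REQUESTS_WHEEL = b"constructed: contents of requests-2.31.0 wheel"
NUMPY_WHEEL_TAMPERED = b"constructed: numpy wheel that does not match its pin"
REQUIREMENTS = f"""
# constructed lockfile fragment
requests==2.31.0 \\
    --hash=sha256:{hashlib.sha256(REQUESTS_WHEEL).hexdigest()}
numpy==1.26.4 --hash=sha256:{'0' * 64}
tensor-flow-nightly==2.16.0 --hash=sha256:{'1' * 64}
requets==2.31.0 --hash=sha256:{'2' * 64}
"""
ARTIFACTS = {"requests": REQUESTS_WHEEL, "numpy": NUMPY_WHEEL_TAMPERED}

if __name__ == "__main__":
    for name, status in check_install(REQUIREMENTS, ARTIFACTS, KNOWN_GOOD).items():
        print(f"{name:22s} {status}")
```

Two design points: the allowlist is checked before the resemblance heuristic, so a legitimately allowlisted name that happens to embed another (for example a `-toolbelt` companion of an allowlisted project) is never flagged; and hash verification runs only for allowlisted names, because a matching hash says nothing about whether the package itself should be installed.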
Patch Details
The malicious package was removed from the PyPI registry by the security team after being reported.