Malicious PyPI Package 'torch-inspector' Steals Cloud Credentials and SSH Keys
Overview
A sophisticated supply chain attack targeted the AI/ML community through a malicious package named `torch-inspector` published on the Python Package Index (PyPI). Disguised as a debugging and inspection tool for PyTorch tensors, the package contained a hidden malicious payload within its `setup.py` script. The attack was initiated upon installation via `pip install torch-inspector`.

The setup script contained obfuscated code that, once executed, performed a detailed scan of the user's home directory. It specifically searched for sensitive files, including AWS credentials (`~/.aws/credentials`), Google Cloud SDK credentials, Azure CLI profiles, and private SSH keys (`~/.ssh/id_rsa`). Upon finding these files, the payload would compress them and exfiltrate the data to a command-and-control (C2) server using a DNS-over-HTTPS tunnel to evade simple network firewalls.

This incident is an example of a growing trend of targeting AI developers, who often have privileged access to valuable cloud computing resources and sensitive datasets. The package was promoted on forums and social media, leveraging typo-squatting against a similarly named legitimate tool. The impact is critical, as the stolen credentials provide attackers with direct access to cloud infrastructure, enabling data theft, model poisoning, and deployment of cryptomining malware.
Affected Systems
Testing Guide
1. Scan your project's dependencies for the package `torch-inspector` or similarly suspicious names.
2. Run `pip-audit` against your Python environment or `requirements.txt` file.
3. Manually inspect the `setup.py` or installation scripts of unfamiliar packages for obfuscated code or network activity.
4. Monitor outbound network traffic from developer machines during package installation for connections to unusual endpoints.
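A way to automate step 3 of the guide, as an added example that is not part of the original advisory: a static triage script that parses a package's `setup.py` with Python's `ast` module and flags the indicators described above (decoder, network, DNS or subprocess imports; `exec`/`eval` of decoded data; credential-file paths; large encoded blobs). The two `setup.py` samples at the bottom are constructed, and the checks are heuristics: a clean result is not proof that a package is safe.

```python
"""Static triage of a setup.py for install-time payload indicators.

Added example, not code from the original advisory; the sample setup.py
strings at the bottom are constructed, not the real package's payload."""
import ast
import re

DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
RISKY_MODULES = {"base64", "zlib", "marshal", "socket", "urllib",
                 "requests", "http", "dns", "subprocess", "ctypes"}
CREDENTIAL_HINT = re.compile(r"\.aws|\.ssh|id_rsa|gcloud|\.azure|credentials")
B64_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")


def triage_setup_py(source: str) -> list:
    """Return findings as 'line N: reason'; an empty list means nothing flagged."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Build scripts rarely need decoders, network, DNS or subprocess modules.
        if isinstance(node, ast.Import):
            roots = [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            roots = [(node.module or "").split(".")[0]]
        else:
            roots = []
        findings += [f"line {node.lineno}: imports {r}" for r in roots if r in RISKY_MODULES]
        # exec()/eval() of decoded data is the classic install-time loader.
        if isinstance(node, ast.Call):
            fn = node.func
            name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", "")
            if name in DYNAMIC_EXEC:
                findings.append(f"line {node.lineno}: dynamic execution via {name}()")
        # Credential-file paths or large encoded blobs embedded as string literals.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if CREDENTIAL_HINT.search(node.value):
                findings.append(f"line {node.lineno}: credential path {node.value!r}")
            elif B64_BLOB.fullmatch(node.value):
                findings.append(f"line {node.lineno}: {len(node.value)}-char base64-like blob")
    return findings


# Constructed samples: a plain build script and one showing the flagged patterns.
BENIGN_SETUP = """from setuptools import setup
setup(name="tensor-tools", version="0.1.0", packages=["tensor_tools"])
"""
SUSPICIOUS_SETUP = """import base64, os
from setuptools import setup
exec(base64.b64decode("PLACEHOLDER"))
open(os.path.expanduser("~/.aws/credentials")).read()
setup(name="torch-inspector", version="0.1.0")
"""
```

Run it over the unpacked sdist (`pip download --no-deps --no-binary :all: <package>`) before installing, since the goal is to read `setup.py` without ever executing it.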
Mitigation Steps
1. **Vet all dependencies** before installation. Use tools like `pip-audit` or Snyk to scan for known vulnerabilities and malicious packages.
2. **Pin dependency versions** in `requirements.txt` or `pyproject.toml` using a lockfile (`poetry.lock`, `Pipfile.lock`) to prevent unexpected updates from compromised packages.
3. **Use a private package repository** (e.g., Artifactory, Nexus) to host a curated set of approved open-source packages.
4. **Isolate development environments** using containers or virtual machines to limit the blast radius of a compromised dependency.
5. **Implement strict IAM roles** with short-lived credentials instead of storing static keys in developer home directories.
Patch Details
The malicious package was removed from PyPI by the security team upon discovery. However, developers who already installed it remain compromised.