Malicious PyPI Package 'torch-ops-ext' Steals AWS Credentials and Model Weights
Overview
A sophisticated supply chain attack targeted AI/ML developers through a malicious package named 'torch-ops-ext' published on the Python Package Index (PyPI). The package masqueraded as a performance extension for PyTorch, using typosquatting and a convincing README to lure developers. The malicious code was hidden within the `setup.py` file, which executed upon installation via `pip install`. The payload was heavily obfuscated and performed several malicious actions. First, it scanned the host environment for sensitive credentials, targeting `~/.aws/credentials`, `~/.gcp/`, and environment variables like `AWS_SECRET_ACCESS_KEY` and `HUGGING_FACE_TOKEN`. Second, it recursively searched the filesystem for common model file extensions such as `.pt`, `.pth`, and `.safetensors`. All discovered credentials and model files were archived and exfiltrated to an attacker-controlled command-and-control (C2) server. This attack posed a significant risk of intellectual property theft and unauthorized access to cloud infrastructure, particularly impacting CI/CD pipelines where service account credentials are often exposed.
Affected Systems
Testing Guide
1. **Check for Presence:** Run `pip freeze | grep torch-ops-ext` in your environment to see if the package is installed.
2. **Review Logs:** Examine CI/CD build logs and local shell history for installations of the package.
3. **Monitor Network Traffic:** Analyze network logs from developer machines and build servers for suspicious outgoing connections to unknown IP addresses around the time of package installations.
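The three checks above can be scripted so they run the same way on every developer machine and build agent. The following is an added example, not code from the advisory or from any project it names: it checks the installed distributions for the package, pulls installation lines out of a build log or shell history, and flags the indicators the overview describes (credential paths, secret environment variables, model-weight extensions, and an `exec` of a decoded blob) in a `setup.py`. The log excerpt and the `setup.py` snippet are constructed sample inputs, and the indicator list is an assumption drawn from the overview, not a published signature set.

```python
"""Defensive checks for the testing guide: is the package installed, does a
log show it being installed, and does a setup.py carry the advisory's indicators?"""
import re
from importlib import metadata

SUSPECT_PACKAGE = "torch-ops-ext"

# Indicators taken from the overview above (assumed, not an official ruleset):
# credential files, secret env vars, model-weight extensions, and the
# exec-of-decoded-blob shape typical of obfuscated install-time payloads.
INDICATORS = {
    "credential_path": re.compile(r"\.aws[/\\]credentials|\.gcp[/\\]"),
    "secret_env_var": re.compile(r"AWS_SECRET_ACCESS_KEY|HUGGING_FACE_TOKEN"),
    "model_extension": re.compile(r"\.(?:pt|pth|safetensors)\b"),
    "obfuscated_exec": re.compile(r"exec\s*\(\s*(?:base64|zlib|marshal)"),
}


def is_installed(name: str = SUSPECT_PACKAGE) -> bool:
    """Equivalent of `pip freeze | grep torch-ops-ext`, without a subprocess.
    Names are normalised so `torch_ops_ext` and `torch-ops-ext` compare equal."""
    wanted = name.lower().replace("_", "-")
    for dist in metadata.distributions():
        dist_name = (dist.metadata["Name"] or "").lower().replace("_", "-")
        if dist_name == wanted:
            return True
    return False


def find_install_events(log_text: str, name: str = SUSPECT_PACKAGE) -> list[str]:
    """Return the lines of a build log or shell history that installed `name`."""
    pattern = re.compile(r"pip3?\s+install\b.*\b" + re.escape(name) + r"\b")
    return [line.strip() for line in log_text.splitlines() if pattern.search(line)]


def scan_setup_py(source: str) -> dict[str, list[int]]:
    """Map each matched indicator to the 1-based line numbers where it occurs.
    Any 'credential_path' or 'obfuscated_exec' hit in install-time code is
    worth a manual review; an empty dict means no indicator matched."""
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(label, []).append(lineno)
    return hits


# Constructed sample inputs; not real logs or real package contents.
SAMPLE_LOG = """\
Step 3/7 : RUN pip install --no-cache-dir torch==2.3.0
Step 4/7 : RUN pip install torch-ops-ext
Step 5/7 : RUN pip install -r requirements.txt
"""

SAMPLE_SETUP_PY = """\
from setuptools import setup
import base64, os
def _post_install():
    creds = os.path.expanduser("~/.aws/credentials")
    token = os.environ.get("HUGGING_FACE_TOKEN")
    exec(base64.b64decode("<constructed placeholder>"))
setup(name="torch-ops-ext", version="0.1.0")
"""

if __name__ == "__main__":
    print("installed:", is_installed())
    print("install events:", find_install_events(SAMPLE_LOG))
    print("setup.py indicators:", scan_setup_py(SAMPLE_SETUP_PY))
```

`scan_setup_py` is meant to run over the `setup.py` of a downloaded sdist (`pip download --no-binary :all: <name>`) before anything is installed, since the advisory's payload ran at install time; matching a string is a prompt for review, not proof of malice.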
Mitigation Steps
1. **Remove the Package:** Immediately run `pip uninstall torch-ops-ext` and verify its removal.
2. **Audit Dependencies:** Use tools like `pip-audit` or Snyk to scan your project's dependencies for known vulnerabilities and malicious packages.
3. **Rotate Credentials:** Immediately rotate all cloud credentials (AWS, GCP, etc.) and API tokens (Hugging Face, OpenAI) found on affected systems.
4. **Use Pinned Dependencies:** Pin package versions in `requirements.txt` or `pyproject.toml` and use a hash-checking mode (`pip install --require-hashes ...`) to ensure integrity.
5. **Isolate Build Environments:** Run installation commands in sandboxed or ephemeral environments with restricted network access.
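Step 4 only helps if every line of the requirements file is actually pinned and hashed; pip's `--require-hashes` mode refuses to run otherwise, but that failure is easier to catch in a pre-flight check than in a broken build. The following is an added example, not code from the advisory or from pip: it validates a requirements file (handling comments, option lines and backslash continuations), and produces the `--hash=sha256:...` option for a locally downloaded wheel or sdist, the same digest `pip hash <file>` prints. The two requirements files are constructed samples whose digests are placeholders of the right shape, not real hashes.

```python
"""Pre-flight check for `pip install --require-hashes -r requirements.txt`:
every requirement must be pinned with '==' and carry a sha256 hash."""
import hashlib
import re

PINNED = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==\S+")
HASH_OPT = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")


def check_requirements(text: str) -> list[str]:
    """Return one message per offending requirement; an empty list means the
    file is fully pinned and hashed. Comments, blank lines and pip option
    lines (e.g. --index-url) are ignored; '\\' continuations are joined."""
    problems: list[str] = []
    logical: list[str] = []
    for raw in text.splitlines() + [""]:        # sentinel flushes a trailing entry
        stripped = raw.split("#", 1)[0].rstrip()
        if stripped.endswith("\\"):
            logical.append(stripped[:-1])
            continue
        logical.append(stripped)
        entry = " ".join(part.strip() for part in logical).strip()
        logical = []
        if not entry or entry.startswith("-"):   # blank or pip option line
            continue
        if not PINNED.match(entry):
            problems.append(f"not pinned with '==': {entry.split()[0]}")
        elif not HASH_OPT.search(entry):
            problems.append(f"no sha256 hash: {entry.split()[0]}")
    return problems


def sha256_hash_option(artifact: bytes) -> str:
    """The `--hash=sha256:...` option for a wheel/sdist's bytes, matching
    what `pip hash <file>` prints; read the file with Path.read_bytes()."""
    return f"--hash=sha256:{hashlib.sha256(artifact).hexdigest()}"


def _fake_digest(n: int) -> str:
    """Placeholder of the right length (64 hex chars); not a real digest."""
    return f"{n:064x}"


# Constructed sample files.
GOOD_REQUIREMENTS = f"""\
# pinned and hashed; continuation lines are common in generated files
torch==2.3.0 \\
    --hash=sha256:{_fake_digest(1)}
numpy==1.26.4 --hash=sha256:{_fake_digest(2)}
"""

BAD_REQUIREMENTS = f"""\
torch>=2.0            # version range, not a pin
numpy==1.26.4         # pinned but unhashed
torch-ops-ext==0.1.0 --hash=sha256:{_fake_digest(3)}
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_REQUIREMENTS), ("bad", BAD_REQUIREMENTS)):
        print(label, check_requirements(text) or "OK")
    print(sha256_hash_option(b"constructed artifact bytes"))
```

Note what the third line of `BAD_REQUIREMENTS` shows: a pinned, hashed `torch-ops-ext` passes this check. Hash checking guarantees that what gets installed is byte-for-byte what was reviewed; it says nothing about whether that artifact is safe, which is why step 2 (auditing) and step 5 (isolated builds) still apply.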
Patch Details
The malicious package 'torch-ops-ext' and its subsequent versions were removed from PyPI by the security team on 2025-07-23.