Malicious PyPI Package 'torch-optimizer' Mimics Popular Library to Steal ML Model Weights and Cloud Credentials
Overview
A sophisticated supply chain attack was discovered targeting AI and machine learning developers through the PyPI repository. The attacker published a package named `torch-optimizer`, a deliberate typosquat of the popular `torch-optim` library. The malicious package contained the full functionality of the original library to avoid immediate detection, but also included an obfuscated payload in its `setup.py` file. This payload was activated upon installation (`pip install torch-optimizer`). It would scan the developer's machine for sensitive information, specifically targeting directories like `~/.aws/`, `~/.gcp/`, and `~/.ssh/` for cloud credentials and SSH keys. Furthermore, the malware searched for common ML file extensions like `.pt`, `.pth`, and `.safetensors`, exfiltrating model weight files under a certain size. All collected data was base64-encoded and sent to an attacker-controlled server via a DNS tunnel to bypass egress firewalls. The attack proved highly effective as many developers, relying on autocomplete or slightly incorrect documentation, installed the malicious package without realizing their error. This incident highlights the significant risk of supply chain attacks in the rapidly growing AI ecosystem, where developers frequently install numerous third-party libraries.
Affected Systems
Testing Guide
1. Run the command `pip list --format=json` to get a list of all installed Python packages.
2. Carefully examine the list for packages with names that are common misspellings of popular libraries (e.g., `torch-optimizer` instead of `torch-optim`, `djanga` instead of `django`).
3. If a suspicious package is found, use a tool like `pip show -f <package-name>` to inspect its files and location. Look for suspicious code in `setup.py` or `__init__.py` files.
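The testing guide above compares installed names against known-good ones by eye. As an added example (not part of this advisory), the script below automates that step: it normalizes package names the way PyPI does, then flags any installed package that is not on an approved watchlist but is within a couple of edits of a watchlist name or extends one with a short suffix (the `torch-optimizer` / `torch-optim` pattern). The watchlist and the sample installed list are constructed for illustration.

```python
import json
import re
import subprocess

# Constructed watchlist of names the developer expects to see installed. In practice
# this would be the project's own approved dependency list (assumption, not from the page).
WATCHLIST = ["torch-optim", "django", "numpy", "requests"]


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via a rolling-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquat_candidates(installed, watchlist=WATCHLIST, max_distance=2):
    """Return (installed_name, lookalike) pairs for packages that are not on the watchlist
    but are close to a watchlist name by edit distance or by a short appended suffix."""
    lookalikes = {normalize(w) for w in watchlist}
    hits = []
    for pkg in installed:
        n = normalize(pkg)
        if n in lookalikes:
            continue  # exact match to a known-good name, nothing to flag
        for good in lookalikes:
            close = edit_distance(n, good) <= max_distance
            extends = n.startswith(good) and len(n) - len(good) <= 4
            if close or extends:
                hits.append((pkg, good))
                break
    return hits


def installed_package_names():
    """Package names from `pip list --format=json`, the command used in the testing guide."""
    out = subprocess.run(["pip", "list", "--format=json"], capture_output=True, text=True, check=True)
    return [entry["name"] for entry in json.loads(out.stdout)]


# Constructed sample of what `pip list --format=json` might return on a developer machine.
SAMPLE_INSTALLED = ["torch-optimizer", "django", "djanga", "numpy", "requests"]
```

On a real machine run `find_typosquat_candidates(installed_package_names())` and follow up each hit with `pip show -f <package-name>` as step 3 describes; a hit is a candidate for review, not proof of malice.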
Mitigation Steps
1. **Audit Dependencies:** Use `pip freeze` to list all installed packages and manually review them for potential typos or suspicious names. Remove any unknown or misspelled packages.
2. **Use Lock Files:** Enforce the use of lock files (`requirements.txt` with hashed versions, `poetry.lock`, `Pipfile.lock`) to ensure that only vetted package versions are installed in CI/CD and production.
3. **Scan Packages:** Integrate automated package scanning tools like `pip-audit`, Snyk, or Trivy into your development lifecycle to detect known malicious packages or vulnerabilities.
4. **Restrict Permissions:** Run development and CI/CD environments with the least privilege necessary, limiting access to sensitive credentials.
Patch Details
The malicious package 'torch-optimizer' was removed from the PyPI registry on 2025-07-23 after being reported.