Malicious PyPI Package `torch-optimizer` Steals Cloud and Git Credentials from AI/ML Environments
Overview
A sophisticated supply chain attack was identified involving a malicious package named `torch-optimizer` uploaded to the Python Package Index (PyPI). The package typosquatted the legitimate and popular `torch_optimizer` library, deceiving developers with a similar name. The malicious package contained a harmful `setup.py` script that executed upon installation (`pip install torch-optimizer`). This script contained obfuscated code designed to scan the developer's machine and CI/CD environment for sensitive credentials. It specifically searched for environment variables (e.g., `AWS_SECRET_KEY`, `GOOGLE_APPLICATION_CREDENTIALS`, `HF_TOKEN`) and configuration files (e.g., `~/.aws/credentials`, `~/.gitconfig`, `~/.ssh/id_rsa`). Upon finding these credentials, the script would Base64 encode them and exfiltrate the data via a DNS tunnel or a POST request to an attacker-controlled server. This attack targeted AI/ML developers specifically, aiming to compromise cloud infrastructure, private model repositories, and source code management systems. The incident underscores the critical need for dependency verification in AI development workflows.
Affected Systems
Testing Guide
1. Check your project's dependencies for `torch-optimizer` by running `pip freeze | grep torch-optimizer`.
2. If found, immediately treat the environment as compromised.
3. You can download the package's source distribution (`.tar.gz`) from PyPI without installing it.
4. Manually inspect the `setup.py` file for suspicious code, such as network requests, file system access to home directories, or use of `eval()`/`exec()` on obfuscated strings.
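A static helper for step 4, added here as an example (not part of the original advisory and not the real package's code): it parses a `setup.py` with Python's `ast` module, never executing it, and flags the indicators named above (network imports, `eval`/`exec`, Base64 helpers, home-directory paths, credential-like environment variables). The sample `setup.py` is constructed for illustration.

```python
import ast

# Indicators the testing guide tells a reviewer to look for in an untrusted setup.py.
DANGEROUS_CALLS = {"eval", "exec"}
NETWORK_MODULES = {"socket", "urllib", "requests", "http", "dns"}
ENCODING_CALLS = {"b64decode", "b64encode", "b32decode"}
CREDENTIAL_HINTS = ("SECRET", "TOKEN", "CREDENTIAL", "PASSWORD", "KEY")

def _name(node):
    """Dotted name of a call target or attribute, e.g. 'base64.b64decode' or 'eval'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""

def scan_setup_py(source: str) -> list[str]:
    """Statically scan setup.py source and return human-readable findings (no execution)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for m in mods:
                if m.split(".")[0] in NETWORK_MODULES:
                    findings.append(f"line {node.lineno}: network module import '{m}'")
        elif isinstance(node, ast.Call):
            target = _name(node.func)
            leaf = target.rsplit(".", 1)[-1]
            if leaf in DANGEROUS_CALLS:
                findings.append(f"line {node.lineno}: dynamic code execution via {target}()")
            elif leaf in ENCODING_CALLS:
                findings.append(f"line {node.lineno}: Base64/obfuscation helper {target}()")
            elif leaf == "expanduser" and node.args and isinstance(node.args[0], ast.Constant) \
                    and str(node.args[0].value).startswith("~"):
                findings.append(f"line {node.lineno}: home-directory path access {node.args[0].value!r}")
        elif isinstance(node, ast.Subscript) and _name(node.value) == "os.environ":
            key = node.slice  # Python 3.9+: the index expression itself
            if isinstance(key, ast.Constant) and any(h in str(key.value).upper() for h in CREDENTIAL_HINTS):
                findings.append(f"line {node.lineno}: reads credential env var {key.value!r}")
    return findings

# Constructed sample with the shape described in the overview; not the real package's code.
SAMPLE_SETUP_PY = '''\
import os, base64, urllib.request
from setuptools import setup
aws = open(os.path.expanduser("~/.aws/credentials")).read()
token = os.environ["HF_TOKEN"]
exec(base64.b64decode("cHJpbnQoJ3gnKQ=="))
setup(name="torch-optimizer", version="0.0.1")
'''
```

Run `scan_setup_py(open("setup.py").read())` on the extracted source distribution; an empty list means none of these indicators were found, not that the file is safe.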
Mitigation Steps
1. **Audit Dependencies:** Use tools like `pip-audit` or `Snyk` to scan your project's dependencies for known malicious packages or vulnerabilities.
2. **Pin Dependencies:** Use a `requirements.txt` or `poetry.lock` file to pin exact, known-good versions of your dependencies to prevent accidental installation of malicious updates.
3. **Use Scoped, Ephemeral Credentials:** In CI/CD environments, use short-lived credentials with the minimum required permissions (e.g., via AWS IAM roles for service accounts or OIDC).
4. **Vet Packages:** Before installing a new package, check its download statistics, release history, and source repository on PyPI to look for signs of suspicious activity.
Patch Details
The malicious package was removed from PyPI by the security team. Users must manually find and uninstall the package from affected systems.