Malicious PyPI Package `torch-optimizer` Steals Cloud Credentials from AI Developer Environments
Overview
A supply chain attack was identified involving a malicious package named `torch-optimizer` published to the Python Package Index (PyPI). The package impersonated a legitimate PyTorch optimizer library with a near-identical name and carried its payload in `setup.py`, so the malicious code ran during `pip install torch-optimizer`, at the point where pip builds the source distribution, without the victim ever importing the package and without any visible output. The payload scanned the developer's home directory for secrets commonly present in AI/ML development environments: AWS credentials (`~/.aws/credentials`), GCP and Azure configuration files, SSH private keys (`~/.ssh/id_rsa`), and Kubernetes configuration files (`~/.kube/config`). Any files found were compressed and exfiltrated over a DNS tunnel to an attacker-controlled domain; DNS is an attractive channel because outbound resolution is permitted almost everywhere and is seldom inspected. The impact is high because AI developers often hold programmatic access to sensitive datasets, GPU clusters, and production cloud infrastructure, and a single leaked key file can grant all of it. The package was discovered by a security firm's automated monitoring system, which flagged its unusual network activity and file system access when it was installed in a sandbox.
Affected Systems
Testing Guide
1. Review your project's dependency manifests for the package `torch-optimizer`. Pip and PyPI normalize `-`, `_` and `.` in project names (PEP 503), so `torch-optimizer`, `torch_optimizer` and `Torch.Optimizer` all resolve to the same project; search for every spelling rather than relying on the hyphen alone.
2. Run `pip freeze | grep -iE 'torch[-_.]optimizer'` in each virtual environment (and against the system interpreter) to check whether it is installed.
3. Because the payload ran from `setup.py` during installation, an install that was later uninstalled, or that failed after the build step, still counts as exposure. Check shell history and CI logs for `pip install` commands that pulled the package.
4. If it was ever installed, treat every credential file on the machine as compromised: rotate AWS access keys, regenerate SSH key pairs and remove the old public keys from `authorized_keys` files and hosting providers, and revoke the Kubernetes, GCP and Azure credentials referenced by the local config files. Then remove the package with `pip uninstall torch-optimizer`.
5. Scan DNS resolver logs from the host for signs of exfiltration: long or high-entropy subdomain labels, bursts of queries to one unfamiliar domain, and TXT lookups originating from a developer workstation.
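The following is an added triage script for the checks above; it is example code written for this page, not tooling from the advisory, the security firm, or PyPI. It assumes a Linux/macOS home directory layout, and the DNS log lines are constructed for the example (the attacker domain is replaced by a reserved `.example` name, and the log format `query=<name> type=<type>` is an assumption about your resolver's output).

```python
"""Added triage helpers for the torch-optimizer advisory (example code, not the
advisory's or any vendor's tooling). Assumes a Linux/macOS home directory layout
and a DNS log format that is constructed for this example."""
import math
import os
import re
from importlib import metadata

# Files the advisory names as targets, relative to the home directory. The GCP
# and Azure config locations are not named in the advisory; add yours here.
TARGETED_FILES = (".aws/credentials", ".ssh/id_rsa", ".kube/config")


def normalize(name: str) -> str:
    """PEP 503 normalization: pip treats torch-optimizer, torch_optimizer and
    Torch.Optimizer as the same project, so compare normalized names only."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_installed(target: str, installed_names=None) -> list:
    """Installed distributions that normalize to `target`. Pass a list of names
    (e.g. parsed from `pip freeze`) to check another environment offline."""
    if installed_names is None:
        installed_names = [d.metadata["Name"] for d in metadata.distributions()]
    want = normalize(target)
    return [n for n in installed_names if n and normalize(n) == want]


def credential_paths(home: str) -> list:
    """Absolute paths of the files the payload collected, for a given home dir."""
    return [os.path.join(home, rel) for rel in TARGETED_FILES]


def present_credential_files(home: str) -> list:
    """(path, mtime) for each targeted file that exists; every one of these
    should be treated as exposed if the package was ever installed."""
    return [(p, os.path.getmtime(p)) for p in credential_paths(home) if os.path.isfile(p)]


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload data scores far higher than hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


# Constructed log line format: "<ts> client=<ip> query=<qname> type=<qtype>".
DNS_LINE = re.compile(r"query=(?P<qname>\S+)\s+type=(?P<qtype>\w+)")


def dns_tunnel_score(qname: str, qtype: str) -> int:
    """Count DNS-tunnel indicators for one query. The registrable domain is
    assumed to be the last two labels (an assumption; use a public-suffix list
    in production)."""
    labels = qname.rstrip(".").split(".")
    payload = "".join(labels[:-2])
    score = 0
    score += len(qname) > 60                      # long names carry more data
    score += any(len(l) > 30 for l in labels)     # labels padded toward the 63-byte limit
    score += len(labels) > 5                      # many chunks per query
    score += shannon_entropy(payload) > 3.5       # base32/base64-like subdomain
    score += qtype.upper() in ("TXT", "NULL")     # types with room for a downstream channel
    return int(score)


def suspicious_dns_queries(log_lines, threshold: int = 3) -> list:
    """(qname, qtype, score) for every line scoring at or above `threshold`."""
    hits = []
    for line in log_lines:
        m = DNS_LINE.search(line)
        if m:
            qname, qtype = m.group("qname"), m.group("qtype").upper()
            score = dns_tunnel_score(qname, qtype)
            if score >= threshold:
                hits.append((qname, qtype, score))
    return hits


# Constructed sample log: benign lookups plus two tunnel-style queries to a
# reserved .example domain standing in for the attacker's server.
SAMPLE_DNS_LOG = [
    "2025-05-20T10:00:01Z client=10.0.0.5 query=pypi.org type=A",
    "2025-05-20T10:00:02Z client=10.0.0.5 query=files.pythonhosted.org type=A",
    "2025-05-20T10:00:03Z client=10.0.0.5 query=mfrggzdfmztwq2lknnwg23tpobyxe43uoqqhmzlsfzrwc4tf.m5uwq3tfmz2c43dmn5zgu4do.c.example type=TXT",
    "2025-05-20T10:00:04Z client=10.0.0.5 query=nfxgc3dtuhfxmgkmzylkmrjuzjqu6otmhv6xm3jn.pgcwi4zdl5yg.c.example type=TXT",
    "2025-05-20T10:00:05Z client=10.0.0.5 query=api.github.com type=A",
]

if __name__ == "__main__":
    print("installed:", find_installed("torch-optimizer"))
    print("exposed files:", present_credential_files(os.path.expanduser("~")))
    for hit in suspicious_dns_queries(SAMPLE_DNS_LOG):
        print("suspicious DNS:", hit)
```

The scoring is deliberately additive so that a single indicator (a long CDN hostname, a legitimate TXT lookup) does not trigger on its own; the two constructed tunnel queries hit the length, label-length and record-type indicators together, which is the pattern a chunked file upload over DNS produces.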
Mitigation Steps
1. **Vet Dependencies**: Check the spelling and provenance of a package name before installing it: open the PyPI project page, compare the upload history and maintainers against the project's source repository, and be suspicious of a recently created project whose name is one character away from a popular one.
2. **Use Lockfiles**: Pin exact versions with a lockfile (`poetry.lock`, `Pipfile.lock`, or a fully pinned `requirements.txt`) and pin hashes as well; `pip install --require-hashes -r requirements.txt` refuses any requirement whose `--hash` entry is missing or does not match the downloaded artifact, so a substituted package cannot install silently. A lockfile prevents an unexpected upgrade; it does not protect the first resolution, so vet names before locking.
3. **Dependency Scanning**: Integrate automated dependency scanning (Snyk, Dependabot, Grype or similar) into the CI/CD pipeline so that known-malicious and vulnerable packages are flagged before merge.
4. **Use a Private Registry**: For sensitive projects, host a curated private index and block direct access to PyPI from build agents and workstations, so that only reviewed packages can be installed.
5. **Principle of Least Privilege**: Avoid storing long-lived, high-privilege credentials on developer machines. Prefer short-lived credentials (SSO-issued cloud sessions, per-job CI tokens) and run package installation in containers or throwaway virtual machines that cannot read `~/.aws`, `~/.ssh` or `~/.kube`.
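As an added example of the first two mitigations (name vetting and hash-pinned lockfiles), the script below audits a `requirements.txt` before it is installed. It is example code written for this page, not part of the advisory or of any scanner it names; the allowlist of expected packages is hypothetical, the denylist carries the name from this advisory, and the sample requirements file is constructed.

```python
"""Added pre-install audit for a requirements file (example code, not from the
advisory or any tool it names). The allowlist is a hypothetical set of packages
this project is expected to use; the denylist carries the name from the advisory."""
import re

ALLOWLIST = {"torch", "numpy", "requests"}   # hypothetical: packages this project is known to use
DENYLIST = {"torch-optimizer"}                # the package named in this advisory


def normalize(name: str) -> str:
    """PEP 503 normalization, the same rule pip and PyPI apply to project names."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a name one edit from a known package is a typosquat candidate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def logical_lines(text: str):
    """Yield requirement lines with comments stripped and backslash continuations
    joined (hash-pinned files usually spread --hash options over several lines)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<spec>(==|~=|>=|<=|!=|<|>)\s*[^\s;]+)?")


def audit_requirements(text: str, allowlist=ALLOWLIST, denylist=DENYLIST) -> dict:
    """Map each problematic (normalized) package name to its list of findings."""
    bad = {normalize(d) for d in denylist}
    good = {normalize(a) for a in allowlist}
    findings = {}
    for line in logical_lines(text):
        if line.startswith("-"):          # -r, -e, --index-url and other pip options
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name = normalize(m.group("name"))
        issues = []
        if name in bad:
            issues.append("known malicious package (see advisory)")
        if not (m.group("spec") or "").startswith("=="):
            issues.append("version not pinned with ==")
        if "--hash=" not in line:
            issues.append("no --hash entry; pip --require-hashes would reject this file")
        for g in good:
            if name != g and levenshtein(name, g) == 1:
                issues.append(f"one edit away from {g}: possible typosquat")
        if issues:
            findings[name] = issues
    return findings


# Constructed requirements.txt with one clean entry and three kinds of problem.
SAMPLE_REQUIREMENTS = """\
torch==2.3.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
numpy>=1.26                      # floating version, no hash
reqests==2.32.0 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
torch-optimizer==0.3.0
"""

if __name__ == "__main__":
    for pkg, issues in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(pkg, "->", "; ".join(issues))
```

Run it as a CI step before `pip install --require-hashes`: the hash check stops a swapped artifact, while the edit-distance check catches the case a lockfile cannot, a misspelled name that was locked and hashed faithfully on the day it was first added.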
Patch Details
The malicious package `torch-optimizer` was removed from the PyPI registry on 2025-05-21 after being reported by security researchers.