Malicious PyPI Package 'torch-optimizer-utils' Steals Cloud and AI Service Credentials
Overview
A malicious package named `torch-optimizer-utils` was discovered on the Python Package Index (PyPI). The package was designed as a supply chain attack targeting AI and machine learning developers. It advertised itself as a collection of performance-enhancing utilities for PyTorch optimizers, but its `setup.py` file contained an obfuscated payload. Upon installation (`pip install torch-optimizer-utils`), the payload would execute. It was specifically programmed to scan the user's environment variables and common configuration file locations (e.g., `~/.aws/credentials`, `~/.gitconfig`) for sensitive credentials. The stolen secrets included OpenAI API keys, Hugging Face tokens, AWS and GCP credentials, and SSH private keys. The stolen data was then base64 encoded and exfiltrated via a series of DNS requests to an attacker-controlled domain, a stealthy technique designed to bypass common network firewalls. This incident highlighted the significant risk of supply chain attacks in the rapidly growing AI development ecosystem, where developers frequently install numerous third-party packages to accelerate their work. The impact for victims was critical, leading to compromised cloud infrastructure, theft of proprietary models, and fraudulent use of paid AI services.
Affected Systems
Testing Guide
1. **Check Installed Packages:** Run `pip list` in your project's environment.
2. **Identify Suspicious Packages:** Look for packages with names that are misspellings of popular libraries (typosquatting) or packages that you don't recognize.
3. **Search for the Malicious Package:** Specifically, check if `torch-optimizer-utils` is in the list. If it is, assume your environment and credentials have been compromised.
4. **Review `pip install` Logs:** If available, check shell history or CI/CD logs for installations of suspicious packages.
Mitigation Steps
1. **Vet Dependencies:** Use dependency analysis tools like `pip-audit` or commercial solutions (Snyk, Socket) to scan for known malicious or vulnerable packages before installation.
2. **Use Virtual Environments:** Always install packages in isolated Python virtual environments to prevent system-wide contamination.
3. **Review Package Code:** For less-known packages, manually inspect the `setup.py` and `__init__.py` files for suspicious code, such as network requests or file system access.
4. **Credential Management:** Store secrets in a dedicated secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager) instead of environment variables or config files. Use short-lived credentials wherever possible.
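As an added example (not part of the advisory or of any real tool), the following script performs the `setup.py` review from step 3 statically: it parses the file with `ast` without executing it and flags the behaviours described in the Overview (environment-variable harvesting, credential file paths, encoding and network modules, dynamic execution). The indicator lists and both sample `setup.py` texts are constructed assumptions; the suspicious sample only mimics the shape of such a file and is inert.

```python
"""Static triage of a setup.py for install-time credential-theft indicators (added example)."""
import ast
import re

# Modules that have no business in the install-time code of a PyTorch helper (assumed list)
SUSPICIOUS_IMPORTS = {"socket", "urllib", "requests", "base64", "dns", "subprocess"}
# Dynamic-execution builtins typical of obfuscated payloads
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__"}
# Credential locations named in the advisory plus SSH key paths (assumed patterns)
CREDENTIAL_PATH_RE = re.compile(r"\.aws/credentials|\.gitconfig|\.ssh/|id_rsa")

def triage_setup_py(source: str) -> list[str]:
    """Parse setup.py without running it and return sorted indicator tags."""
    findings: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_IMPORTS:
                    findings.add(f"import:{alias.name}")
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in SUSPICIOUS_IMPORTS:
                findings.add(f"import:{node.module}")
        elif isinstance(node, ast.Call):
            if isinstance(node.func, ast.Name) and node.func.id in SUSPICIOUS_CALLS:
                findings.add(f"call:{node.func.id}")
        elif isinstance(node, ast.Attribute):
            # Touching os.environ from setup.py is the env-var harvesting signal
            if isinstance(node.value, ast.Name) and node.value.id == "os" and node.attr == "environ":
                findings.add("env:os.environ")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if CREDENTIAL_PATH_RE.search(node.value):
                findings.add(f"path:{node.value}")
    return sorted(findings)

# Constructed samples: a clean setup.py and an inert one shaped like the malicious package's
BENIGN_SETUP = 'from setuptools import setup\nsetup(name="example-utils", version="1.0.0")\n'
SUSPICIOUS_SETUP = '''
import os, base64, socket
from setuptools import setup
blob = "PLACEHOLDER"  # constructed stand-in for an obfuscated payload, never decoded here
exec(base64.b64decode(blob))
secrets = dict(os.environ.items())
creds = os.path.expanduser("~/.aws/credentials")
setup(name="torch-optimizer-utils", version="0.1.0")
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, triage_setup_py(src))
```

Run it against a downloaded sdist's `setup.py` (`pip download --no-deps --no-binary :all: <pkg>`, then unpack) before installing; any `env:` or `path:` tag in a package that claims to be a pure optimizer utility warrants a closer look.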
Patch Details
The malicious package `torch-optimizer-utils` was removed from PyPI by the registry's security team on 2025-06-21.