Malicious PyPI Package `torch-utils` Steals SSH Keys and Cloud Credentials from AI Developers
Overview
A supply chain attack targeting AI and machine learning developers was discovered on the Python Package Index (PyPI). A malicious package named `torch-utils` was uploaded with a name chosen to pass for part of the legitimate and widely used `torch` (PyTorch) ecosystem. Its `setup.py` contained obfuscated code that ran during `pip install`: a source distribution's `setup.py` executes with the installing user's privileges before anything is ever imported, so no application code has to call the package for the payload to fire.

The installer script was multi-stage. It first performed reconnaissance on the developer's machine, searching for sensitive directories and files including `~/.ssh/`, `~/.aws/credentials`, and `~/.config/gcloud/`. Whatever it found was archived and exfiltrated to a remote command-and-control (C2) server over a DNS tunnel, a channel that egress filtering usually permits and that few environments inspect for payload-bearing queries. The package's description and metadata were copied from a legitimate library so it looked genuine, and it shipped non-functional placeholder code so that a cursory look at the installed files would not raise suspicion.

The vector is effective against AI developers because they frequently try new libraries and may mistype or misremember a package name. Stolen SSH keys and cloud credentials give the attacker direct access to source code repositories, cloud infrastructure, and training data, so a single mistaken install can expose an organization's most sensitive assets.
Affected Systems
Testing Guide
1. **Review Installation Logs:** Check shell history, container build logs, and CI/CD logs for installations of misspelled or look-alike package names such as `torch-utils` in place of `torch` or `torchvision`.
2. **Check Installed Packages:** Run `pip list` (or `pip freeze`) in every virtual environment, including those baked into container images, and look for unfamiliar packages or names that differ from a popular package by a character, a separator, or an added suffix.
3. **Monitor Network Traffic:** Install the package in an isolated environment with no real credentials present and capture outbound traffic. Beyond unexpected TCP connections, look at DNS specifically: many lookups of distinct, long, or high-entropy subdomains under one domain, and TXT queries from a build host, are the signature of a DNS tunnel.
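The two checks below are an added example, not tooling from the advisory or from PyPI: the first flags installed package names that are known bad or look like a typosquat of a name on an assumed team allowlist, the second runs a DNS-tunneling heuristic over a small set of constructed resolver log lines. The allowlist, the log format (`timestamp client query TYPE name`), and the thresholds are all assumptions to be tuned for a real environment.

```python
"""Added example (not from the advisory): local checks for a typosquatted
install and for DNS-based exfiltration. All sample data is constructed."""
import math
import re
from collections import Counter, defaultdict

# Assumed allowlist of packages the team intends to depend on.
KNOWN_GOOD = {"torch", "torchvision", "torchaudio", "numpy", "pandas", "requests"}
# Names reported as malicious; the advisory names torch-utils, the rest is
# for the caller to maintain from PyPI's malware reports.
KNOWN_BAD = {"torch-utils"}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; 1-2 edits from a popular name is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold and collapse runs of - _ . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def flag_typosquats(installed: list[str]) -> dict[str, str]:
    """Return {package: reason} for names that are known bad, within two edits
    of an allowlisted name, or an allowlisted name with a prefix/suffix glued on."""
    findings = {}
    for raw in installed:
        name = normalize(raw)
        if name in KNOWN_GOOD:
            continue
        if name in KNOWN_BAD:
            findings[raw] = "listed as malicious"
            continue
        for good in sorted(KNOWN_GOOD):  # sorted so the reported reason is stable
            if levenshtein(name, good) <= 2:
                findings[raw] = f"within 2 edits of {good}"
                break
            if name.startswith(good + "-") or name.endswith("-" + good):
                findings[raw] = f"wraps the popular name {good}"
                break
    return findings


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; hex/base64 blobs score above ~3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def flag_dns_tunnels(log_text: str, min_queries: int = 3) -> dict[str, dict]:
    """Group queries by their last two labels and flag parents that receive
    several distinct names whose leftmost label is high-entropy or very long."""
    per_parent = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue
        qname = parts[4]
        per_parent[".".join(qname.split(".")[-2:])].add(qname)
    flagged = {}
    for parent, names in per_parent.items():
        if len(names) < min_queries:
            continue
        mean_entropy = sum(entropy(n.split(".")[0]) for n in names) / len(names)
        longest = max(len(n) for n in names)
        if mean_entropy > 3.0 or longest > 50:
            flagged[parent] = {"queries": len(names),
                               "mean_entropy": round(mean_entropy, 2),
                               "longest": longest}
    return flagged


# Constructed `pip list`-style output and resolver log for the example.
INSTALLED = ["torch", "torch-utils", "numpy", "reqeusts", "pandas", "Torch_Vision"]
DNS_LOG = """\
2024-03-02T10:15:01Z 10.0.0.12 query A pypi.org
2024-03-02T10:15:01Z 10.0.0.12 query A files.pythonhosted.org
2024-03-02T10:15:04Z 10.0.0.12 query TXT 4a6f686e2e4b65792e.aHR0cDovL2V4YW1wbGU.c2VjcmV0.tun.example.net
2024-03-02T10:15:04Z 10.0.0.12 query TXT 9f8e7d6c5b4a39281706.ZGF0YS1ibG9i.tun.example.net
2024-03-02T10:15:05Z 10.0.0.12 query TXT 0123456789abcdef0123.YW5vdGhlcg.tun.example.net
2024-03-02T10:15:09Z 10.0.0.12 query A github.com
"""

if __name__ == "__main__":
    for pkg, why in flag_typosquats(INSTALLED).items():
        print(f"suspicious package {pkg}: {why}")
    for parent, stats in flag_dns_tunnels(DNS_LOG).items():
        print(f"possible DNS tunnel to {parent}: {stats}")
```

Both heuristics are for triage, not blocking: CDNs and telemetry endpoints also generate many distinct subdomains, and a two-edit threshold will flag some legitimate short names, so review the output against a baseline from a known-clean host before wiring it into a pipeline.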
Mitigation Steps
1. **Use Pinned Dependencies:** Pin exact versions and artifact hashes rather than bare names: generate `requirements.txt` with `pip-compile --generate-hashes` (from `pip-tools`) or use Poetry's lock file, and install with `pip install --require-hashes`. A hash pin ties the install to a specific artifact, so a look-alike name or a swapped build fails the install instead of running its `setup.py`.
2. **Vet Dependencies:** Before installing a new package, check its download statistics, release history, and metadata on PyPI. A package that appeared recently, has a single maintainer, copies another project's description, links to a repository that does not mention it, or ships only a source distribution with a `setup.py` deserves a closer look before it is installed.
3. **Use a Private Registry:** In enterprise environments, route installs through a private package registry (e.g., Nexus, Artifactory) that proxies and vets packages from public repositories, and block direct access to PyPI from build hosts so the registry's allowlist cannot be bypassed.
4. **Restrict Permissions:** Run `pip install` with the least privilege necessary and never as root. In CI/CD pipelines, use ephemeral build environments and short-lived, narrowly scoped credentials so that a compromised install step has little to steal and nothing that remains valid afterwards.
5. **Scan for Malware:** Use tools such as `pip-audit` or Snyk to scan dependencies. These catch packages with published advisories, which on PyPI includes reported malware, but only after someone has reported them; scanning complements pinning and vetting rather than replacing them.
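To make the hash-pinning step concrete, the following added example (not from the advisory, and not pip's own code) reproduces the check that `pip install --require-hashes` performs: parse a hash-pinned `requirements.txt`, hash the downloaded artifact, and refuse anything unpinned or mismatched. The wheel contents and the `torch-utils` artifact are constructed in a temporary directory; the file names and the `demo()` helper are assumptions for the example.

```python
"""Added example (not part of the advisory): the verification that pip's
hash-checking mode enforces, reproduced so it can also run as a CI gate.
Artifacts and digests are constructed; real projects get their hashes from
`pip-compile --generate-hashes`."""
import hashlib
import tempfile
from pathlib import Path

HASH_PREFIX = "--hash=sha256:"


def parse_pinned_requirements(text: str) -> dict[str, tuple[str, set[str]]]:
    """Parse `name==version --hash=sha256:... \\` entries into
    {name: (version, {digests})}. A trailing backslash continues the line,
    as pip-compile writes it. Unpinned or unhashed entries are rejected."""
    joined = text.replace("\\\n", " ")
    pins = {}
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        head, *opts = line.split()
        if "==" not in head:
            raise ValueError(f"unpinned requirement: {line!r}")
        name, version = head.split("==", 1)
        digests = {o[len(HASH_PREFIX):] for o in opts if o.startswith(HASH_PREFIX)}
        if not digests:
            raise ValueError(f"no sha256 hash pinned for {name}")
        pins[name.lower()] = (version, digests)
    return pins


def sha256_file(path: Path) -> str:
    """Stream the artifact through SHA-256; wheels can be hundreds of MB."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(name: str, path: Path, pins: dict) -> tuple[bool, str]:
    """Accept only artifacts whose name is pinned and whose digest is in the
    pin set. Anything else, including a typosquat, is refused before install."""
    key = name.lower()
    if key not in pins:
        return False, f"{name}: not in the pinned set, refusing to install"
    digest = sha256_file(path)
    if digest not in pins[key][1]:
        return False, f"{name}: sha256 {digest[:12]}... does not match the pin"
    return True, f"{name}=={pins[key][0]} verified"


def demo() -> list[tuple[bool, str]]:
    """Build a fake wheel, pin its hash, then try the genuine artifact, a
    tampered copy, and an unpinned look-alike. Returns (ok, message) for each."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "torch-2.2.0-py3-none-any.whl"          # constructed
        good.write_bytes(b"constructed wheel contents for the example")
        # The pinned line a real project would get from pip-compile.
        req = f"torch==2.2.0 \\\n    {HASH_PREFIX}{sha256_file(good)}\n"
        pins = parse_pinned_requirements(req)

        tampered = Path(d) / "torch-2.2.0-py3-none-any.whl.swapped"  # constructed
        tampered.write_bytes(b"constructed wheel contents for the example + backdoor")
        squat = Path(d) / "torch_utils-0.1-py3-none-any.whl"         # constructed
        squat.write_bytes(b"constructed look-alike package")

        return [
            verify_artifact("torch", good, pins),
            verify_artifact("torch", tampered, pins),
            verify_artifact("torch-utils", squat, pins),
        ]


if __name__ == "__main__":
    for ok, msg in demo():
        print("OK  " if ok else "FAIL", msg)
```

pip enters hash-checking mode automatically as soon as any requirement carries a `--hash`, and then every requirement, transitive ones included, must be pinned with a hash; that is why the lock file has to be generated by a tool rather than hand-written, and why a stray unhashed `pip install some-new-name` on the side bypasses the protection entirely.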
Patch Details
The malicious package `torch-utils` was removed from the PyPI repository by the PyPI security team. Removal stops new installs but does nothing for machines that already ran it: any host or CI runner that installed `torch-utils` should be treated as compromised, and the SSH keys, AWS credentials, and gcloud tokens present on it at install time should be rotated and their use audited.