Malicious PyPI Package 'torchfusion' Steals Cloud Credentials from AI Developers
Overview
A supply chain attack was identified on the Python Package Index (PyPI) involving a malicious package named `torchfusion`. The name is a lookalike of the PyTorch ecosystem (`torch`, and the plausible-sounding but non-existent `torch-fusion`): no legitimate package of that name exists, but it is believable enough to catch AI/ML developers who guess or mistype a package name. The package's `setup.py` file contained an obfuscated payload that executed upon installation via `pip install torchfusion`. Because the payload lives in `setup.py`, it runs with the installing user's privileges as soon as pip builds the package; no `import torchfusion` is needed, and installing it into a throwaway virtualenv is enough to trigger it. The payload was designed to scour the developer's machine for credentials related to AI development and deployment. It searched for common environment variable names (`AWS_ACCESS_KEY_ID`, `OPENAI_API_KEY`, `HF_TOKEN`), configuration files (`~/.aws/credentials`, `~/.kube/config`), and SSH private keys. Upon finding these credentials, it exfiltrated them to a hardcoded command-and-control (C2) server over a DNS-over-HTTPS (DoH) channel: the stolen data travels inside ordinary HTTPS requests to a DNS resolver rather than as plain DNS queries, so DNS-based egress filtering and simple port-53 monitoring do not see it. This attack highlights the increasing targeting of AI developers, whose environments are rich with high-value credentials for cloud compute and model API services. The incident forced a renewed focus on dependency hygiene and on package signing and verification within the AI community.
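To judge the blast radius of an install like this, a responder wants to know which of the credential sources the payload hunted actually exist on a given host. The script below is an added example written for this page; it is not code from the advisory or from the malicious package. It takes the environment-variable names, config paths and SSH-key location listed above as its targets, reports names and paths only (never secret values), and is parameterised over the environment and home directory so it can be exercised against a constructed test directory (`make_demo_home`, which writes fake, non-functional secrets).

```python
# Added example (not part of the original advisory): inventory the credential
# sources that the torchfusion payload is described as hunting, so a responder
# can see what an install on this host would have exposed. Only names and paths
# are reported, never secret values. The target lists come from the advisory;
# the scan is parameterised so it can run against a constructed test directory.
import os
import tempfile
from pathlib import Path

# Environment variables the advisory names as targets.
TARGET_ENV_VARS = ("AWS_ACCESS_KEY_ID", "OPENAI_API_KEY", "HF_TOKEN")

# Config files (relative to the home directory) the advisory names as targets.
TARGET_FILES = (".aws/credentials", ".kube/config")

# PEM-style private keys (RSA, EC, PKCS#8, OpenSSH) all carry this in their
# first line, so matching on content catches keys with non-default filenames.
PRIVATE_KEY_MARKER = b"PRIVATE KEY-----"


def find_env_exposure(env):
    """Names of targeted environment variables that are set and non-empty."""
    return [name for name in TARGET_ENV_VARS if env.get(name)]


def find_file_exposure(home):
    """Targeted config files that exist under `home`."""
    home = Path(home)
    return [rel for rel in TARGET_FILES if (home / rel).is_file()]


def find_ssh_private_keys(home):
    """Files under ~/.ssh whose first bytes look like a private key."""
    ssh_dir = Path(home) / ".ssh"
    if not ssh_dir.is_dir():
        return []
    found = []
    for path in ssh_dir.iterdir():
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(64)
        except OSError:  # unreadable entries (permissions, races) are skipped
            continue
        if PRIVATE_KEY_MARKER in head:
            found.append(path.name)
    return sorted(found)


def inventory_exposure(env, home):
    """Summarise what a credential-stealing install hook would have found."""
    return {
        "env": find_env_exposure(env),
        "files": find_file_exposure(home),
        "ssh_keys": find_ssh_private_keys(home),
    }


def make_demo_home():
    """Constructed home directory with fake, non-functional secrets for a dry run."""
    home = Path(tempfile.mkdtemp(prefix="exposure-demo-"))
    (home / ".aws").mkdir()
    (home / ".aws" / "credentials").write_text("[default]\naws_access_key_id = EXAMPLE\n")
    (home / ".ssh").mkdir()
    (home / ".ssh" / "deploy_key").write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\nEXAMPLE\n")
    (home / ".ssh" / "deploy_key.pub").write_bytes(b"ssh-ed25519 EXAMPLE\n")
    return home


if __name__ == "__main__":
    # Real host: the live environment and the real home directory.
    report = inventory_exposure(os.environ, Path.home())
    for kind, items in report.items():
        print(f"{kind}: {items or 'none'}")
```

Run it on the machine where the install happened; every item it lists is a credential to rotate. Note that it only covers the locations the advisory names, so a host with other secrets on disk still warrants a wider review.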
Affected Systems
Any developer workstation, build host or CI/CD runner on which `pip install torchfusion` was run, on any operating system; the payload executes from `setup.py` during installation, so importing the package is not required.
Testing Guide
1. **Check Installed Packages**: Run `pip list` in every environment you use (project virtualenvs, the system interpreter, CI runner images) and look for suspicious or unrecognized packages, `torchfusion` in particular; `pip show torchfusion` confirms whether and where it is installed. Because the payload ran from `setup.py` at install time, a hit means the credentials in the locations listed above should already be treated as stolen and rotated.
2. **Audit Dependencies**: Run `pip-audit -r requirements.txt` against your project's pinned requirements. `pip-audit` compares packages against published advisory data, so it flags `torchfusion` only once the package has been reported; a clean run is not proof that no malicious package is present.
3. **Review Installation Logs**: If you have logs from your CI/CD pipelines or local builds, search them for `torchfusion` and for any package in pip's `Successfully installed ...` lines that is not declared in your lock file.
4. **Network Monitoring**: In a disposable test environment that holds no real credentials (the install itself triggers the payload), monitor outbound network traffic while installing a suspicious package. A DoH channel appears as HTTPS to a DNS resolver rather than as port-53 DNS, so do not rely on DNS logs alone; capture every outbound connection.
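The first three steps can be scripted. The following is an added example written for this page, not tooling from the advisory, from pip or from `pip-audit`: it builds an allowlist from a project's requirements lines, extracts package names from pip's `Successfully installed ...` log lines (the form a CI build log contains), and reports anything not declared, with `torchfusion` always reported. Package names are normalised the way PyPI does (case-insensitive, `-`/`_`/`.` equivalent) so spelling variants compare equal. `audit_installed` queries the live interpreter through `importlib.metadata`; the requirements and log lines used to exercise it are constructed.

```python
# Added example (not from the original advisory): audit an environment for
# packages that were never declared. Two inputs are compared against an
# allowlist built from the project's own requirements: the packages actually
# installed (via importlib.metadata) and the "Successfully installed ..." lines
# that pip prints, which is what a CI/CD build log contains.
import re
from importlib import metadata

# The malicious package named in the advisory; always reported if present.
KNOWN_BAD = {"torchfusion"}

# pip's summary line, e.g. "Successfully installed numpy-1.26.4 torchfusion-0.1.0".
_SUCCESS_RE = re.compile(r"^Successfully installed (.+)$")
# A requirement line starts with the project name; the rest is version/markers.
_REQ_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalisation so 'Torch_Fusion' and 'torch-fusion' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def allowlist_from_requirements(lines):
    """Set of normalised names declared in requirements.txt-style lines."""
    names = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("-"):   # skip blanks and pip options (-r, -e, ...)
            continue
        m = _REQ_NAME_RE.match(line)
        if m:
            names.add(normalize(m.group(1)))
    return names


def packages_from_pip_log(lines):
    """(name, version) pairs from pip's 'Successfully installed' lines."""
    found = []
    for line in lines:
        m = _SUCCESS_RE.match(line.strip())
        if not m:
            continue
        for token in m.group(1).split():
            # pip prints "<name>-<version>"; the version never contains '-',
            # so the last '-' separates them even for names like scikit-learn.
            name, _, version = token.rpartition("-")
            found.append((normalize(name), version))
    return found


def undeclared(installed_names, allowlist):
    """Installed names not in the allowlist; known-bad names are always reported."""
    return sorted(n for n in installed_names if n in KNOWN_BAD or n not in allowlist)


def audit_installed(allowlist):
    """Check the live environment with a real importlib.metadata query."""
    names = set()
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name:
            names.add(normalize(name))
    return undeclared(names, allowlist)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "requirements.txt") as fh:
        allow = allowlist_from_requirements(fh)
    print("undeclared packages:", audit_installed(allow) or "none")
```

Build the allowlist from the fully resolved lock file (`pip freeze` output or a `pip-compile` result), not from a hand-written top-level `requirements.txt`; otherwise every transitive dependency shows up as undeclared and the real finding is buried in noise.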
Mitigation Steps
1. **Verify Package Names**: Double-check package names for typos and lookalikes before installation, and confirm the exact name on the official PyPI project page. `torchfusion` was chosen to resemble the PyTorch ecosystem; a familiar-looking name is no evidence of provenance, so check the project's maintainers and upstream repository as well.
2. **Use Dependency Scanning**: Integrate tools such as `pip-audit`, Snyk, or Dependabot into your development and CI/CD workflows to catch packages with published advisories, including packages later reported as malicious.
3. **Lock Dependencies**: Use a lock file (`requirements.txt` with `--hash=sha256:...` entries installed via `pip install --require-hashes -r requirements.txt`, or `poetry.lock`) so that every artifact is verified against a pinned hash and cannot be silently replaced. Hash pinning protects the artifact, not the choice of name: a pinned lookalike is still a lookalike, so it complements name verification rather than replacing it.
4. **Isolated Environments**: Perform experimental package installations in isolated, network-restricted virtual environments or containers (for example `docker run --network none`) that hold no real credentials, so a malicious install hook has nothing to steal and nowhere to send it.
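Steps 1 and 3 above can both be checked mechanically before `pip install` runs. The block below is an added example written for this page, not code from the advisory, from pip or from any project it mentions. It shows what pip's `--require-hashes` mode actually enforces (a digest of the downloaded artifact compared against the `--hash=` values pinned in the requirements line, with an unpinned line treated as a failure) and adds a lookalike-name check that pip does not perform: a requirement name that is a prefix-extension of, or a close edit of, a trusted name is flagged. `TRUSTED` is a hypothetical project allowlist, `pin_line` generates a pinned line the way `pip hash` would, and the artifact bytes used to exercise it are constructed.

```python
# Added example (not from the original advisory): two pre-install checks for a
# CI job. (1) verify that a downloaded artifact matches one of the --hash values
# pinned in requirements.txt, which is the check pip's --require-hashes mode
# performs; (2) flag requirement names that closely resemble a trusted package
# name but are not it, the lookalike pattern torchfusion used.
import difflib
import hashlib
import re

# Hypothetical allowlist of packages the project really depends on; anything
# that merely looks like one of these is suspicious.
TRUSTED = ("torch", "torchvision", "transformers", "numpy")

# requirements.txt syntax: `name==version --hash=sha256:<hex> [--hash=...]`
_HASH_RE = re.compile(r"--hash=([a-z0-9_]+):([0-9a-f]+)")


def pin_line(requirement, artifact_bytes, algo="sha256"):
    """Build a hash-pinned requirement line for an artifact (what `pip hash` prints)."""
    digest = hashlib.new(algo, artifact_bytes).hexdigest()
    return f"{requirement} --hash={algo}:{digest}"


def pinned_hashes(requirement_line):
    """{algorithm: {hexdigest, ...}} parsed from a hash-pinned requirement line."""
    pins = {}
    for algo, digest in _HASH_RE.findall(requirement_line):
        pins.setdefault(algo, set()).add(digest)
    return pins


def artifact_matches(requirement_line, artifact_bytes):
    """True only if the artifact's digest equals a pinned digest for some algorithm."""
    pins = pinned_hashes(requirement_line)
    if not pins:
        return False  # an unpinned line gives no guarantee; fail closed
    for algo, digests in pins.items():
        if algo not in hashlib.algorithms_available:
            continue  # unknown algorithm cannot satisfy the pin
        if hashlib.new(algo, artifact_bytes).hexdigest() in digests:
            return True
    return False


def normalize(name):
    """PEP 503 normalisation: case-insensitive, '-', '_' and '.' equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lookalike_of(name, trusted=TRUSTED, threshold=0.8):
    """Return the trusted name that `name` imitates, or None.

    Exact matches are not lookalikes. A name that extends a trusted name
    ('torchfusion' vs 'torch') or is a close edit of one ('nunpy' vs 'numpy')
    is reported; the similarity threshold is a tunable heuristic.
    """
    n = normalize(name)
    trusted_n = [normalize(t) for t in trusted]
    if n in trusted_n:
        return None
    best, best_score = None, 0.0
    for t in trusted_n:
        if len(n) >= 4 and (n.startswith(t) or t.startswith(n)):
            return t
        score = difflib.SequenceMatcher(None, n, t).ratio()
        if score > best_score:
            best, best_score = t, score
    return best if best_score >= threshold else None


if __name__ == "__main__":
    sample = b"constructed wheel contents, not a real package"
    line = pin_line("torch==2.2.0", sample)
    print(line)
    print("pinned artifact ok:", artifact_matches(line, sample))
    print("tampered artifact ok:", artifact_matches(line, sample + b"!"))
    for candidate in ("torchfusion", "torch-fusion", "torchvision", "requests"):
        print(f"{candidate}: lookalike of {lookalike_of(candidate)}")
```

In practice pip performs the digest check itself once every line in the file carries a `--hash`; the value of `lookalike_of` is that it runs over the requirements file in review, before anything is downloaded, and catches the name-confusion case that hashes cannot.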
Patch Details
The malicious package `torchfusion` was removed from the PyPI registry by the PyPI security team. Removal from the index does not clean up hosts where it was already installed: uninstall it with `pip uninstall torchfusion`, clear any cached copy with `pip cache remove torchfusion`, and rotate every credential in the locations the payload targeted on those hosts, since the exfiltration happened at install time.