Malicious PyPI Package 'torchtriton' Exfiltrates Sensitive Data from AI Developer Environments
Overview
A malicious package named `torchtriton` was discovered on the Python Package Index (PyPI), targeting AI/ML developers through typosquatting. The package mimics the legitimate `nvidia-triton` library, so a developer who types `pip install torchtriton` gets the malicious package instead. Because pip executes a source distribution's `setup.py` while building the package, the payload runs at install time, with the installing user's privileges, before the package is ever imported. The payload harvests sensitive material from the developer's machine: environment variables (which often contain secrets such as `AWS_SECRET_ACCESS_KEY` and `OPENAI_API_KEY`), the Kubernetes configuration file (`~/.kube/config`), SSH keys (`~/.ssh/`), and shell history files. The harvested data is base64 encoded and exfiltrated to an attacker-controlled server inside DNS queries; outbound DNS is almost always permitted, so the traffic passes egress firewalls that would block a direct HTTP connection, and it leaves little trace unless DNS queries are logged. The supply chain risk is significant: a single compromised developer machine can expose proprietary models and training data and hand the attacker credentials for cloud and MLOps infrastructure. The incident highlights the growing threat of targeted supply chain attacks against the rapidly expanding AI developer ecosystem.
Affected Systems
Any machine on which `pip install torchtriton` was run: developer workstations, notebook servers and CI runners. Importing the package is not required, because the payload executes during installation.
Testing Guide
1. Check whether the package is installed in every Python environment you use (system interpreter, virtualenvs, conda environments, CI images): `pip list | grep torchtriton` or `pip show torchtriton`. Also search `requirements.txt` and lock files for the name.
2. Review your shell history and CI logs for installation commands such as `pip install torchtriton`, bearing in mind that the history files are themselves among the data the payload collects.
3. If the package was installed, assume compromise. Immediately revoke every credential that was present in the environment variables, Kubernetes config and SSH directory of the account that ran the install, and rotate API keys and secrets. A key that was readable at install time should be treated as stolen even if no abuse has been observed.
4. Check DNS logs from the time of the install for the exfiltration traffic: many queries in quick succession to a single unfamiliar domain, with long, encoded-looking (base64-style) subdomain labels that differ on every query. A normal `pip install` resolves only the index and file hosts (`pypi.org`, `files.pythonhosted.org`) plus any private mirror you configure.
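Steps 1 and 4 as a runnable triage script. This is an added example written for this page, not tooling from the advisory or from PyPI. It assumes a BIND-style query log (one `query: <name> IN <type>` entry per line), uses illustrative thresholds that should be tuned against your own resolver's normal traffic, and runs against a constructed log sample embedded in the file; the `.invalid` domain in that sample is a reserved placeholder.

```python
"""Added triage helper for the Testing Guide (not tooling from the advisory or PyPI).
1. checks the current interpreter's installed distributions for the advisory's package;
2. scans DNS query-log lines for encoded-looking subdomains, the channel described above.
Assumptions: BIND-style lines containing "query: <name> IN <type>", and the illustrative
thresholds below, which should be tuned against your resolver's normal traffic."""
import math
import re
from collections import Counter, defaultdict
from importlib import metadata

SUSPECT_PACKAGES = {"torchtriton"}
# Illustrative thresholds (assumptions). Encoded data produces labels close to the
# 63-char DNS limit, long high-entropy subdomains, and many distinct names under
# one registrable domain as the payload is split across queries.
MAX_LABEL_LEN = 30
MIN_ENCODED_LEN = 40
MIN_ENTROPY = 4.0
QUERY_RE = re.compile(r"query: (?P<name>[A-Za-z0-9._-]+) IN (?P<qtype>[A-Z]+)")


def find_suspect_packages(names=SUSPECT_PACKAGES):
    """Return (name, version) for every installed distribution whose name is in `names`."""
    wanted = {n.lower() for n in names}
    found = []
    for dist in metadata.distributions():
        name = dist.metadata.get("Name") or ""
        if name.lower() in wanted:
            found.append((name, dist.version))
    return found


def shannon_entropy(s):
    """Bits per character of the string's empirical symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registrable_domain(name):
    """Naive owner domain (last two labels); real code should use the public-suffix list."""
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def score_name(name):
    """Reasons (possibly none) why a single query name looks like carried data."""
    sub = name.split(".")[:-2]  # labels to the left of the registrable domain
    if not sub:
        return []
    reasons = []
    longest = max(len(label) for label in sub)
    if longest >= MAX_LABEL_LEN:
        reasons.append(f"label of {longest} chars")
    joined = "".join(sub)
    entropy = shannon_entropy(joined)
    if len(joined) >= MIN_ENCODED_LEN and entropy >= MIN_ENTROPY:
        reasons.append(f"{len(joined)} subdomain chars at {entropy:.2f} bits/char")
    return reasons


def find_exfil_candidates(log_lines, min_unique_names=3):
    """Group flagged queries by registrable domain; `chunked` marks domains that
    received at least `min_unique_names` distinct names, the split-payload pattern."""
    seen, hits = defaultdict(set), defaultdict(list)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name, qtype = m.group("name").rstrip(".").lower(), m.group("qtype")
        domain = registrable_domain(name)
        seen[domain].add(name)
        reasons = score_name(name)
        if reasons:
            hits[domain].append((name, qtype, reasons))
    return {
        domain: {"unique_names": len(seen[domain]), "flagged": len(flagged),
                 "chunked": len(seen[domain]) >= min_unique_names, "examples": flagged[:3]}
        for domain, flagged in hits.items()
    }


# Constructed sample log: three lookups a normal pip install makes, then three
# chunks of encoded data sent to a placeholder domain (.invalid never resolves).
SAMPLE_DNS_LOG = [
    "30-Dec-2022 16:40:01.123 client 10.0.0.5#53124: query: pypi.org IN A +",
    "30-Dec-2022 16:40:01.456 client 10.0.0.5#53125: query: files.pythonhosted.org IN A +",
    "30-Dec-2022 16:40:01.789 client 10.0.0.5#53126: query: cdn-ubuntu.archive.ubuntu.com IN A +",
    "30-Dec-2022 16:40:02.001 client 10.0.0.5#53127: query: "
    "kfkyp7yo7r2d3hzdcipbhptj6n7vsw4a5q2x.nbswy3dpeb3w64tmmq.example-attacker.invalid IN A +",
    "30-Dec-2022 16:40:02.015 client 10.0.0.5#53128: query: "
    "gezdgnbvgy3tqojqgezdgnbvgy3tqojq.mzxw6ytboi.example-attacker.invalid IN A +",
    "30-Dec-2022 16:40:02.031 client 10.0.0.5#53129: query: "
    "ojsxg5lsmnsw4iddn5xgm2lhovzgc5djn5xa.hfxw2zlt.example-attacker.invalid IN A +",
]

if __name__ == "__main__":
    print("suspect packages installed:", find_suspect_packages() or "none")
    for domain, info in find_exfil_candidates(SAMPLE_DNS_LOG).items():
        print(f"{domain}: {info['flagged']} flagged of {info['unique_names']} unique names, "
              f"chunked={info['chunked']}")
        for name, qtype, reasons in info["examples"]:
            print(f"  {qtype} {name}: {'; '.join(reasons)}")
```

Run it on the resolver log covering the window in which the install happened (step 2 gives you the timestamp). The per-name heuristics alone will produce false positives on CDN hostnames; the `chunked` flag, which needs several distinct names under one domain, is the stronger signal for this payload, and any domain it marks that is not your index, mirror or a CDN you recognise deserves a look at the client that sent the queries.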
Mitigation Steps
1. **Verify Package Names:** Double-check the spelling of a package name before installing it and confirm it on the project's PyPI page. Treat a name that merely combines two well-known names (`torch` + `triton`) with the same suspicion as a one-letter typo, and look at the project's release history and maintainers before trusting it.
2. **Use Pinned Dependencies:** Pin exact versions with `==` and record their hashes in `requirements.txt` or the lock file your tool generates (for example `pip-compile --generate-hashes` from pip-tools), then install with `pip install --require-hashes -r requirements.txt`; pip then refuses any artifact whose digest is not listed, including a different package that happens to carry the expected name. Where your dependencies ship wheels, add `--only-binary :all:` so that no source distribution is built and no `setup.py` runs at install time.
3. **Audit Dependencies:** Regularly scan project dependencies with `pip-audit`, which checks installed packages against published vulnerability data, or a commercial Software Composition Analysis (SCA) solution. These tools only flag a malicious package once it has been reported, so they complement rather than replace name verification and hash pinning.
4. **Restrict Permissions in CI/CD:** Run CI/CD pipelines with the minimum necessary permissions and secrets, and use short-lived credentials where possible. Install dependencies in a step that has no access to cloud credentials, so that code running at install time finds nothing worth stealing in the environment.
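Steps 1 to 3 as a pre-install gate over a requirements file, added here as an example; it is not code from pip, pip-audit or any SCA vendor. The `KNOWN_GOOD` allowlist, the sample requirements text and its all-zero digests are constructed for illustration, and the substring heuristic that flags `torchtriton` for embedding `torch` and `triton` is this example's own, not a check the advisory describes.

```python
"""Added pre-install gate for the Mitigation Steps (not code from pip, pip-audit or any
SCA product). It parses a requirements.txt subset (names, == pins, continuation lines,
--hash options) and reports (a) names that are a few edits from, or embed, an allowlisted
name and (b) requirements without an exact pin or a sha256 hash, which
`pip install --require-hashes` would refuse. KNOWN_GOOD and the sample file are constructed."""
import re
from dataclasses import dataclass, field

KNOWN_GOOD = ["numpy", "requests", "torch", "triton", "tritonclient"]  # assumed allowlist
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"      # project name
    r"(?:\[[^\]]*\])?"                             # optional extras, ignored
    r"(?P<spec>(?:===|==|~=|!=|<=|>=|<|>).*)?$"    # optional version specifier
)


@dataclass
class Requirement:
    name: str
    specifier: str
    hashes: list = field(default_factory=list)


def normalize(name):
    """PEP 503 normalisation: lower-case, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Parse a requirements.txt subset into Requirement objects."""
    reqs, pending = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if line.endswith("\\"):                       # continuation line
            pending.append(line[:-1])
            continue
        logical, pending = " ".join(pending + [line]).strip(), []
        if not logical or logical.startswith("-"):    # blank or pip option line
            continue
        tokens = logical.split()
        hashes = [t[len("--hash="):] for t in tokens if t.startswith("--hash=")]
        req = "".join(t for t in tokens if not t.startswith("--hash="))
        m = REQ_RE.match(req.split(";", 1)[0])        # drop environment markers
        if m:
            reqs.append(Requirement(m.group("name"), m.group("spec") or "", hashes))
    return reqs


def levenshtein(a, b):
    """Edit distance; one or two edits between names is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_names(reqs, known_good=KNOWN_GOOD, max_distance=2, min_fragment=4):
    """Flag names off the allowlist that sit within `max_distance` edits of an allowed
    name, or that embed an allowed name of at least `min_fragment` chars (torch + triton)."""
    good = {normalize(n) for n in known_good}
    findings = []
    for r in reqs:
        n = normalize(r.name)
        if n in good:
            continue
        nearest = min(good, key=lambda g: levenshtein(n, g))
        d = levenshtein(n, nearest)
        if d <= max_distance:
            findings.append((r.name, f"{d} edit(s) away from allowed '{nearest}'"))
            continue
        embedded = sorted(g for g in good if len(g) >= min_fragment and g in n)
        if embedded:
            findings.append((r.name, "embeds allowed name(s): " + ", ".join(embedded)))
    return findings


def check_pins(reqs):
    """Flag requirements that are not exactly pinned or lack a well-formed sha256 hash."""
    problems = []
    for r in reqs:
        if not r.specifier.startswith("=="):
            problems.append((r.name, "not pinned with =="))
        if not r.hashes:
            problems.append((r.name, "no --hash (rejected by --require-hashes)"))
        for h in r.hashes:
            if not re.fullmatch(r"sha256:[0-9a-f]{64}", h):
                problems.append((r.name, f"malformed hash {h[:16]}..."))
    return problems


_ZEROS = "0" * 63  # placeholder digests for the constructed sample, not real sha256 values
SAMPLE_REQUIREMENTS = f"""\
numpy==1.26.4 \\
    --hash=sha256:{_ZEROS}1 \\
    --hash=sha256:{_ZEROS}2
requests>=2.31          # floating range, no hash
torchtriton==2.0.0      # pinned, but not on the allowlist
reqeusts==2.31.0 --hash=sha256:{_ZEROS}3
"""

if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    for name, why in check_names(reqs) + check_pins(reqs):
        print(f"{name}: {why}")
```

Run it in CI immediately before `pip install --require-hashes -r requirements.txt` and fail the job on any finding. The name checks are advisory rather than conclusive: `torchvision` also embeds `torch`, so a legitimate package that trips the heuristic goes on the allowlist once someone has reviewed it, and the allowlist itself should live in version control next to the requirements file.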
Patch Details
The malicious package was removed from PyPI by the security team after it was reported. Removal stops new installations but does nothing for machines that already ran the install; those still need to go through the Testing Guide above, including credential rotation.