Malicious PyPI Package 'torchtriton' Exfiltrates Sensitive Data from AI Development Environments
Overview
A supply chain attack targeted AI/ML developers through a malicious package named 'torchtriton' uploaded to the Python Package Index (PyPI). The package typosquatted the legitimate NVIDIA library 'pytorch-triton'. Developers who installed it with `pip install torchtriton` executed its malicious `setup.py` during installation: because `setup.py` runs arbitrary code at install time, the compromise occurred without the package ever being imported. The script was heavily obfuscated and fingerprinted the victim's machine, then searched for sensitive files such as SSH keys, shell history, and configuration files (e.g., `~/.aws/credentials`, `~/.kube/config`). Any files found were exfiltrated to a remote command-and-control (C2) server controlled by the attackers. The incident highlights the supply chain risk in the rapidly evolving AI ecosystem, where developers routinely install large numbers of open-source packages. The impact is critical: compromised developer credentials, cloud infrastructure access keys, and proprietary source code give attackers a foothold for further espionage or ransomware deployment. The package was discovered by the security team at JFrog and promptly removed from PyPI.
Affected Systems
Testing Guide
1. **Check Installed Packages**: Run `pip freeze > installed_packages.txt` in your project's virtual environment.
2. **Search for Malicious Package**: Search the `installed_packages.txt` file for the exact name `torchtriton`.
3. **Review Logs**: If the package is found, immediately revoke all credentials on the affected machine and review network logs for suspicious outbound connections to unknown IP addresses.
Mitigation Steps
1. **Audit Dependencies**: Use tools like `pip-audit` or commercial equivalents to scan your project's dependencies for known vulnerabilities and malicious packages.
2. **Pin Dependencies**: Use a lock file (e.g., `requirements.txt` with hashed versions, `poetry.lock`) to ensure that you are installing specific, vetted versions of packages.
3. **Verify Package Names**: Double-check the spelling of package names before installation to avoid typosquatting.
4. **Use a Private Registry**: For enterprise environments, consider using a private package registry (e.g., Artifactory, Nexus) that vets and mirrors packages from public sources.
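The following script, added here as an example and not part of the advisory or of any vendor tool, automates the Testing Guide check above (listing installed distributions and matching them against the reported name) and the "Pin Dependencies" mitigation (flagging requirements that are unpinned or pinned without a `--hash=`). The denylist, the sample requirements text, and the helper names are constructed for illustration.

```python
import re
from importlib import metadata

# Constructed denylist: only the name this advisory reports. Extend it from your own intel.
MALICIOUS_DISTRIBUTIONS = {"torchtriton"}

def normalize(name):
    """PEP 503 name normalisation: 'TorchTriton' and 'torchtriton' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_malicious(names, denylist=MALICIOUS_DISTRIBUTIONS):
    """Return the entries of `names` (e.g. names from `pip freeze`) that match the denylist."""
    bad = {normalize(n) for n in denylist}
    return sorted(n for n in names if normalize(n) in bad)

def installed_names():
    """Names of every distribution visible to this interpreter, like `pip freeze`."""
    return [d.metadata["Name"] for d in metadata.distributions()]

# name, optional '==version' pin, then the rest of the line (hash options live there)
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*[^\s\\;]+)?(.*)$")

def audit_requirements(text, denylist=MALICIOUS_DISTRIBUTIONS):
    """Classify each requirement as malicious, unpinned, unhashed or ok.
    Backslash continuations are joined first so '--hash=' lines count toward their requirement."""
    report = {"malicious": [], "unpinned": [], "unhashed": [], "ok": []}
    joined = re.sub(r"\\\r?\n", " ", text)
    bad = {normalize(n) for n in denylist}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or a pip option like --index-url
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, pin, rest = m.group(1), m.group(2), m.group(3)
        if normalize(name) in bad:
            report["malicious"].append(name)
        elif not pin:
            report["unpinned"].append(name)
        elif "--hash=" not in rest:
            report["unhashed"].append(name)
        else:
            report["ok"].append(name)
    return report

if __name__ == "__main__":
    # Constructed sample requirements file: one hashed pin, the reported name, one range, one bare pin.
    SAMPLE = "torch==2.1.0 \\\n    --hash=sha256:aaaa\ntorchtriton\nnumpy>=1.20\nrequests==2.31.0\n"
    print("installed:", find_malicious(installed_names()), "requirements:", audit_requirements(SAMPLE))
```

A hit in `malicious` means step 3 of the Testing Guide applies: treat the host's credentials as exposed and revoke them.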
Patch Details
The malicious package 'torchtriton' and all of its published versions were removed from the PyPI registry by the PyPA security team.