Malicious PyPI Package 'torchtriton' Exfiltrates Sensitive Data from AI/ML Developer Machines
Overview
A supply chain attack targeted the AI/ML community through a malicious package uploaded to the Python Package Index (PyPI). The package, named 'torchtriton', was a typosquat of the legitimate 'nvidia-triton' package, designed to trick developers into installing it. Because `pip install` runs a source distribution's `setup.py` with the installing user's privileges, the malicious script executed at install time, before any of the package's code was ever imported. It performed reconnaissance on the host, searching for and exfiltrating sensitive data, including environment variables, Kubernetes configuration files (`~/.kube/config`), SSH private keys, and shell history, and uploaded the stolen data to a remote command-and-control server via an obfuscated network request. The incident underscores how exposed the AI development ecosystem is to supply chain attacks: developers routinely install large numbers of open-source packages to build models, and a single malicious dependency can hand an attacker the credentials to an organization's cloud infrastructure and source code.
Affected Systems
Testing Guide
1. Check every Python environment on the host (system interpreter, each virtualenv, each conda env) for the package: `pip freeze | grep -i torchtriton` or `pip show torchtriton`. CI runners and build containers that resolved the dependency are in scope too.
2. If the package is found, treat the machine and every credential reachable from it as compromised. Preserve the installed copy and the pip cache before removing anything; `setup.py` runs at install time, so the exfiltration has already happened by the time the package shows up in `pip freeze`.
3. Search system, proxy, and build logs for outbound connections to unfamiliar domains in the minutes after the package was installed. The timestamp of the package's `.dist-info` directory in `site-packages` gives the install time.
4. Review the files the script targeted (`~/.bash_history`, `~/.zsh_history`, `~/.ssh/`, `~/.kube/config`) for access times matching the install time. Most Linux filesystems are mounted with `relatime`, so an access time is only a weak indicator; an unexpected modification time is the stronger signal.
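The triage steps above, as an added example script (not code from the advisory, and not a PyTorch or NVIDIA tool). It assumes a POSIX host and Python 3.8+. The suspect name list, the sensitive path list, and the 7-day default window are assumptions for illustration; the script only inspects the interpreter it runs under, so run it once per environment.

```python
"""Host triage for the torchtriton incident (added example, not from the advisory)."""
import importlib.metadata
import time
from pathlib import Path
from typing import Iterable, List, Tuple

# Assumed: distribution names to hunt for in the running interpreter.
SUSPECT_DISTRIBUTIONS = {"torchtriton"}

# Files the advisory says the setup.py read; "~" is expanded at call time.
SENSITIVE_PATHS = ["~/.bash_history", "~/.zsh_history", "~/.ssh", "~/.kube/config"]


def _normalise(name: str) -> str:
    """PyPI names compare case-insensitively with -, _ and . treated alike."""
    return name.lower().replace("_", "-").replace(".", "-")


def find_suspect_distributions(
    suspects: Iterable[str] = SUSPECT_DISTRIBUTIONS,
) -> List[Tuple[str, str, str]]:
    """Return (name, version, location) for each installed distribution whose
    normalised name is in `suspects`. Covers only this interpreter's
    site-packages, which is why it must be run per virtualenv / conda env."""
    wanted = {_normalise(s) for s in suspects}
    hits = []
    for dist in importlib.metadata.distributions():
        name = _normalise(dist.metadata["Name"] or "")
        if name in wanted:
            hits.append((name, dist.version, str(dist.locate_file(""))))
    return hits


def files_touched_since(
    paths: Iterable[str], since_epoch: float
) -> List[Tuple[str, float, float]]:
    """Walk each path (file or directory) and return (path, atime, mtime) for
    files whose access or modification time is at or after `since_epoch`.
    Use the package's install time as the cutoff. Caveat: with relatime
    mounts atime lags reads, so treat an atime hit as weak and an mtime hit
    on ~/.ssh or ~/.kube/config as strong."""
    touched = []
    for raw in paths:
        p = Path(raw).expanduser()
        if not p.exists():
            continue
        files = [p] if p.is_file() else [c for c in p.rglob("*") if c.is_file()]
        for f in files:
            st = f.stat()
            if st.st_atime >= since_epoch or st.st_mtime >= since_epoch:
                touched.append((str(f), st.st_atime, st.st_mtime))
    return touched


if __name__ == "__main__":
    hits = find_suspect_distributions()
    if not hits:
        print("torchtriton is not installed in this environment")
    for name, version, location in hits:
        print(f"COMPROMISED: {name}=={version} at {location}")
    # Assumed window when the real install time is unknown: the last 7 days.
    cutoff = time.time() - 7 * 86400
    for path, atime, mtime in files_touched_since(SENSITIVE_PATHS, cutoff):
        print(f"{path}: atime={time.ctime(atime)} mtime={time.ctime(mtime)}")
```

Run it with the interpreter of each environment (`/path/to/venv/bin/python triage.py`); a hit from `find_suspect_distributions` is the "consider the machine compromised" condition from step 2, and the file list narrows which credentials to rotate first.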
Mitigation Steps
1. **Remove the Package:** Run `pip uninstall torchtriton` in every affected environment on every affected system. Uninstalling stops the package from being reused; it does not undo the exfiltration that already occurred at install time.
2. **Audit Dependencies:** Review every `requirements.txt`, `pyproject.toml`, and lock file for typosquatted or unexpected names. Tools such as `pip-audit` match installed packages against published vulnerability advisories, so they only catch a malicious package once it has been reported; pair them with an allowlist of package names the project has actually reviewed.
3. **Rotate Credentials:** Rotate every credential that was present on an affected machine: SSH keys, cloud API keys (AWS, GCP, etc.), the tokens and client certificates embedded in `~/.kube/config`, and any secret that appeared in shell history or environment variables. Revoke the old credentials on the remote side as well; issuing a new key does nothing if the stolen one stays authorised.
4. **Use Pinned Hashes:** Pin exact versions and enable pip's hash-checking mode (`pip install -r requirements.txt --require-hashes`). In this mode pip rejects any distribution whose hash is not listed, including transitive dependencies, so the file must enumerate every package with a `--hash=sha256:` entry; `pip-compile --generate-hashes` from pip-tools produces such a file.
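Steps 2 and 4 above as one pre-install check, added here as an example (not code from the advisory, pip, or pip-tools). It parses a requirements file, flags lines that are not pinned with `==` or lack a `--hash=sha256:` entry, and flags names outside a per-project allowlist, which is how a 'torchtriton' sitting next to 'nvidia-triton' gets caught. The `APPROVED` set and the sample requirements text are constructed for illustration.

```python
"""Requirements audit: pins, hashes, allowlist (added example, not from the advisory)."""
import re
import sys
from dataclasses import dataclass, field
from typing import Iterable, List

# Assumed allowlist: package names this project has reviewed and approved.
APPROVED = {"torch", "numpy", "nvidia-triton"}

# name, optional [extras], optional operator, version; stops at ';' markers.
_REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|<|>)?\s*([^\s;\\]*)"
)


@dataclass
class Finding:
    line_no: int          # first physical line of the requirement
    name: str             # normalised package name
    problems: List[str] = field(default_factory=list)


def normalise(name: str) -> str:
    """PEP 503 name normalisation: case-fold, collapse runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _logical_lines(text: str):
    """Yield (first_line_no, joined_line), folding '\\' continuations the way
    pip does, so a pip-compile style 'pkg==1.0 \\\\n    --hash=...' is one unit."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        stripped = raw.rstrip()
        if start is None:
            start = n
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield start, buf + stripped
        buf, start = "", None
    if buf:
        yield start, buf


def audit_requirements(text: str, approved: Iterable[str] = APPROVED) -> List[Finding]:
    """Return one Finding per requirement that is unpinned, unhashed, or not
    on the allowlist. Option lines (-r, --index-url) and comments are skipped."""
    allowed = {normalise(a) for a in approved}
    findings = []
    for line_no, line in _logical_lines(text):
        spec = line.split("#", 1)[0].strip()
        if not spec or spec.startswith("-"):
            continue
        m = _REQ_LINE.match(spec)
        if not m:
            continue
        name, op = normalise(m.group(1)), m.group(3)
        problems = []
        if op != "==":
            problems.append("not pinned with ==")
        if "--hash=sha256:" not in spec:
            problems.append("no sha256 hash")
        if name not in allowed:
            problems.append("not in allowlist")
        if problems:
            findings.append(Finding(line_no, name, problems))
    return findings


# Constructed sample: one clean hashed pin, one loose pin, one typosquat.
SAMPLE = (
    "--index-url https://pypi.org/simple\n"
    "torch==2.0.1 \\\n"
    "    --hash=sha256:0123456789abcdef\n"
    "numpy>=1.24\n"
    "torchtriton==2.0.0 --hash=sha256:abcdef0123456789\n"
    "nvidia-triton==2.30.0 --hash=sha256:fedcba9876543210\n"
)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    findings = audit_requirements(text)
    for f in findings:
        print(f"line {f.line_no}: {f.name}: {', '.join(f.problems)}")
    sys.exit(1 if findings else 0)
```

Wire it in as a pre-commit hook or a CI step before `pip install --require-hashes`; the hash check is what pip enforces at install time, while the allowlist check is the part pip cannot do for you.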
Patch Details
The malicious package was removed from the PyPI repository by the PyPI security team. Removal from the index does not touch copies already installed, cached, or mirrored, so users must manually uninstall the package from every environment and perform credential rotation.