Malicious PyPI Package 'torchtriton' Exfiltrates Sensitive Developer Data
Overview
A sophisticated supply chain attack targeted AI/ML developers through a malicious package uploaded to the Python Package Index (PyPI). The package, named 'torchtriton', typosquatted the legitimate 'triton' package, a popular library from OpenAI for writing custom GPU kernels, which is often used with PyTorch. Developers attempting to install 'triton' could easily mistype the name and install the malicious version instead. Upon installation, the package's `setup.py` script executed a malicious payload. This payload was designed to gather a wide range of sensitive information from the developer's machine, including environment variables, Kubernetes configuration files, SSH keys, shell command history, and user profile data such as `/etc/passwd` and `/etc/hosts`. The exfiltrated data was then encoded and sent to a command-and-control (C2) server controlled by the attackers. This incident represents a significant threat to organizations developing AI, as the compromised credentials and configurations could be used to gain unauthorized access to cloud infrastructure, source code repositories, and sensitive training data. The discovery was made by automated security scanners monitoring PyPI, which flagged the package for suspicious behavior shortly after its publication. The package was promptly removed from PyPI, but any developer who had installed it during its availability was considered compromised.
Affected Systems
Testing Guide
1. **Check Installed Packages:** Run `pip list | grep torchtriton` in your development environment to see if the malicious package is installed.
2. **Review Shell History:** Check your shell history (`history | grep 'pip install'`) for commands that may have installed the package.
3. **Scan Network Logs:** Analyze network traffic logs from developer machines for connections to suspicious domains or IPs, especially around the time of package installations.
Mitigation Steps
1. **Audit Dependencies:** Regularly audit your project's `requirements.txt` and `pyproject.toml` files for typos or suspicious package names.
2. **Use Lockfiles:** Use `pip-tools` or `poetry` to generate and enforce lockfiles (`requirements.txt`, `poetry.lock`) to prevent an unexpected package from being installed.
3. **Vet Packages:** Before installing a new package, verify its authenticity on PyPI by checking its author, download statistics, and release history.
4. **Restrict Permissions:** Run development and CI/CD environments with the least privilege necessary to limit the potential impact of a compromised dependency.
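An added example (not part of this advisory) of the dependency audit in step 1: it parses a `requirements.txt`-style file, flags the package name this advisory identifies as malicious, and flags names that are one typo away from, or embed, a trusted name. The `TRUSTED` set and the `SAMPLE` file are constructed for the example; a real project would substitute its own vetted dependency names.

```python
import re

DENYLIST = {"torchtriton"}  # names this advisory identifies as malicious
TRUSTED = {"triton", "torch", "numpy"}  # assumed: what the project really depends on

def normalize(name):
    # PEP 503 normalization: 'Torch_Triton' and 'torch-triton' compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    # Levenshtein distance, used to catch one-character typos of a trusted name
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_names(text):
    # Yield normalized names from requirements.txt text, skipping pip options (-r, --index-url)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("-"):
            m = re.match(r"^[A-Za-z0-9][A-Za-z0-9._-]*", line)
            if m:
                yield normalize(m.group(0))

def audit(text, denylist=DENYLIST, trusted=TRUSTED):
    # Return {name: reason} for every requirement that deserves a human look
    bad = {normalize(d) for d in denylist}
    good = {normalize(t) for t in trusted}
    findings = {}
    for name in parse_names(text):
        if name in bad:
            findings[name] = "known malicious package"
        elif name not in good:
            for t in good:
                if edit_distance(name, t) <= 1:
                    findings[name] = f"one edit away from trusted '{t}'"
                    break
                if t in name:  # combosquat: a trusted name embedded in a longer one
                    findings[name] = f"embeds trusted name '{t}'"
                    break
    return findings

# Constructed sample requirements file, not taken from any real project
SAMPLE = """-r base.txt
torch==2.1.0
torchtriton==2.0.0   # the package named in this advisory
tritton>=2.0         # one-character typo of 'triton'
numpy>=1.24
"""
```

Running `audit(SAMPLE)` reports `torchtriton` as known malicious and `tritton` as one edit away from `triton`; the same function can be pointed at `pip freeze` output to cover step 1 of the Testing Guide.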
Patch Details
The malicious package was removed from the PyPI repository. No patch is available; systems must be cleaned manually.