Malicious PyPI Package 'torchtriton' Steals Developer Credentials and SSH Keys
Overview
A supply chain attack targeted AI/ML developers through a malicious package named `torchtriton` published on the Python Package Index (PyPI). The package typosquatted the legitimate `triton` library, the GPU kernel compiler that PyTorch depends on for writing efficient GPU code. Developers who believed they were installing a required component for their ML projects pulled it in with `pip install torchtriton`.

The package's `setup.py` contained an obfuscated payload that ran during installation. Because pip executes `setup.py` whenever it builds a source distribution, the payload ran with the installing user's privileges as soon as the install completed; the package never had to be imported. The payload scanned the host filesystem for sensitive material: SSH keys (`~/.ssh/`), cloud credentials (`~/.aws/credentials`, `~/.gcp/`, `~/.azure/`), shell history (`.bash_history`, `.zsh_history`) and Kubernetes configuration files. It then encoded the data and exfiltrated it in multiple HTTP POST requests to an attacker-controlled server.

The impact is severe: a developer machine that installed the package should be treated as fully compromised, and every credential on it gives the attacker access to cloud infrastructure, private code repositories and, through the stolen SSH keys, other hosts on the corporate network. The incident highlights the supply chain risk carried by the AI ecosystem, which relies on a vast web of open-source dependencies.
Affected Systems
Testing Guide
1. Check every Python environment the developer uses (global site-packages, virtualenvs, conda environments, container images) and the project's dependency and lock files (`requirements*.txt`, `poetry.lock`, `pyproject.toml`) for the package `torchtriton`. The package name is case-insensitive on PyPI, so match it that way:

```bash
pip list --format=freeze | grep -i '^torchtriton=='
```

2. If the package is found, treat the machine and every credential stored on it as compromised. Revoke and rotate all SSH keys, API keys and cloud credentials that were present, then review the cloud provider's audit logs for use of the old credentials from unfamiliar addresses, and check the `authorized_keys` files of hosts the stolen SSH keys could reach.

3. Review network logs (proxy, firewall, EDR) from the time of installation for outbound HTTP POST requests to unfamiliar domains. The payload exfiltrates during the install itself, so the window of interest starts at the `pip install` timestamp and is narrow.
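The checks above cover one environment at a time. The script below, an added example written for this advisory rather than tooling from PyPI or PyTorch, does the same hunt programmatically: it matches the package name the way PyPI does (PEP 503 normalisation), looks through requirements files and `poetry.lock` contents, and lists matching distributions visible to the running interpreter. The file contents embedded in it are constructed samples, not real project files.

```python
"""Hunt for a named package across dependency files and the local environment.

Added example for this advisory, not tooling from PyPI or PyTorch. The target
name defaults to the package in the advisory; the sample file contents below
are constructed for illustration.
"""
import re
from importlib import metadata
from pathlib import Path

TARGET = "torchtriton"


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of -, _ and . become one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


# A requirement line starts with the project name; extras, specifiers and markers follow.
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def find_in_requirements(text: str, target: str = TARGET) -> list[int]:
    """Return the 1-based line numbers whose requirement name matches target."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        # Skip blanks, pip options (-r, -e, --index-url) and --hash continuation lines.
        if not line or line.startswith("-"):
            continue
        m = _REQ_NAME.match(line)
        if m and normalize(m.group(1)) == normalize(target):
            hits.append(lineno)
    return hits


_LOCK_NAME = re.compile(r'^name\s*=\s*"([^"]+)"', re.MULTILINE)


def find_in_poetry_lock(text: str, target: str = TARGET) -> list[str]:
    """Return the names recorded in poetry.lock [[package]] tables that match target."""
    return [n for n in _LOCK_NAME.findall(text) if normalize(n) == normalize(target)]


def find_installed(target: str = TARGET) -> list[tuple[str, str, str]]:
    """Return (name, version, location) for matching distributions in this interpreter."""
    found = []
    for dist in metadata.distributions():
        name = dist.metadata["Name"] or ""
        if normalize(name) == normalize(target):
            found.append((name, dist.version, str(dist.locate_file(""))))
    return found


# Constructed samples (not real project files). Line 4 of the requirements sample
# is the hit: a different case of the same name, which PyPI treats as identical.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project file
torch==2.1.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
TorchTriton==2.0.0
triton==2.1.0
-r base.txt
"""

SAMPLE_POETRY_LOCK = """\
[[package]]
name = "torch"
version = "2.1.0"

[[package]]
name = "torchtriton"
version = "2.0.0"
"""

if __name__ == "__main__":
    print("requirements sample hits:", find_in_requirements(SAMPLE_REQUIREMENTS))
    print("poetry.lock sample hits:", find_in_poetry_lock(SAMPLE_POETRY_LOCK))
    print("installed in this interpreter:", find_installed())
    # Real run: walk the working tree for requirements files.
    for path in Path(".").rglob("requirements*.txt"):
        hits = find_in_requirements(path.read_text(errors="replace"))
        if hits:
            print(f"{path}: lines {hits}")
```

Run it once per interpreter (each virtualenv and conda environment has its own `site-packages`), because `find_installed` only sees the environment that runs it. Note that normalisation does not turn `torch_triton` or `torch-triton` into `torchtriton`; those are distinct names on PyPI, so a hunt for one spelling says nothing about the others.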
Mitigation Steps
1. **Pin Dependencies**: Use a dependency management tool (such as Poetry or pip-tools) to pin exact, known-good versions in a lock file (`poetry.lock`, or a `requirements.txt` generated with `pip-compile --generate-hashes`), and install with `pip install --require-hashes` so a substituted artifact fails the install. Pinning only protects against later substitution; the name being pinned still has to be reviewed when it is first added.

2. **Audit Dependencies**: Regularly scan dependencies with `pip-audit` or a commercial equivalent. These tools match against databases of reported packages and vulnerabilities, so a freshly uploaded malicious name is caught only after someone reports it; pair the scan with human review of every new dependency.

3. **Use a Private Proxy**: Route PyPI requests through a corporate proxy or mirror that caches and vets packages and blocks known malicious or typosquatted names. An allowlist of approved packages is stronger than a blocklist, because the attacker chooses the name.

4. **Isolated Build Environments**: Perform package installations and builds in ephemeral containers with outbound network access restricted to the package index, so an install-time payload has nowhere to send data. Where the project can live with wheels only, `pip install --only-binary=:all:` refuses source distributions, so `setup.py` never runs at all; a wheel can still carry code that runs at import time, so this narrows rather than removes the risk.
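The mitigations above decide what gets installed; none of them looks inside a source distribution before `setup.py` runs. The script below is an added example written for this advisory, not tooling from pip or PyTorch: it downloads nothing itself, but given an sdist fetched with `pip download --no-deps --no-binary :all:` it parses the top-level `setup.py` with Python's `ast` module and flags the patterns an install-time stealer needs (encoding and network modules, `exec`/`eval`, a subclassed setuptools `install` command, strings naming credential paths, long blob-like strings). The heuristics are mine and produce items to review by hand, not proof of malice; the two `setup.py` bodies embedded as samples are constructed and inert, and `"PLACEHOLDER"` is not a real payload.

```python
"""Static triage of a source distribution's setup.py before pip runs it.

Added example for this advisory; the heuristics are the author's own and give
signals to review by hand, not proof of malice. The sample setup.py bodies
below are constructed and inert.

Workflow:  pip download --no-deps --no-binary :all: <pkg>==<ver> -d ./sdists
           python vet_sdist.py ./sdists/<pkg>-<ver>.tar.gz
"""
import ast
import sys
import tarfile

# Modules a build script rarely needs but an install-time stealer usually does.
SUSPICIOUS_MODULES = {"base64", "zlib", "marshal", "ctypes", "socket", "subprocess",
                      "urllib", "urllib.request", "requests", "http.client"}
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__"}
# setuptools commands that attackers subclass to run code during install.
HOOKABLE_COMMANDS = {"install", "develop", "build_py", "egg_info"}
# Paths named in the advisory, plus common key file names.
SENSITIVE_MARKERS = (".ssh", ".aws", ".azure", ".gcp", ".kube", "_history",
                     "id_rsa", "id_ed25519")


def _base_name(node: ast.expr) -> str:
    """Name of a class base, whether written as `install` or `cmd.install`."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return ""


def scan_setup_source(src: str) -> list[str]:
    """Return human-readable findings for one setup.py body (empty list = nothing flagged)."""
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return [f"setup.py does not parse ({exc.msg} at line {exc.lineno})"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            findings += [f"imports {a.name}" for a in node.names if a.name in SUSPICIOUS_MODULES]
        elif isinstance(node, ast.ImportFrom) and node.module in SUSPICIOUS_MODULES:
            findings.append(f"imports from {node.module}")
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                if _base_name(base) in HOOKABLE_COMMANDS:
                    findings.append(f"class {node.name} overrides the {_base_name(base)} command")
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in SUSPICIOUS_CALLS):
            findings.append(f"calls {node.func.id}() at line {node.lineno}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
            if any(m in text for m in SENSITIVE_MARKERS):
                findings.append(f"string references a credential path: {text!r}")
            elif len(text) >= 200 and " " not in text:
                findings.append(f"blob-like string of {len(text)} chars (possible encoded payload)")
    return findings


def scan_sdist(path: str) -> list[str]:
    """Locate the top-level setup.py inside an sdist tarball and scan it."""
    with tarfile.open(path) as tar:
        for member in tar.getmembers():
            # sdists unpack to <name>-<ver>/setup.py; deeper copies are vendored code.
            if member.isfile() and member.name.count("/") == 1 and member.name.endswith("/setup.py"):
                src = tar.extractfile(member).read().decode("utf-8", errors="replace")
                return scan_setup_source(src)
    return ["no top-level setup.py (pyproject-only build; inspect the build backend instead)"]


# Constructed samples. The second shows the install-hook shape; it is inert.
BENIGN_SETUP = """\
from setuptools import setup
setup(name="example", version="1.0.0", packages=["example"])
"""

HOOKED_SETUP = """\
import base64
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("PLACEHOLDER"))   # inert: not a real payload

setup(name="example", version="1.0.0", cmdclass={"install": PostInstall})
"""

if __name__ == "__main__":
    for archive in sys.argv[1:]:
        for finding in scan_sdist(archive) or ["nothing flagged"]:
            print(f"{archive}: {finding}")
```

Treat a non-empty result as a reason to read the file, not as a verdict: legitimate packages subclass `install` for post-install steps, and a docstring mentioning `.ssh` will trip the marker check. The scan also only covers `setup.py` itself; a payload placed in a module that `setup.py` imports, or in package code that runs at import time, needs the same review applied to those files.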
Patch Details
The malicious package was removed from PyPI by the registry's security team on 2025-09-09. Removal from the index only prevents new installations; copies already installed, and credentials already exfiltrated, are unaffected, so any environment that installed the package still needs the steps in the Testing Guide.