Malicious PyPI Package 'torchtriton' Steals Sensitive Credentials from AI Developers
Overview
A malicious package named `torchtriton` was discovered on the Python Package Index (PyPI), targeting AI and machine learning developers who use the PyTorch ecosystem. The package was a typosquat of the legitimate `triton` library developed by OpenAI, often used for writing high-performance CUDA kernels. The malicious `torchtriton` package contained a sophisticated payload within its `setup.py` file. Upon installation via `pip`, the script executed a multi-stage attack. It first fingerprinted the host system and then proceeded to exfiltrate a wide range of sensitive data, including environment variables, Kubernetes configuration files (`~/.kube/config`), SSH keys (`~/.ssh/`), and secrets from common developer tools. The stolen data was encoded and sent to a command-and-control (C2) server controlled by the attacker. This type of supply chain attack is particularly dangerous in the AI/ML space, as developers often have privileged access to cloud environments (AWS, GCP, Azure), GPU clusters, and proprietary datasets and models. The discovery was made by security researchers who monitor PyPI for suspicious package uploads.
Affected Systems
Testing Guide
1. In your project's virtual environment or global package list, run `pip list | grep torchtriton`.
2. If the package is present, your system is affected.
3. Review shell history (`history | grep 'pip install torchtriton'`) to identify when the package may have been installed.
4. Check network logs for any suspicious outbound connections to unknown endpoints around the time of installation.
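The first three checks above as a small audit script, added here as an example rather than taken from the advisory: it inspects the running interpreter's installed distributions, a requirements file's text, and bash history (with `HISTTIMEFORMAT` writing `#<epoch>` stamps) for the package, normalising project names the way pip does so that spellings such as `Torch_Triton` are not missed. The sample inputs in the comments are constructed for illustration.

```python
"""Audit a developer environment for the malicious 'torchtriton' package."""
import re
from importlib import metadata

SUSPECT = "torchtriton"
# Matches pip, pip3 and 'python -m pip' invocations that contain an 'install' verb.
PIP_INSTALL_RE = re.compile(r"\bpip3?\b.*\binstall\b")
# bash with HISTTIMEFORMAT set writes a '#<epoch>' line before each command.
HIST_STAMP_RE = re.compile(r"^#(\d+)$")


def normalize(name):
    """Normalise a project name the way pip and PyPI compare them (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_suspects(names=(SUSPECT,)):
    """Return {normalised name: version} for suspect distributions installed in this interpreter."""
    wanted = {normalize(n) for n in names}
    found = {}
    for dist in metadata.distributions():
        name = normalize(dist.metadata.get("Name") or "")
        if name in wanted:
            found[name] = dist.version
    return found


def suspects_in_requirements(text, names=(SUSPECT,)):
    """Return the requirements/constraints lines that name a suspect project.
    Extras, version specifiers and markers after the name are tolerated
    (constructed example line: "TorchTriton[cuda]>=1.0 ; python_version>'3.8'")."""
    wanted = {normalize(n) for n in names}
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m and normalize(m.group(1)) in wanted:
            hits.append(line)
    return hits


def install_events(history_lines, name=SUSPECT):
    """Return (epoch or None, command) for each shell-history pip install naming the package."""
    token = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
    events, pending = [], None
    for line in history_lines:
        line = line.rstrip("\n")
        stamp = HIST_STAMP_RE.match(line)
        if stamp:                                    # remember the stamp for the next command
            pending = stamp.group(1)
            continue
        if PIP_INSTALL_RE.search(line) and token.search(line):
            events.append((pending, line))
        pending = None                               # a stamp applies to one command only
    return events
```

Feed `suspects_in_requirements` the contents of each `requirements*.txt` and lock file in the project, and `install_events` the lines of `~/.bash_history`; a non-empty result from any of the three functions means the machine should be treated as compromised per the mitigation steps.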
Mitigation Steps
1. **Audit Dependencies:** Immediately check project dependencies and developer environments for the presence of the `torchtriton` package. Use tools like `pip-audit` to scan for known vulnerabilities.
2. **Remove the Package:** If found, uninstall the package (`pip uninstall torchtriton`) and assume all credentials on the affected machine have been compromised.
3. **Rotate Credentials:** Rotate all potentially exposed secrets, including SSH keys, API keys, cloud credentials, and Kubernetes configurations.
4. **Use Private Repositories:** For production systems, use a private package repository (e.g., Artifactory, Nexus) that vets and mirrors packages from PyPI to reduce exposure to newly published malicious packages.
Patch Details
The malicious package was removed from the PyPI registry by the PyPI security team.