Malicious `torchtriton` Package on PyPI Exfiltrates Sensitive Developer Data
Overview
A malicious package named `torchtriton` was discovered on the Python Package Index (PyPI), typosquatting the legitimate `triton` package developed by OpenAI for GPU programming. This supply chain attack specifically targeted AI/ML developers who might mistakenly install the fraudulent package. Upon installation via `pip install torchtriton`, the package's `setup.py` script executed a malicious payload. This payload was designed to gather a wide range of sensitive information from the developer's machine, including environment variables, user secrets (from `~/.aws/`, `~/.ssh/`, `~/.gitconfig`), system information (`uname`), network configuration (`ifconfig`), Kubernetes configuration (`~/.kube/config`), and shell history. The collected data was then exfiltrated to a command-and-control server controlled by the attacker. This incident underscores the significant supply chain risks within the rapidly growing AI ecosystem, where developers frequently install numerous open-source packages from public repositories. The attacker leveraged the trust and fast-paced nature of AI development to compromise developer workstations, potentially gaining access to proprietary code, model weights, and cloud infrastructure credentials. The package was reported by security researchers and promptly removed by the PyPI security team after being active for several weeks.
Affected Systems
Testing Guide
1. On your development machine or in your CI environment, run the command `pip list | grep torchtriton`.
2. If the package is found, your system was compromised.
3. Review shell history and network logs around the time of installation for suspicious activity, particularly outbound connections to unknown IP addresses.
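The following triage helper is an added example and is not part of the advisory. It performs steps 1 and 2 above against saved `pip list` (or `pip freeze`) output, so it also works offline on CI logs, and then lists which of the files the payload collected (the paths named in the Overview) exist in a given home directory, which is the list of credentials to rotate. The sample package listings and version numbers are constructed for the demonstration; it assumes only POSIX sh and grep.

```shell
#!/bin/sh
# Added example (not from the advisory): triage for the torchtriton incident.
# Assumes POSIX sh; pip output is read from stdin so saved CI logs can be checked.

# is_torchtriton_installed: reads "pip list" or "pip freeze" output on stdin and
# prints "yes" if torchtriton appears as an installed distribution, else "no".
# "pip list" prints "name  version" columns; "pip freeze" prints "name==version".
is_torchtriton_installed() {
    if grep -qiE '^torchtriton([[:space:]]|==)'; then echo yes; else echo no; fi
}

# list_exposed_secrets HOME: print each of the files the payload collected that
# exists under HOME (paths taken from the advisory's Overview).
list_exposed_secrets() {
    home="$1"
    for p in .aws .ssh .gitconfig .kube/config .bash_history .zsh_history; do
        [ -e "$home/$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# triage PIPLIST HOME: combine both checks into a human-readable verdict.
triage() {
    if [ "$(printf '%s\n' "$1" | is_torchtriton_installed)" = yes ]; then
        echo "COMPROMISED: torchtriton is installed. Rotate secrets found in:"
        list_exposed_secrets "$2" | while read -r f; do echo "  $f"; done
    else
        echo "torchtriton not installed"
    fi
}

# Constructed sample listings (versions are placeholders, not real releases).
SAMPLE_PIP_LIST='Package     Version
numpy       0.0.0
torchtriton 0.0.0
triton      0.0.0'

CLEAN_PIP_LIST='Package     Version
numpy       0.0.0
triton      0.0.0'

# demo: run both cases against a constructed home directory in a temp dir.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/.ssh" "$tmp/.kube"
    : > "$tmp/.kube/config"
    : > "$tmp/.gitconfig"
    triage "$SAMPLE_PIP_LIST" "$tmp"   # COMPROMISED, lists .ssh .gitconfig .kube/config
    triage "$CLEAN_PIP_LIST" "$tmp"    # torchtriton not installed
    rm -rf "$tmp"
}

demo
```

On a real machine, pipe live output instead of the constructed sample: `pip list | is_torchtriton_installed`, and pass `"$HOME"` to `list_exposed_secrets`.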
Mitigation Steps
1. Immediately run `pip uninstall torchtriton` and verify its removal.
2. Rotate all potentially compromised credentials, including AWS keys, SSH keys, and API tokens.
3. Audit developer workstations and CI/CD environments for signs of compromise or data exfiltration.
4. Enforce dependency best practices: use hash-checking with `requirements.txt` or `poetry.lock`, regularly scan dependencies with tools like `pip-audit`, and carefully vet package names before installation.
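Step 4's hash-checking is what turns a pinned `requirements.txt` into a supply-chain control: with `pip install --require-hashes -r requirements.txt`, pip refuses any artifact whose digest does not match the pinned `--hash=sha256:...` value, so a substituted or renamed package cannot be installed silently. The helper below is an added example, not the advisory's or pip's own code; it builds a hash-pinned requirement line from a locally downloaded artifact and verifies a file against a pinned digest. The package name `example-pkg`, the version `0.0.0` and the file contents are constructed placeholders; it assumes POSIX sh and `sha256sum` from coreutils.

```shell
#!/bin/sh
# Added example (not from the advisory): produce and verify hash-pinned
# requirement lines for "pip install --require-hashes". Assumes POSIX sh + sha256sum.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# pin_requirement NAME VERSION FILE: print "NAME==VERSION --hash=sha256:<digest>",
# the line format pip's --require-hashes mode expects in requirements.txt.
pin_requirement() {
    printf '%s==%s --hash=sha256:%s\n' "$1" "$2" "$(sha256_of "$3")"
}

# verify_pinned FILE DIGEST: print "ok" if FILE matches the pinned digest, else
# "MISMATCH" (the condition under which pip aborts the install).
verify_pinned() {
    if [ "$(sha256_of "$1")" = "$2" ]; then echo ok; else echo MISMATCH; fi
}

# demo: constructed files stand in for a downloaded wheel and a tampered copy.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed wheel contents' > "$tmp/example_pkg.whl"
    printf 'constructed tampered contents' > "$tmp/tampered.whl"
    line=$(pin_requirement example-pkg 0.0.0 "$tmp/example_pkg.whl")
    echo "$line"                                  # line to place in requirements.txt
    digest=${line##*sha256:}
    verify_pinned "$tmp/example_pkg.whl" "$digest"   # ok
    verify_pinned "$tmp/tampered.whl" "$digest"      # MISMATCH
    rm -rf "$tmp"
}

demo
```

In practice, pip can compute the same digest with `pip hash <file>`; the point of the verification function is that any change to the artifact, including a typosquatted substitute, changes the digest and fails the install.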
Patch Details
The malicious package `torchtriton` was removed from the PyPI registry. There is no 'patch' other than uninstalling the malicious package and securing potentially compromised systems.