Malicious `torchtriton` Package on PyPI Steals Sensitive Data from AI/ML Systems
Overview
A sophisticated supply chain attack targeted AI/ML developers through a malicious package named `torchtriton` uploaded to the Python Package Index (PyPI). This package was a typosquat of the legitimate `pytorch-triton` library, a popular dependency for optimizing deep learning models on NVIDIA GPUs. The malicious package's `setup.py` file contained an obfuscated payload that executed upon installation (`pip install torchtriton`).

The payload was designed for widespread data exfiltration. It would scan the user's home directory for sensitive information, including SSH keys (`~/.ssh/`), shell history files (`.bash_history`, `.zsh_history`), Kubernetes configuration (`~/.kube/config`), and environment variable files. Furthermore, it harvested system information by reading `/etc/passwd` and `/etc/shadow` to gather user account details. All collected data was base64 encoded and exfiltrated to a command-and-control (C2) server controlled by the attacker.

This incident was critical because it targeted developers working in high-value environments, potentially giving attackers access to cloud credentials, private code repositories, and production ML infrastructure. The attack highlighted the significant risk of typosquatting in the rapidly evolving AI/ML open-source ecosystem, where developers frequently install new and experimental packages.
Affected Systems
Testing Guide
1. **Check Installation History**: Review your shell history for `pip install torchtriton`.
2. **List Installed Packages**: Run `pip list` in your Python environments and look for `torchtriton`. The legitimate package is `pytorch-triton`.
3. **Inspect Network Logs**: If you suspect an infection, analyze DNS and network traffic logs for connections to unknown or suspicious endpoints originating from Python processes around the time of installation.
4. **Scan for IOCs**: Check for the presence of the malicious package files in your `site-packages` directory and look for the specific exfiltration logic described in security advisories.
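The following script is an added example for steps 1, 2 and 4 of this testing guide; it is not tooling from the advisory's author. It checks the three local places the guide names: distributions visible to the running interpreter, the `.bash_history` and `.zsh_history` files in the home directory, and `site-packages` directories. The `SAMPLE_HISTORY` lines are constructed so the history matcher can be exercised offline; `normalize` and `INSTALL_RE` are helper names chosen here, not names from the advisory.

```python
"""Hunt for the malicious torchtriton package in a local environment.

Added example for this advisory, not tooling from the advisory's author.
It checks installed distributions, shell history files and site-packages
directories. SAMPLE_HISTORY is constructed for the demonstration.
"""
import re
import site
from importlib import metadata
from pathlib import Path
from typing import Iterable

MALICIOUS = "torchtriton"      # package name from the advisory
LEGITIMATE = "pytorch-triton"  # legitimate name from the advisory

# Matches "pip install torchtriton" both in plain bash history and in zsh
# extended-history lines of the form ": <epoch>:0;pip install torchtriton".
INSTALL_RE = re.compile(r"\bpip3?\s+install\b.*\btorchtriton\b")


def normalize(name: str) -> str:
    """PEP 503 style normalisation so e.g. 'TorchTriton' compares equal to 'torchtriton'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def flag_installed(names: Iterable[str]) -> list[str]:
    """Given distribution names (e.g. the first column of `pip list`),
    return those that are the malicious package."""
    return sorted({normalize(n) for n in names if normalize(n) == MALICIOUS})


def installed_names() -> list[str]:
    """Names of every distribution visible to this interpreter."""
    return [d.metadata["Name"] for d in metadata.distributions() if d.metadata["Name"]]


def history_hits(lines: Iterable[str]) -> list[str]:
    """Shell-history lines that installed the malicious package."""
    return [line.rstrip("\n") for line in lines if INSTALL_RE.search(line)]


def scan_history_files(home: Path) -> list[str]:
    """Run history_hits over the bash and zsh history files under `home`."""
    hits: list[str] = []
    for fname in (".bash_history", ".zsh_history"):
        path = home / fname
        if path.is_file():
            hits.extend(history_hits(path.read_text(errors="replace").splitlines()))
    return hits


def site_packages_hits(site_dirs: Iterable[str]) -> list[str]:
    """Package directories or dist-info entries named torchtriton* under the given paths."""
    found: list[str] = []
    for d in site_dirs:
        root = Path(d)
        if root.is_dir():
            found.extend(str(p) for p in root.glob("torchtriton*"))
    return found


SAMPLE_HISTORY = [  # constructed for the demonstration
    "pip install pytorch-triton",
    "pip install torchtriton",
    ": 1672531200:0;pip3 install --pre torchtriton",
    "pip install torch torchvision",
]

if __name__ == "__main__":
    print("sample history hits:", history_hits(SAMPLE_HISTORY))
    print("installed:", flag_installed(installed_names()))
    print("history files:", scan_history_files(Path.home()))
    print("site-packages:", site_packages_hits(site.getsitepackages() + [site.getusersitepackages()]))
```

Run it inside each virtual environment you use, since `importlib.metadata` and `site.getsitepackages()` only see the interpreter that executes the script. Any non-empty result is a reason to move on to step 3 (network log review) and to credential rotation.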
Mitigation Steps
1. **Verify Package Names**: Always double-check package names against official documentation before installation. Use `pip search` or browse the official project repository.
2. **Use Pinned Dependencies**: Use a `requirements.txt` or `pyproject.toml` file with pinned, hashed versions of dependencies to ensure reproducible and verified builds.
3. **Audit Installed Packages**: Regularly audit your environment's installed packages using tools like `pip-audit` or `safety` to check for known malicious packages or vulnerabilities.
4. **Isolated Environments**: Perform experimental package installations in isolated, network-restricted environments (e.g., Docker containers) to limit the potential blast radius of a malicious package.
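As an added example for steps 1 and 2 (not code from the advisory's author), the linter below reads a `requirements.txt`, reports every requirement that is not pinned with `==` or carries no `--hash=sha256:` entry, and compares each package name against an allowlist of names you have verified, flagging near-misses as possible typosquats. The allowlist, the sample requirements and the digest value are constructed for the demonstration; `pip install --require-hashes -r requirements.txt` is the real pip mode that enforces the hashing this linter checks for.

```python
"""Lint a requirements file for pinned, hashed dependencies and lookalike names.

Added example for this advisory, not the advisory author's tooling. The
allowlist, SAMPLE_REQUIREMENTS and FAKE_HASH are constructed.
"""
import difflib
import re

ALLOWLIST = {"torch", "pytorch-triton", "numpy"}  # constructed: names you have verified

# name, optional [extras], then an exact '==' pin
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def normalize(name: str) -> str:
    """PEP 503 style normalisation of a distribution name."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[dict]:
    """One record per logical requirement line; backslash continuations are joined first."""
    records = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or a pip option such as -r
            continue
        m = PIN_RE.match(line)
        if not m:
            records.append({"raw": line, "name": None, "version": None, "hashes": []})
            continue
        records.append({"raw": line, "name": normalize(m.group(1)),
                        "version": m.group(2), "hashes": HASH_RE.findall(line)})
    return records


def lint(text: str, allowlist=ALLOWLIST) -> list[str]:
    """Return human-readable findings; an empty list means the file passes."""
    findings = []
    for rec in parse_requirements(text):
        if rec["name"] is None:
            findings.append(f"not pinned with ==: {rec['raw']}")
            continue
        if not rec["hashes"]:
            findings.append(f"{rec['name']}: no --hash, pip --require-hashes would reject this file")
        if rec["name"] not in allowlist:
            # A name close to, but not equal to, a verified name is the typosquat pattern.
            close = difflib.get_close_matches(rec["name"], allowlist, n=1, cutoff=0.75)
            if close:
                findings.append(f"{rec['name']}: not on allowlist and resembles "
                                f"'{close[0]}' (possible typosquat)")
            else:
                findings.append(f"{rec['name']}: not on allowlist")
    return findings


FAKE_HASH = "0123456789abcdef" * 4  # constructed placeholder, not a real digest
SAMPLE_REQUIREMENTS = (             # constructed requirements file
    "torch==2.1.0 \\\n"
    f"    --hash=sha256:{FAKE_HASH}\n"
    "torchtriton==2.0.0\n"
    "requests>=2.0\n"
)

if __name__ == "__main__":
    for finding in lint(SAMPLE_REQUIREMENTS):
        print(finding)
```

Wire `lint` into CI so a pull request that adds an unpinned, unhashed or lookalike dependency fails before anyone runs `pip install` on it. The allowlist is the important part: a name that is close to a verified one but not equal to it (here `torchtriton` against `pytorch-triton`) is exactly the case the advisory describes.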
Patch Details
The malicious package was removed from PyPI by the registry's security team. There is no 'patch' other than uninstalling the malicious package (`pip uninstall torchtriton`) and rotating any compromised credentials.