Malicious `torchtriton` Package on PyPI Steals Sensitive Developer Credentials
Overview
A malicious software package named `torchtriton` was discovered on the Python Package Index (PyPI), representing a classic typosquatting supply chain attack. The package mimicked the legitimate `triton` library, a popular tool from OpenAI for GPU programming, to deceive AI/ML developers into installing it. Upon installation via `pip install torchtriton`, a malicious `setup.py` script was executed. This script contained heavily obfuscated code designed to harvest a wide range of sensitive information from the developer's machine. The malware systematically searched for and exfiltrated SSH keys, Kubernetes configuration files (`~/.kube/config`), shell history files, and credentials stored by gcloud, AWS, and other cloud SDKs. It also collected system information by reading `/etc/passwd` and `/etc/shadow`. All stolen data was Base64 encoded and transmitted to a remote command-and-control (C2) server. This incident underscores the significant risk of supply chain attacks in the rapidly evolving MLOps landscape, where developers frequently experiment with and install numerous open-source packages. The attack could lead to a full compromise of developer accounts, cloud infrastructure, and sensitive source code repositories.
Affected Systems
Testing Guide
1. **Check Installed Packages**: Run `pip list` in your Python environments and CI/CD runners.
2. **Search for Typos**: Carefully inspect the list for `torchtriton` or other misspelled package names (e.g., `djanga`, `numpu`).
3. **Review Installation Logs**: Check shell history and build logs for `pip install` commands that may have installed the malicious package.
4. **Network Monitoring**: Check for suspicious outbound network connections from developer workstations or build servers to unknown endpoints.
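An added example (not from the advisory) that automates steps 1 to 3: it audits installed distributions for the malicious name and for near-miss spellings of an assumed allowlist, and scans shell-history or build-log lines for a `pip install` of a watchlisted name. The allowlist, the sample package list and the sample history lines are constructed for illustration.

```python
import difflib
import re
from importlib.metadata import distributions

WATCHLIST = {"torchtriton"}  # name the advisory reports as malicious; extend as needed
# Hypothetical allowlist: the packages a project legitimately depends on.
KNOWN_GOOD = {"triton", "torch", "django", "numpy", "requests"}
# Constructed sample input standing in for `pip list` output and `.bash_history`.
SAMPLE_INSTALLED = ["torch", "torchtriton", "numpu", "djanga", "requests"]
SAMPLE_HISTORY = ["pip install torch", "pip3 install torchtriton==2.0.0 --no-cache"]
PIP_INSTALL = re.compile(r"\bpip3?\s+install\b(?P<args>.*)")

def normalize(name):
    """PEP 503 name normalization: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_suspects(installed, known_good=KNOWN_GOOD, watchlist=WATCHLIST, cutoff=0.8):
    """Map suspicious names to a reason: exact watchlist hit, or a non-allowlisted
    name that closely resembles an allowlisted one (likely typosquat)."""
    good = {normalize(n) for n in known_good}
    suspects = {}
    for raw in installed:
        name = normalize(raw)
        if name in watchlist:
            suspects[raw] = "known malicious package name"
        elif name not in good:
            near = difflib.get_close_matches(name, good, n=1, cutoff=cutoff)
            if near:
                suspects[raw] = "possible typosquat of " + near[0]
    return suspects

def find_install_events(log_lines, watchlist=WATCHLIST):
    """Return (line, requirement) pairs where a pip install names a watchlisted package."""
    hits = []
    for line in log_lines:
        m = PIP_INSTALL.search(line)
        if m:
            for tok in m.group("args").split():
                if normalize(tok.split("==")[0]) in watchlist:
                    hits.append((line.strip(), tok))
    return hits

def audit_current_environment():
    """Run find_suspects() over the distributions visible to this interpreter."""
    return find_suspects(d.metadata["Name"] for d in distributions())

if __name__ == "__main__":
    print(find_suspects(SAMPLE_INSTALLED))
    print(find_install_events(SAMPLE_HISTORY))
    print(audit_current_environment())
```

Run it inside each virtual environment and on CI runners; `audit_current_environment()` only sees the interpreter it runs under.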
Mitigation Steps
1. **Dependency Pinning**: Use requirements files (`requirements.txt`) with fully pinned versions and hashes, and install with `pip install -r requirements.txt --require-hashes`. Note that `pip freeze > requirements.txt` records pinned versions only; the `--hash` entries that `--require-hashes` demands must be generated separately (for example with `pip-compile --generate-hashes` from pip-tools), otherwise the install fails.
2. **Verify Package Names**: Double-check the spelling of packages before installation. Use the official PyPI website to verify legitimate package names.
3. **Use Scanners**: Integrate dependency scanning tools like `pip-audit` or commercial solutions into your CI/CD pipeline to check for known malicious packages.
4. **Least Privilege Environments**: Develop and build in environments with minimal access to production secrets and credentials.
Patch Details
The malicious package was removed from the PyPI registry by the PyPI security team. Users must manually remove the package from their systems.