Malicious `torchtriton` PyPI Package Steals Credentials from AI Developers
Overview
A sophisticated supply chain attack targeted the AI/ML developer community through a malicious package uploaded to the Python Package Index (PyPI). The package, named `torchtriton`, typosquatted the legitimate `triton` package, a popular library from OpenAI for writing efficient GPU code. The malicious package's `setup.py` file contained an obfuscated payload that executed at install time, i.e. as soon as a developer ran `pip install torchtriton`. The payload was a comprehensive information stealer that harvested sensitive data from the developer's machine: it systematically searched for and exfiltrated SSH keys, shell history (to find passwords or commands with embedded secrets), environment variables containing API keys (OpenAI, AWS, GCP, etc.), and Kubernetes configuration files. The stolen data was then base64-encoded and transmitted over DNS or HTTP to a command-and-control (C2) server. The attack is particularly insidious because it leverages the trust developers place in the open-source ecosystem and the common mistake of misspelling a package name. The discovery was made by security firm Phylum after their automated analysis platform flagged the package for suspicious behavior, including network access and filesystem enumeration during installation.
Affected Systems
Testing Guide
1. **Check Installed Packages:** Run `pip list` or `pip freeze` in each of your Python environments and look for a package named `torchtriton`.
2. **Review Dependency Files:** Manually inspect `requirements.txt` and other dependency files for this package name.
3. **Check Logs:** Review shell history (`history`) and system logs for signs of `pip install torchtriton`. If found, assume compromise and begin rotating all credentials.
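The three checks above can be run together from one POSIX shell script. The script below is an added example written for this page, not tooling from the advisory or from Phylum; it looks for the literal name `torchtriton` in `pip freeze`/`pip list` output, in `requirements*.txt` files in the current directory, and in the bash/zsh history files. The `scan_*` functions read standard input so they can be exercised against captured or constructed text as well as live command output; the version strings in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added triage helper for the Testing Guide (example code, not from the advisory).
# Looks for "torchtriton" in three places: pip's installed-package listing,
# dependency files, and shell history.
PKG="torchtriton"

# pip freeze prints "name==version"; pip list prints "name  version" columns.
# Matches only a whole package name at the start of a line, so "triton" is not a hit.
scan_pip_output() {
    grep -i -E "^[[:space:]]*${PKG}([[:space:]]|==|$)"
}

# requirements.txt style: name, optional extras, optional version specifier.
# Comments are stripped first so "# torchtriton was here" does not count.
scan_requirements() {
    sed 's/#.*//' | grep -i -E "^[[:space:]]*${PKG}([[:space:]]|\[|[=<>!~@]|$)"
}

# Shell history: any "pip install" / "pip3 install" / "python -m pip install"
# line that names the package. Not anchored, so zsh's ": <ts>:0;" prefix is fine.
scan_history() {
    grep -i -E "pip[0-9]*[[:space:]]+install.*${PKG}"
}

# Run all three checks against this machine; returns 0 if anything matched.
triage() {
    hit=1
    if command -v pip >/dev/null 2>&1; then
        pip freeze 2>/dev/null | scan_pip_output && hit=0
    fi
    for f in requirements*.txt; do
        [ -f "$f" ] && scan_requirements < "$f" && hit=0
    done
    for h in "$HOME/.bash_history" "$HOME/.zsh_history"; do
        [ -f "$h" ] && scan_history < "$h" && hit=0
    done
    return $hit
}

if triage; then
    echo "torchtriton referenced on this host: assume compromise and start rotating credentials"
else
    echo "no torchtriton references found"
fi
```

Matching lines are printed as they are found, so the output doubles as evidence for an incident ticket. The history check only catches interactive installs; CI logs and container build logs need the same grep applied to their own output.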
Mitigation Steps
1. **Dependency Verification:** Always double-check package names for typos before installation. Use the official documentation or PyPI page to confirm the correct name.
2. **Dependency Scanning:** Integrate automated security scanning tools like `pip-audit` or commercial solutions (e.g., Snyk, Phylum) into your CI/CD pipeline to detect malicious or vulnerable packages.
3. **Use Lockfiles:** Use deterministic dependency management with lockfiles such as `poetry.lock` or the pinned output of `pip-tools`, so that the same vetted versions of packages are installed in every environment.
4. **Restrict Permissions:** Run build processes in isolated, ephemeral environments with minimal permissions and no access to long-lived secrets.
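Step 3 is only effective if the lockfile actually pins every package to an exact version and a hash, because a loose specifier lets the resolver pick whatever is newest on the index. The following added example (not from the advisory) is a small CI gate: `check_lockfile` joins `pip-compile --generate-hashes` style continuation lines and fails if any requirement lacks `==` or a `--hash=sha256:` digest. The two sample lockfiles are constructed, and the digest in them is a placeholder, not a real package hash.

```shell
#!/bin/sh
# Added CI gate for hash-pinned lockfiles (example code, not from the advisory).
# Intended pipeline:
#   pip-compile --generate-hashes requirements.in      # produce the lockfile
#   sh this_script.sh                                  # refuse unpinned lockfiles
#   pip-audit -r requirements.txt                      # known-bad / vulnerable packages
#   pip install --require-hashes -r requirements.txt   # pip itself verifies the digests

# Returns 0 when every requirement line is pinned with == and carries a sha256 hash;
# prints each offending logical line and returns 1 otherwise.
check_lockfile() {
    awk '
        # join backslash continuations into one logical line
        /\\[[:space:]]*$/ { sub(/[[:space:]]*\\[[:space:]]*$/, ""); buf = buf $0 " "; next }
        { line = buf $0; buf = "" }
        # skip blanks, comments and pip options such as --index-url
        line ~ /^[[:space:]]*(#|$)/ || line ~ /^[[:space:]]*-/ { next }
        {
            ok = (line ~ /==/) && (line ~ /--hash=sha256:[0-9a-f]+/)
            if (!ok) { bad++; print "UNPINNED OR UNHASHED: " line }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample lockfiles; FAKE_HASH is a placeholder, not a real digest.
FAKE_HASH="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_GOOD="torch==2.0.1 \\
    --hash=sha256:${FAKE_HASH}
triton==2.0.0 \\
    --hash=sha256:${FAKE_HASH}
"
SAMPLE_BAD="# loose specifiers: the resolver picks whatever is newest on the index
torch>=2.0
triton
"

demo() {
    dir=$(mktemp -d)
    printf '%s' "$SAMPLE_GOOD" > "$dir/good.txt"
    printf '%s' "$SAMPLE_BAD"  > "$dir/bad.txt"
    check_lockfile "$dir/good.txt" && echo "good.txt: every requirement is pinned and hashed"
    check_lockfile "$dir/bad.txt"  || echo "bad.txt: refuse to install until regenerated with --generate-hashes"
    rm -rf "$dir"
}
demo
```

The gate deliberately checks the lockfile's shape rather than the digests themselves; verifying that each hash matches the downloaded artifact is what `pip install --require-hashes` does, and the gate only makes sure that check cannot be silently skipped by a loose line.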
Patch Details
The malicious package `torchtriton` was removed from the PyPI registry. Mitigation requires users to manually uninstall the package and rotate any potentially compromised credentials.