Poisoned PyPI Package 'torch-utils' Steals Cloud and AI Service Credentials
Overview
A malicious package named `torch-utils` was discovered on the Python Package Index (PyPI), a supply chain attack aimed at AI and ML developers. The package was a typosquat: its name was chosen to mislead developers who intended to install legitimate PyTorch utility libraries. When the package was installed with `pip install torch-utils`, its `setup.py` script ran, and that script contained obfuscated code that performed several malicious actions. First, it scanned the system's environment variables for sensitive API keys, specifically `OPENAI_API_KEY`, `HUGGING_FACE_HUB_TOKEN`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_ACCESS_KEY`. Second, it searched common configuration file locations, such as `~/.aws/credentials` and `~/.git-credentials`, to harvest additional secrets. Finally, it base64-encoded the collected credentials and exfiltrated them in DNS requests to an attacker-controlled domain, a technique that evades many network firewalls because they permit DNS traffic by default.

This incident highlights the significant risk of supply chain attacks in the rapidly growing AI ecosystem, where developers routinely install large numbers of open-source packages. The ease of publishing to PyPI and the reliance on community-provided code give attackers a ready channel for distributing malware.
Affected Systems
Testing Guide
1. **Check Installed Packages:** Run `pip list` in your project's virtual environment and carefully inspect the list for any packages with names similar to popular libraries but slightly altered (typosquatting).
2. **Search for 'torch-utils':** Specifically, run `pip show torch-utils` to see if the malicious package is installed.
3. **Review Network Logs:** Analyze DNS logs from development machines or CI/CD runners for unusual queries to unknown domains, which could indicate data exfiltration.
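Step 3 is the one that is hard to do by eye, so the following is an added example of what "unusual queries" looks like in practice. It is not code from the advisory: it scans constructed resolver log lines (the `timestamp client query qname qtype` format and the `exfil.example` domain are assumptions for the example) for long, high-entropy labels, then tries to base64url-decode each one and checks whether the decoded text names one of the environment variables the package targeted. The long label in the sample is the base64 encoding of the fake string `OPENAI_API_KEY=sk-abcdefghijklmnop`.

```python
"""Detection helper (added example, not from the original advisory).

Flags DNS queries whose labels look like base64-encoded exfiltration and
decodes them so an analyst can see what was leaked.
"""
import base64
import binascii
import math
import re
from collections import Counter

# Constructed sample log; line 3 carries base64("OPENAI_API_KEY=sk-abcdefghijklmnop")
# as a subdomain of a placeholder attacker domain.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 query pypi.org A
2024-05-01T10:00:02Z 10.0.0.12 query files.pythonhosted.org A
2024-05-01T10:00:03Z 10.0.0.12 query T1BFTkFJX0FQSV9LRVk9c2stYWJjZGVmZ2hpamtsbW5vcA.exfil.example A
2024-05-01T10:00:04Z 10.0.0.12 query github.com A
"""

# Environment variables the advisory says the package harvested.
SECRET_NAMES = ("OPENAI_API_KEY", "HUGGING_FACE_HUB_TOKEN",
                "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
B64_LABEL = re.compile(r"^[A-Za-z0-9_-]{32,}$")  # base64url alphabet, unpadded
MIN_ENTROPY = 3.0  # bits per character; ordinary hostname labels sit well below this


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_label(label: str):
    """Base64url-decode a label (restoring padding); return printable ASCII text or None."""
    padded = label + "=" * (-len(label) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def parse_line(line: str):
    """Split one resolver log line into a record; None for lines that are not queries."""
    parts = line.split()
    if len(parts) < 5 or parts[2] != "query":
        return None
    return {"ts": parts[0], "client": parts[1], "qname": parts[3], "qtype": parts[4]}


def suspicious_queries(log_text: str):
    """Return one finding per long, high-entropy label, with its decoded text if any."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for label in rec["qname"].split("."):
            if not B64_LABEL.match(label) or shannon_entropy(label) < MIN_ENTROPY:
                continue
            decoded = decode_label(label)
            leaked = [n for n in SECRET_NAMES if decoded and n in decoded]
            findings.append({**rec, "label": label, "decoded": decoded,
                             "secret_names": leaked})
    return findings


if __name__ == "__main__":
    for f in suspicious_queries(SAMPLE_DNS_LOG):
        print(f["ts"], f["client"], f["qname"], "->", f["decoded"], f["secret_names"])
```

The length and entropy thresholds are deliberately loose; in a real resolver log the noise from CDN and anti-spam hostnames is handled by allowlisting known second-level domains before this check runs, and a finding whose decoded text contains a secret name is the one to escalate first.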
Mitigation Steps
1. **Audit Dependencies:** Regularly audit your project's dependencies (`requirements.txt`, `pyproject.toml`) for any suspicious or misspelled packages. Use tools like `pip-audit` or Snyk to automate this process.
2. **Pin Versions:** Pin the versions of all dependencies in your project to specific, known-good versions to prevent the automatic installation of a newly published malicious version.
3. **Use a Private Registry:** For enterprise environments, consider hosting a private package registry that mirrors a vetted subset of packages from the public PyPI.
4. **Restrict Permissions:** Run development and CI/CD environments with the minimum necessary permissions. Avoid storing production secrets in environment variables or configuration files accessible in these environments; use a dedicated secrets manager instead.
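Steps 1 and 2 can be enforced in CI with a small check, shown here as an added example rather than the advisory's or any tool's own code. It parses a constructed `requirements.txt`, reports every requirement that is not pinned with `==`, and flags names that resemble a trusted package without being one (a close edit distance, or a trusted name with a suffix bolted on, which is the shape `torch-utils` has). The `KNOWN` set is an assumption standing in for an organisation's vetted package list.

```python
"""Dependency audit helper (added example, not from the original advisory).

Reports unpinned requirements and names that look like a trusted package.
"""
import difflib
import re

# Assumed allowlist of vetted package names (normalised per PEP 503).
KNOWN = {"torch", "torchvision", "numpy", "transformers", "huggingface-hub", "requests"}
SIMILARITY = 0.8  # difflib ratio at or above which a name counts as a look-alike

# Constructed requirements file containing one typosquat, one near-miss and one unpinned spec.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for the example
torch==2.2.0
torch-utils
numpyy==1.26.4
transformers>=4.40
huggingface-hub==0.23.0
requests==2.31.0
"""

# name, optional [extras], then whatever version specifier follows
SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[.*?\])?\s*(.*)$")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lookalike(name: str, known=KNOWN):
    """Return the trusted name this one resembles, or None if it is trusted or unrelated."""
    if name in known:
        return None
    for k in sorted(known):  # sorted for deterministic results
        if name.startswith(k + "-"):
            return k
        if difflib.SequenceMatcher(None, name, k).ratio() >= SIMILARITY:
            return k
    return None


def parse_requirement(line: str):
    """Return (normalised name, version spec) or None for blank and comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    return normalize(m.group(1)), m.group(3).strip()


def audit(requirements_text: str, known=KNOWN):
    """Return (name, spec, issues) for every requirement that fails a check."""
    findings = []
    for raw in requirements_text.splitlines():
        parsed = parse_requirement(raw)
        if parsed is None:
            continue
        name, spec = parsed
        issues = []
        if not spec.startswith("=="):
            issues.append("unpinned")
        suspect = lookalike(name, known)
        if suspect:
            issues.append(f"resembles trusted package '{suspect}'")
        if issues:
            findings.append((name, spec, issues))
    return findings


if __name__ == "__main__":
    for name, spec, issues in audit(SAMPLE_REQUIREMENTS):
        print(f"{name}{spec or ' (no version)'}: {', '.join(issues)}")
```

A look-alike hit is a prompt to check the package's PyPI page, author and upload date, not proof of malice; the name heuristic will also catch legitimate but unvetted add-ons, which is the point of maintaining the allowlist rather than guessing.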
Patch Details
The malicious package `torch-utils` was removed from the PyPI registry by the PyPI security team.