PyPI Supply Chain Attack 'ML-Leaker' Steals Cloud Credentials from AI Developers
Overview
A sophisticated supply chain attack campaign, codenamed 'ML-Leaker', targeted AI and machine learning developers by publishing malicious packages to the Python Package Index (PyPI). The attackers used typosquatting, creating packages with names very similar to popular ML libraries, such as `scikit-learn-utils` instead of `sklearn-utils` or `torchvision-addons` instead of `torch-vision-addons`. The malicious packages contained a harmful `setup.py` file. When a developer ran `pip install`, this setup script executed as part of the installation, before the package itself was installed. The script was heavily obfuscated and contained logic to scan the developer's machine for sensitive information. It specifically searched the common locations of AWS, Azure, and Google Cloud credentials, Kubernetes configuration files, SSH private keys, and environment variables holding API tokens (e.g., `OPENAI_API_KEY`, `HUGGING_FACE_HUB_TOKEN`). Once found, the stolen data was base64-encoded and exfiltrated via a DNS query or a covert HTTP POST request to an attacker-controlled server. The campaign was highly effective because the packages often bundled the real, legitimate library, so they functioned as expected after installation, hiding the malicious activity from the developer.
Affected Systems
Testing Guide
1. Review your project's `requirements.txt` or `pyproject.toml` file for any unfamiliar or misspelled package names.
2. Use a security scanner to analyze your project's dependencies: `pip install pip-audit && pip-audit`.
3. Check the output for any high-severity vulnerability alerts or warnings about known malicious packages.
4. Manually inspect the installation logs (`pip install -v`) for any suspicious commands or network connections during the setup phase of a package installation.
Mitigation Steps
1. **Pin Dependencies:** Use a dependency management tool like Poetry or pip-tools to pin exact, known-good versions of your dependencies in a lock file (e.g., `poetry.lock`, `requirements.txt`).
2. **Vet Dependencies:** Before adding a new library, carefully check its name for typos, and inspect its download statistics, release history, and homepage on PyPI.
3. **Use Scanners:** Integrate automated security scanners like `pip-audit` or `Snyk` into your CI/CD pipeline to check for known malicious or vulnerable packages.
4. **Isolate Build Environments:** Perform `pip install` in ephemeral, network-restricted containers to prevent malicious setup scripts from accessing sensitive files on the host or CI/CD runner.
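The review step in the Testing Guide and the pin-and-vet mitigations above can be automated with a small pre-install check. The script below is an added example, not code from the advisory or from any named tool: it normalizes package names the way PyPI does (PEP 503), flags entries that are not pinned with `==`, and flags names that are a near-miss (edit distance of at most 2) of a package on a project allowlist. The allowlist and the `requirements.txt` body are constructed for the demonstration.

```python
import re

# Constructed allowlist: the libraries this hypothetical project is known to use.
KNOWN_GOOD = {"scikit-learn", "torch", "torchvision", "numpy", "transformers", "requests"}

# Constructed requirements.txt body: one one-letter typo, one unpinned, one unknown entry.
REQUIREMENTS = """\
numpy==1.26.4
scikit_learn==1.4.2
torchvison>=0.17
transformers
requests==2.31.0
some-new-lib==0.1
"""

# name, optional [extras], optional version operator, version (PEP 508 subset)
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)")

def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, and '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (classic two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_requirements(text: str, known=KNOWN_GOOD, max_dist: int = 2):
    """Return (package, finding) pairs: unpinned, lookalike of an allowlisted name, or unknown."""
    known_norm = {normalize(k) for k in known}
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and pip options such as -r / --index-url
            continue
        match = REQ_LINE.match(line)
        if not match:
            continue
        name, op, _version = match.groups()
        if op != "==":
            findings.append((name, "unpinned"))
        norm = normalize(name)
        if norm in known_norm:  # exact (normalized) match with a vetted package
            continue
        close = sorted(k for k in known_norm if edit_distance(norm, k) <= max_dist)
        findings.append((name, f"lookalike of {close[0]}" if close else "not in allowlist"))
    return findings
```

Any "lookalike" or "not in allowlist" finding should block the install until the name is vetted on PyPI as step 2 describes; "unpinned" findings are fixed by regenerating the lock file.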
Patch Details
The malicious packages were identified and removed from PyPI by the Python security team. However, any system that installed them remains compromised.