PyPI Supply Chain Attack via Typosquatted 'torchtriton' Package Exfiltrates Sensitive Data
Overview
A critical supply chain attack was discovered targeting AI/ML developers through a malicious package named `torchtriton` published on the Python Package Index (PyPI). This package typosquatted the legitimate `triton` library developed by OpenAI, which is a popular tool for writing efficient GPU code. Developers accidentally installing `torchtriton` instead of `triton` would unknowingly execute malicious code contained within the package's `setup.py` file. Upon installation, the malware would execute a payload that collected a wide range of sensitive information from the developer's machine. This included environment variables (often containing API keys and cloud credentials), Kubernetes configuration files, SSH keys, user profiles, and shell history. The stolen data was then base64 encoded and exfiltrated to a command-and-control (C2) server controlled by the attacker. This incident underscores the significant supply chain risks in the AI ecosystem, where developers frequently rely on a vast web of open-source dependencies. A single typo in a `pip install` command could lead to a complete compromise of a developer's workstation and potentially provide a foothold into sensitive corporate development and production environments.
Affected Systems
Testing Guide
1. **Check Pip History:** Review your shell history and pip logs for commands like `pip install torchtriton`.
2. **Scan Installed Packages:** Run `pip list` in your virtual environments and look for `torchtriton` or other similarly misspelled packages.
3. **Examine Network Logs:** Analyze network traffic logs from developer machines for suspicious DNS lookups or HTTP requests to unknown domains shortly after a package installation.
4. **Check for Compromise Indicators:** Look for unexpected files in home directories, unusual running processes, or modified shell configuration files.
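To make step 2 repeatable across many virtual environments, the following added example (not from the advisory or any vendor tool) compares installed distribution names against a constructed watch list of packages a team actually depends on and flags lookalikes: names that embed a watched name (`torchtriton` contains `triton`) or sit within a couple of edits of one. The watch list, the allowlist and the sample inventory in the test are assumptions; `installed_names()` reads the real environment.

```python
"""Flag installed packages whose names resemble a watched package (typosquat check)."""
import re
from importlib.metadata import distributions

# Constructed watch list: legitimate packages the team depends on (an assumption).
WATCH_LIST = ["triton", "torch", "numpy", "requests"]


def normalize(name: str) -> str:
    # PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance via the classic two-row dynamic programme
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious(installed, watch=WATCH_LIST, allow=(), max_dist=2) -> dict:
    """Return {installed_name: watched_name} for names that are neither watched
    nor explicitly allowed but embed a watched name or are within max_dist edits
    of one. `allow` is for known-good neighbours (e.g. torchvision) to cut noise."""
    watched = list(dict.fromkeys(normalize(w) for w in watch))  # dedupe, keep order
    allowed = {normalize(a) for a in allow}
    hits = {}
    for raw in installed:
        name = normalize(raw)
        if name in watched or name in allowed:
            continue
        for w in watched:
            # Substring rule only for longer names so 'torch' does not match everything
            if (len(w) >= 5 and w in name) or edit_distance(name, w) <= max_dist:
                hits[raw] = w
                break
    return hits


def installed_names() -> list:
    # Names of all distributions visible to the current interpreter
    return [d.metadata.get("Name") or "" for d in distributions()]


if __name__ == "__main__":
    for pkg, lookalike in suspicious(installed_names(), allow=["torchvision"]).items():
        print(f"SUSPICIOUS: {pkg} resembles {lookalike}; review before use")
```

Run it inside each virtual environment (the interpreter decides which packages are visible), and treat hits as leads for manual review rather than verdicts.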
Mitigation Steps
1. **Verify Package Names:** Always double-check package names before installation. Use the official PyPI website to confirm the correct spelling and author of a package.
2. **Use Pinned Dependencies:** Use `requirements.txt` or `pyproject.toml` files with pinned, hashed versions of dependencies (e.g., via `pip-tools`) to prevent accidental installation of malicious packages.
3. **Audit Installed Packages:** Regularly audit development and production environments for suspicious packages using tools like `pip-audit` or commercial software composition analysis (SCA) tools.
4. **Restrict Egress Traffic:** Implement network egress filtering on developer workstations and CI/CD runners to block connections to unknown or unauthorized C2 servers.
Patch Details
The malicious `torchtriton` package was removed from PyPI by the security team upon discovery.