The PyTorch package maintainers have advised users who installed the library’s nightly releases between December 25, 2022, and December 30, 2022, to uninstall them and download the most recent versions, following a dependency confusion attack.
“PyTorch-nightly Linux packages installed via pip during that time installed a dependency, torchtriton, which was compromised on the Python Package Index (PyPI) code repository and ran a malicious binary,” said the PyTorch team in an alert.
PyTorch is an open-source, Python-based machine learning framework created by Meta Platforms and comparable to Keras and TensorFlow. According to the PyTorch team, the malicious dependency was found on December 30 at 4:40 PM GMT. As part of the supply chain attack, a malware-laced copy of the legitimate dependency torchtriton was uploaded to the Python Package Index (PyPI) code repository.
Because package managers like pip check public code registries like PyPI before private registries, the fraudulent module could be installed on users’ computers in place of the genuine version hosted on PyTorch’s own third-party index. The rogue version exfiltrates system data such as environment variables, the current working directory, and the hostname, and is also designed to read the following files:
- /etc/hosts
- $HOME/.ssh/*
- The first 1,000 files in $HOME/*
- /etc/passwd
- $HOME/.gitconfig
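The resolution behaviour described above is easiest to see in a small model. The following is an added example and is not code from the PyTorch project or its advisory: it simulates a resolver that searches a private index plus the public PyPI index (as pip does with its real `--extra-index-url` flag, where the highest version wins regardless of which index serves it) against one that consults a single index only (`--index-url`), and it includes the check a maintainer would run to find private package names that also exist publicly. The version numbers, the public-index listing and the "first index is the `--index-url`" ordering are constructed assumptions; the private index URL is the one named on this page. Real pip also weighs wheel compatibility and pre-release flags, which this model omits.

```python
# Added example, not the PyTorch project's code: a simplified model of
# multi-index dependency resolution and a check for names that a public
# look-alike package could shadow.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str   # PEP 440-style; a '+local' label is ignored for ordering
    index: str     # URL of the index that lists this candidate


def version_key(version: str) -> Tuple[int, ...]:
    """Order versions by numeric release segments; the '+local' build label is
    dropped, mirroring how a local tag does not make a version newer."""
    public = version.split("+", 1)[0]
    return tuple(int(part) for part in public.split("."))


def resolve(name: str, indexes: List[Tuple[str, List[Candidate]]],
            extra_index: bool) -> Optional[Candidate]:
    """Pick the candidate a resolver would install.

    extra_index=True models 'pip install --extra-index-url <private>': every
    configured index is searched and the highest version wins, wherever it is
    hosted.  extra_index=False models '--index-url <private>' alone: only the
    first configured index (assumed here to be the private one) is consulted,
    so a same-named package on the public index is never even seen.
    """
    searched = indexes if extra_index else indexes[:1]
    matches = [c for _, cands in searched for c in cands if c.name == name]
    if not matches:
        return None
    return max(matches, key=lambda c: version_key(c.version))


def shadowed_names(private_listing: List[Candidate],
                   public_listing: List[Candidate]) -> List[str]:
    """Names served from the private index that also exist on the public one:
    exactly the condition a dependency confusion attack needs.  A maintainer
    can close the gap by registering a placeholder under that name publicly."""
    public_names = {c.name for c in public_listing}
    return sorted({c.name for c in private_listing if c.name in public_names})


# Constructed sample listings; versions are illustrative, not the real ones.
PRIVATE_INDEX = "https://download.pytorch.org/whl/nightly"
PUBLIC_INDEX = "https://pypi.org/simple"
PRIVATE_LISTING = [
    Candidate("torchtriton", "2.0.0+abc123", PRIVATE_INDEX),
    Candidate("torch", "2.0.0", PRIVATE_INDEX),
]
PUBLIC_LISTING = [
    Candidate("torchtriton", "3.0.0", PUBLIC_INDEX),   # constructed look-alike
    Candidate("requests", "2.28.1", PUBLIC_INDEX),
]
INDEXES = [(PRIVATE_INDEX, PRIVATE_LISTING), (PUBLIC_INDEX, PUBLIC_LISTING)]


if __name__ == "__main__":
    lured = resolve("torchtriton", INDEXES, extra_index=True)
    pinned = resolve("torchtriton", INDEXES, extra_index=False)
    print("with --extra-index-url:", lured.version, "from", lured.index)
    print("with --index-url only: ", pinned.version, "from", pinned.index)
    print("names at risk of shadowing:", shadowed_names(PRIVATE_LISTING, PUBLIC_LISTING))
```

Running the script shows the higher-numbered public candidate winning whenever both indexes are searched, and the private build winning when the private index is the sole source; the `shadowed_names` output is the list a maintainer should review before an attacker does.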
The owner of the site to which the stolen data was sent has since issued a statement claiming that all the data has been erased and that the activity was part of an ethical research effort. As mitigations, the torchtriton dependency has been replaced with PyTorch-triton, and a dummy package has been registered on PyPI as a stand-in to prevent future exploitation.
According to a note on the torchtriton PyPI page, the package hosted there is not the genuine torchtriton and was posted to find vulnerabilities related to dependency confusion; the genuine torchtriton is available from https://download.pytorch[.]org/whl/nightly/torchtriton/. The disclosure also follows JFrog’s report on cookiezlog, another PyPI package seen using anti-debugging tactics to thwart analysis, which it described as the first instance of PyPI malware using such mechanisms.