If you are a Python developer and someone who is used to installing the latest preview build of libraries, you may want to take immediate mitigating action. PyTorch, an open source machine learning framework initially developed by Meta and now under the Linux Foundation, was allegedly the target of a supply chain attack, which led to many users installing a malicious package.
Basically, PyTorch-nightly leverages a dependency called “torchtriton”. While the directory hosted in PyTorch’s nightly package index is not at all malicious, a problematic package of the same name was uploaded to the Python Package Index (PyPI) repository over the holidays.
When Python developers install libraries, they usually use the “pip” command in the terminal. However, this prioritizes the PyPI repository, which means that instead of installing torchtriton from PyTorch, the malicious binary from PyPI was installed on user computers.
Fortunately, the apparent dependency confusion attack did not affect the Python development community as a whole. This is because it only affects PyTorch-nightly users who installed the package on Linux between December 25th and December 30th. Users of stability packages are not affected.
Following the discovery of the malicious torchtriton package, the PyTorch development team issued a full disclosure, renamed the torchtriton package to “pytorch-torchtriton” and registered it as a dummy package in PyPI to prevent similar attacks in the future. Any nightly package using the older name has been removed for now and the team has also reached out to PyPI to take ownership of the “torchtriton” name and delete the malicious version.
An investigation by PyTorch determined that the torchtriton malicious package sent system data from a user’s computer to a final domain, as described below:
Get information about the system
- Nameservers from /etc/resolv.conf
- hostname from gethostname()
- current username from getlogin()
- The name of the current working directory from getcwd()
- Environment Variables
Read the following files
- The first 1,000 files in $HOME/*
- Upload all this information, including the file contents, using encrypted DNS queries to the *.h4ck domain[.]cfd, using the wheezy DNS server[.]io
In a statement to Bleeping Computer, the owners of the torchtriton malicious package and the domain to which user data was sent defended their actions as ethical research. They emphasized that:
Hi, I’m the one who claimed torchtriton package on PyPi. Note that this is not meant to be malicious!
I realize I could have done a better job of not sending all the user data. The reason I sent more metadata is that in the past when investigating dependency confusion issues, in many cases the victims could not be identified by their hostname, username, and CWD. That’s why this time I decided to send more data, but in hindsight it was a wrong decision and I should have been more careful.
I accept the blame for that and apologize. At the same time I want to assure that it was not my intention to steal anyone’s secrets. I reported this vulnerability to Facebook as early as December 29th (almost three days before the announcement) after verifying that the vulnerability did exist. I have also reported to other companies affected by their HackerOne programs. If my intentions were malicious, I would never fill out bug bounty reports, and would simply sell the data to the highest bidder.
I apologize again for causing the disturbances, I promise that all the data I received has been deleted.
By the way, in my bug report to Facebook I already offered to transfer the PyPi package to them, but so far I have not received any answers from them.
Developers who installed PyTorch Nightly between December 25th and December 30th last year should double check their systems and run the following commands using pip:
$ pip3 uninstall -y torch torchvision torchaudio torchtriton
$ pip3 cache purge
Similarly, it is also recommended to switch to the PyTorch stable for now or update to a nightly package released after December 30th.