Developers who installed the nightly builds of PyTorch between December 25 and December 30, 2022, are recommended to uninstall it and purge their pip cache to get rid of a malicious package, say PyTorch maintainers. The new attack highlights a recent trend.
The supply chain attack originated from a malicious dependency that was pushed to PyPi with the same name as the one that is shipped with PyTorch nightly.
Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository. This design enables somebody to register a package by the same name as one that exists in a third party index, and pip will install their version by default.
The malicious package, named torchtriton, includes a binary that besides exfiltrating system information such as hostname, DNS configuration, user name, and shell environment, also uploads the content of /etc/hosts, /etc/passwords, ~/.gitconfig, ~/.ssh/*, and the first 1,000 files found in the user's home directory to an external server. Information is exfiltrated only when the user explicitly imports the triton package into their program, though, which reduces the attack's impact.
The scheme of this supply chain attack, known as dependency confusion, is not novel. In conversation with InfoQ, Endor Labs security researcher Henrik Plate explained the attack "is consistent with the type of next-gen attacks we’ve seen over the past two years", where attackers focus on manipulating maintainers and users instead of trying to exploit vulnerabilities.
After the official disclosure, the alleged maintainer of torchtriton claimed on their website that the package was not intended to be malicious, Ax Sharma first reported on Twitter. Analyzing the attack for Bleeping Computer, though, Sharma also unveiled that torchtriton uses anti-VM techniques as well as obfuscation to evade detection.
This won't be the first time either when a hacker claims that their actions constitute ethical research, just as they are caught exfiltrating secrets.
According to Plate, dependency confusion attacks can be addressed using private repositories to both host internal packages and mirror external packages. One such solution for the Python ecosystem is devpi, but it is not trivial.
Typically, such solutions allow more control about dependency resolution and package download processes. However, their setup and operation requires non-negligible effort, and they are only effective if local developer clients are properly configured.
PyTorch maintainers immediately took action to remove torchtriton as a dependency and replace it with pytorch-triton along with a dummy package registered on PyPi to ensure the attach doesn't repeat.