PyTorch admins warn of malicious 'torchtriton' dependency

Ruined Christmas for thousands of devs

Package maintainers for open source framework PyTorch have said a malicious dependency imitating one of its own was available on a prominent code repository during the holiday season.

The dependency confusion attack included submitting a malicious version of the torchtriton dependency to the Python Package Index (PyPI), an online package repository for Python developers.

The malicious package shared a name with torchtriton but included code that would upload sensitive data from a victim's machine.

Similar to Keras, TensorFlow, and Jax, PyTorch is an open-source Python-based framework that developers can use for machine learning applications like computer vision and natural language processing. It's based on the Torch library and was created by Meta AI, although the Linux Foundation manages it today.

'At around 4:40pm GMT on December 30 (Friday), we learned about a malicious dependency package (torchtriton) that was uploaded to the Python Package Index (PyPI) code repository with the same package name as the one we ship on the PyTorch-nightly package index,' PyTorch admins said.

'Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository. This design enables somebody to register a package by the same name as one that exists in a third-party index, and pip will install their version by default.'

The tainted dependency looks for information that can be used to identify victims, such as usernames, IP addresses and current working directories. It can also obtain sensitive information like environment variables and current usernames, and read the following files:

• /etc/passwd
• /etc/hosts
• The first 1,000 files in $HOME/*
• $HOME/.ssh/*
• $HOME/.gitconfig

Once the data is collected, the malware uses encrypted DNS queries to exfiltrate the data and file contents to the *.h4ck[.]cfd domain.

According to statistics from 1st January more 2,300 developers had downloaded the malicious package in the previous week, potentially putting their projects and personal data at risk.

PyTorch's maintainers are urging users who installed PyTorch-nightly on Linux through pip between the 25th and 30th December to immediately uninstall both PyTorch-nightly and torchtriton. They should instead download the most recent nightly binaries released after 30th December.

PyTorch admins have removed torchtriton as a dependency for the nightly packages and replaced it with pytorch-triton. They have also registered a dummy package on PyPI to prevent similar attacks in future.

'This is not the real torchtriton package but uploaded here to discover dependency confusion vulnerabilities,' the PyPI page for torchtriton now reads.

"You can get the real torchtriton from https://download.pytorch[.]org/whl/nightly/torchtriton/."