PyTorch discloses malicious dependency chain compromise over holidays

PyTorch has identified a malicious dependency with the same name as the framework’s ‘torchtriton’ library. The compromise was carried out through the dependency confusion attack vector.

PyTorch administrators are warning those who installed PyTorch nightly during the holiday season to uninstall it and remove the fake ‘torchtriton’ dependency.

The open-source machine learning platform PyTorch, which covers everything from computer vision to natural speech processing, has been a hit in academic and commercial circles.

PyTorch-nightly users targeted by malicious library

PyTorch’s team warned that users who installed PyTorch-nightly between December 25th and December 30th, 2022 should make sure their systems are not compromised.

The warning follows the discovery, over the holidays, of a malicious dependency on the Python Package Index (PyPI), a third-party software repository.

PyTorch advises that you uninstall it and torchtriton immediately, and use the most recent nightly binaries (e.g., newer than Dec 30th 2022).

Malicious PyTorch dependency ‘torchtriton’ on PyPI


The malicious “torchtriton” dependency on PyPI has the same name as the official library that is available in the PyTorch nightly repo. PyPI takes priority when fetching Python dependencies, so the malicious package is pulled onto your machine instead of PyTorch’s original one.

This malicious package was installed because the . In a , the PyTorch team explains that this design allows someone to register a package with the same name and Pip will automatically install it.

BleepingComputer noticed that the malicious “torchtriton” dependency had 2,300 downloads over the previous week.

This kind of attack on supply chains is called “dependency confusion” and was first reported in 2021 by BleepingComputer. The attack vector was also popularized by .

PyTorch states that users of the PyTorch stable packages are not affected by the issue.

Hacker takes sensitive files and claims to be doing ethical research

The malicious “torchtriton” not only surveys your system to find basic fingerprinting information (like IP address and current working directory), but it also steals sensitive data.

  • System information
    • Nameservers from /etc/resolv.conf
    • hostname()
    • Current username from getlogin()
    • Current working directory name from getcwd()
    • Environment variables
  • Reads the following files
    • /etc/hosts
    • /etc/passwd
    • First 1,000 files from $HOME/*
    • $HOME/.gitconfig
    • $HOME/.ssh/*

The file content is then uploaded to the domain via encrypted DNS queries through the DNS service.
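
For triage on a host that installed the package, the added example below (not code from PyTorch or BleepingComputer) inventories the $HOME/.ssh/* and $HOME/.gitconfig paths listed above, so you know which SSH keys and embedded Git credentials to rotate. The function names and report keys are assumptions of this example.

```python
import pathlib
import re

# "user:secret@" embedded in a URL, as sometimes stored in Git config.
_URL_CRED = re.compile(rb"://[^/\s:@]+:[^/\s@]+@")


def is_private_key(path):
    """True if the first 4 KiB hold a PEM/OpenSSH private-key header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return False
    return b"-----BEGIN" in head and b"PRIVATE KEY-----" in head


def exposure_inventory(home):
    """Inventory $HOME/.ssh/* and $HOME/.gitconfig under `home`.

    Keys of the returned dict (names chosen for this example):
      rotate_ssh_keys           - private keys in .ssh; treat as stolen
      other_ssh_files           - config, known_hosts, public keys, ...
      gitconfig_has_credentials - .gitconfig contains a URL with a secret
    """
    home = pathlib.Path(home)
    report = {"rotate_ssh_keys": [], "other_ssh_files": [],
              "gitconfig_has_credentials": False}
    ssh_dir = home / ".ssh"
    if ssh_dir.is_dir():
        for entry in sorted(ssh_dir.iterdir()):
            if not entry.is_file():
                continue
            bucket = "rotate_ssh_keys" if is_private_key(entry) else "other_ssh_files"
            report[bucket].append(entry.name)
    gitconfig = home / ".gitconfig"
    if gitconfig.is_file():
        try:
            data = gitconfig.read_bytes()
        except OSError:
            data = b""
        report["gitconfig_has_credentials"] = bool(_URL_CRED.search(data))
    return report


if __name__ == "__main__":
    print(exposure_inventory(pathlib.Path.home()))
```

The other items in the list (environment variables and the first 1,000 files from $HOME/*) are not covered here and need their own review.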

PyTorch explained that the malicious ‘triton’ binary in the fake ‘torchtriton’ is only executed when the user imports the ‘triton’ package into their build. Doing so requires explicit code and is not PyTorch’s default behavior.

The notice claims that the entire operation is ethical research. However, the analysis strongly suggests otherwise.

“If you found this message in your logs, it is most likely that your Python configuration was not correct and made your system vulnerable to dependency confusion attacks. The script will send me the metadata (hostname, current directory and working directory) about each host to help identify vulnerable companies. Once I have identified the vulnerable company and reported it, all metadata regarding your server will be removed.”

Contrary to what the notice says, the binary collects more than “metadata”: it also steals secrets such as your SSH keys, your gitconfig and hosts files, and the contents of the first 1,000 files in your HOME directory.

BleepingComputer has obtained a copy of the malicious binary, and it shows a good reputation as of this writing. Don’t let this fool you.

We found that ‘torchtriton’, unlike other PoC exploits and research packages, uses known anti-VM techniques in order to evade detection. The malicious payload is contained in binary format (i.e. Linux ELF files), which makes the library stand out when compared to the ethical dependency confusion exploits that were previously shipped as plaintext.

We also noticed that the sample reads .bash_history, a list of commands and inputs entered by the user into the terminal. This is another characteristic of .

This is not the first time a hacker has claimed to be doing ethical research.

Mid-2022 saw the hijacking of popular Python and PHP libraries and . Later it was claimed to be ethical research.

We have reached out to the domain’s owner for clarification. The domain name was registered by Namecheap just days before this incident, according to public records.


PyTorch renames dependency to prevent further attacks

To prevent similar attacks, the PyTorch team has renamed the ‘torchtriton’ dependency to ‘pytorch-triton’ and reserved a dummy package on PyPI. To defuse the attack, the team also wants to take over the existing ‘torchtriton’ package on PyPI.


Use the following commands to remove the malicious dependency chain:

$ pip3 uninstall -y torch torchvision torchaudio torchtriton
$ pip3 cache purge

The following command checks for the presence of the malicious binary and tells you whether you are affected.

python3 -c "import pathlib;import importlib.util;s=importlib.util.find_spec('triton'); affected=any(x.name == 'triton' for x in (pathlib.Path(s.submodule_search_locations[0] if s is not None else '/' ) / 'runtime').glob('*')); print('You are {}affected'.format('' if affected else 'not '))"

The SHA256 hash of the ‘triton’ ELF binary is: 2385b29489cd9e35f92c072780f903ae2e517ed422eae67246ae50a5cc738a0e.
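
The check above only looks for a file named ‘triton’; the added example below (not code from PyTorch or BleepingComputer) also hashes that file and compares it with the SHA256 given above. The function names and status labels are assumptions of this example.

```python
import hashlib
import importlib.util
import pathlib

# SHA256 of the malicious 'triton' ELF binary, as given in this article.
KNOWN_BAD_SHA256 = "2385b29489cd9e35f92c072780f903ae2e517ed422eae67246ae50a5cc738a0e"


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large binary is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_triton(package_dir, known_bad=KNOWN_BAD_SHA256):
    """Return (status, path, sha256) for an installed 'triton' package dir.

    status is one of this example's own labels: 'not-present',
    'known-malicious' or 'suspicious'.
    """
    candidate = pathlib.Path(package_dir) / "runtime" / "triton"
    if not candidate.is_file():
        return ("not-present", None, None)
    digest = sha256_of(candidate)
    if digest == known_bad.lower():
        return ("known-malicious", str(candidate), digest)
    # Same file name the one-liner looks for, but a different hash: still
    # treat the host as affected and keep the file for analysis.
    return ("suspicious", str(candidate), digest)


def locate_triton():
    """Find the package directory without importing (and so running) it."""
    spec = importlib.util.find_spec("triton")
    if spec is None or not spec.submodule_search_locations:
        return None
    return spec.submodule_search_locations[0]


if __name__ == "__main__":
    root = locate_triton()
    if root is None:
        print("triton is not installed")
    else:
        print(*check_triton(root))
```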