Wiz

Malicious PyTorch dependency 'torchtriton' on PyPI: everything you need to know

The developers of PyTorch (a popular machine-learning framework) recently identified a malicious dependency confusion attack on the open-source project. Security teams are advised to check for infected resources and rotate any exposed keys.

3 minutes read
Merav Bar

A package called torchtriton was uploaded to the Python Package Index (PyPI) code repository, with the same name as the package shipped on the PyTorch nightly package index. Due to the way pip (a package-management system for Python) handles package installation, the malicious version was being installed by default, instead of the legitimate version from the official repository. This means that anyone who downloaded the nightly build between December 25, 2022 and December 30, 2022 infected their machine. Security teams are advised to look for contaminated resources and rotate any discovered keys. 

The creator of the copied package has stated they had no malicious intent and have since deleted all the collected data. Given this claim has not been verified, it is still highly recommended to uninstall the package if the nightly build was installed during the relevant period and revoke any secrets that were stored on impacted resources. 

The malicious version of torchtriton was ultimately removed from PyPi and replaced with a placeholder package named pytorch-triton

What is the malicious “torchtriton” dependency? 

Dependency confusion is a technique used to exploit the software supply chain by injecting unwanted and potentially malicious code via vulnerable package managers and code repositories. 

Open-source projects can be susceptible to dependency confusion attacks as a result of misconfigurations, particularly if they list their own internal versions of packages as dependencies but don't claim dummy versions or namespaces on public repositories. For example, two npm packages that were previously used by AWS and later delisted were reclaimed by attackers and replaced with fake versions that injected malicious code to exfiltrate user information. 

In this case, a package called torchtriton was uploaded to the PyPi repository with the exact same name as a package shipped on the PyTorch nightly package index. The attacker took advantage of pip’s behavior, which prioritizes packages listed on PyPi over other available versions when using the extra-index-url argument. 

The package was downloaded over 3,000 times before it was taken down, whereas the main PyTorch package torch that lacks the malicious code was downloaded approximately 1.5 million times during the same period. 

The torchtriton package that was uploaded to the PyPI repository differs from the legitimate version in that it contains a malicious binary called triton that was installed in the path PYTHON_SITE_PACKAGES/triton/runtime/triton

The malicious binary appears to be designed to collect information from target systems, including the following: 

  • nameservers from /etc/resolv.conf 

  • hostname from gethostname()

  • current username from getlogin()

  • current working directory name from getcwd()

  • environment variables 

Additionally, it copies information from the following files: 

  • /etc/hosts

  • /etc/passwd

  • The first 1,000 files in $HOME/*

  • $HOME/.gitconfig

  • $HOME/.ssh/

The malware then uploads all this information, including file contents, via DNS tunneling to the domain .h4ck[.]cfd using the DNS server wheezy[.]io

Indicators of compromise: 

  • SHA256 hash of the malicious package - 2385b29489cd9e35f92c072780f903ae2e517ed422eae67246ae50a5cc738a0e

  • SHA1 hash of the malicious package - 
    9c89731a94dd4f2a594a22c1b171cb6c20f55e41

Which products are affected? 

PyTorch-nightly on Linux installed via pip between December 25, 2022 and December 30, 2022. 

Users of the PyTorch stable packages are not affected by this issue. 

Which actions should security teams take? 

The PyTorch developers have recommended using the following command to check whether the malicious binary has been included in the torchtriton package in your current Python environment: 

python3 -c "import pathlib;import importlib.util;s=importlib.util.find_spec('triton'); affected=any(x.name == 'triton' for x in (pathlib.Path(s.submodule_search_locations[0] if s is not None else '/' ) / 'runtime').glob('*'));print('You are {}affected'.format('' if affected else 'not '))

Note that the malicious binary is only executed when the triton package is imported, which requires explicit code and does not reflect PyTorch’s default behavior. 

If you suspect your environment is affected, you can run these commands to uninstall the package: 

$ pip3 uninstall -y torch torchvision torchaudio torchtriton  

$ pip3 cache purge 

Impacted organizations are advised to scan for secrets in any affected resources and rotate any discovered keys. 

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for infected instances in their environment. 

References 

PyTorch advisory 

Tags
#Research#Security

Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo