Malware Delivered to PyTorch Users in Supply Chain Attack

Last week’s nightly builds of the open source machine learning framework PyTorch were injected with malware following a supply chain attack.

Now part of the Linux Foundation umbrella, PyTorch is based on the Torch library and is used for applications in computer vision and natural language processing fields.

According to PyTorch’s maintainers, the attack was possible because the Python Package Index (PyPI) code repository of Torchtriton, one of PyTorch’s dependencies, was compromised and injected with malicious code.

The malicious binary, PyTorch says, was designed to be executed when the Triton package was imported. By default, PyTorch does not import the dependency and explicit code is required for this operation.

Once executed, the malicious code would upload sensitive information from the victim’s machine, targeting files of up to 99,999 bytes in size. It would upload the first 1,000 files in $HOME and all the files (of less than 99,999 bytes) in the .ssh directory.

The issue, the maintainers say, only impacts the nightly builds of PyTorch on Linux. Users of the PyTorch stable packages were not affected.

“If you installed PyTorch-nightly on Linux via pip between December 25, 2022 and December 30, 2022, please uninstall it and torchtriton immediately, and use the latest nightly binaries (newer than Dec 30th 2022),” PyTorch announced.

PyTorch explains that the nightly builds fetched Torchtriton from PyPI instead of using the version available via the official PyTorch repository, resulting in the malicious package being installed from the PyPI code repository.

“This design enables somebody to register a package by the same name as one that exists in a third party index, and pip will install their version by default,” PyTorch explains.

The PyTorch maintainers removed Torchtriton as a dependency and replaced it with Pytorch-Triton, and also created a dummy Pytorch-Triton package on PyPI to prevent similar attacks. They removed all nightly packages that depend on Torchtriton from their package indices.

PyTorch has shared details on how users can search for the malicious binary in the Torchtriton package and says they informed the PyPI security team of the incident.

Related: US Gov Issues Software Supply Chain Security Guidance for Customers

Related: Hundreds Infected With ‘Wasp’ Stealer in Ongoing Supply Chain Attack

Related: OpenSSF Adopts Microsoft-Built Supply Chain Security Framework