Malicious PyTorch Package Downloaded Thousands of Times

0
9

The developer behind a leading open source machine learning framework has warned that a malicious dependency mimicking one of its own was available on a leading code repository over the Christmas period.

The malicious package, “torchtriton,” had the same name as a legitimate PyTorch dependency, but featured code that uploaded sensitive data from a victim’s machine, PyTorch explained.

“At around 4:40pm GMT on December 30 (Friday), we learned about a malicious dependency package (torchtriton) that was uploaded to the Python Package Index (PyPI) code repository with the same package name as the one we ship on the PyTorch-nightly package index,” it said in a blog post.

“Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository. This design enables somebody to register a package by the same name as one that exists in a third-party index, and pip will install their version by default.”

PyTorch urged anyone who installed PyTorch-nightly on Linux via pip between December 25–30 2022 to uninstall both it and torchtriton immediately, and use the latest nightly binaries – from after December 30.

Statistics from January 1 revealed that over 2300 developers had downloaded the malicious package over the previous week, potentially putting their projects at risk.

Endor Labs security researcher, Henrik Plate, argued that attackers are increasingly gravitating away from exploiting CVEs and towards manipulating maintainers and users, with techniques that are harder to detect via traditional bug scanning.

“The technique used in the attack is similar to the well-known dependency confusion, and exploits setups where multiple package repositories are used for downloading project dependencies,” he explained.

“Depending on the resolution algorithm of the package manager, e.g., the order in which repositories are contacted, an attacker can make the package manager download his malicious package rather than the legitimate one.”

Source