PyTorch Identifies Malicious Dependency in its Nightly Build

PyTorch maintainers have discovered a malicious dependency affecting a nightly build version of the machine learning (ML) framework.

Users who installed PyTorch-nightly Linux packages over the holidays via pip might have inadvertently installed a compromised dependency that ran a malicious binary.

The rogue component, torchtriton, is a legitimate library used by the open-source ML framework that was uploaded as part of a dependency confusion attack.

Perpetrators uploaded a malicious version of torchtriton on the Python Package Index (PyPI) code repository using the same package name as the official PyTorch nightly package index.

“Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository,” reads PyTorch’s announcement. “This design enables somebody to register a package by the same name as one that exists in a third party index, and pip will install their version by default.”

The malware-laced torchtriton dependency scouts for basic fingerprinting info, including usernames, IP addresses and the current working directory. It can also retrieve sensitive data such as current usernames and environment variables, and read the following files:

• /etc/hosts
• /etc/passwd
• The first 1,000 files in $HOME/*
• $HOME/.gitconfig
• $HOME/.ssh/*

Once the recon work is done, the malware exfiltrates harvested data and file contents to “*.h4ck[.]cfd, using the DNS server wheezy[.]io” through encrypted DNS queries.

“If you installed PyTorch-nightly on Linux via pip between December 25, 2022 and December 30, 2022, please uninstall it and torchtriton immediately, and use the latest nightly binaries (newer than Dec 30th 2022),” warns PyTorch.

To mitigate the incident, torchtriton was removed as a PyTorch nightly dependency and replaced with pytorch-triton. The framework’s maintainers also temporarily removed all nightly packages that depend on torchtriton, took proper ownership of the PyPI torchtriton package and removed the malicious version.