Malware Extension in PyPI Downloaded Over 2,300 Times
But should you lose sleep over it?
PyTorch developers and researchers have identified a malware extension in the Python Package Index (PyPI) code repository, which was downloaded over 2,300 times. Researchers have warned of a dependency confusion attack for those who downloaded the framework over the holidays.
Initially developed by Meta Platforms (then Facebook), PyTorch, now managed by the Linux Foundation under PyTorch Foundation, was compromised, leading to fears of supply-chain attacks.
Users who downloaded and installed PyTorch-nightly between December 25th and December 30th, 2022, need to uninstall the framework and the torchtriton library immediately. The latest supply chain security issue came to light just before New Year’s Eve 2023.
If you installed PyTorch-nightly on Linux between Dec. 25 and Dec. 30, uninstall it and torchtriton immediately and use the latest nightly binaries.
Read the security advisory here: https://t.co/jnCSGXJRY0 pic.twitter.com/dRdbnKMPBT
— PyTorch (@PyTorch) December 31, 2022
According to PyTorch maintainers, the codebase of the open-source Python-based machine learning framework remains unimpacted. However, a malicious extension named torchtriton made its way into PyPI, the third-party extension hosting service of PyTorch.
The malicious package bears the same name as the legitimate torchtriton library. “Since the PyPI index takes precedence [in the Python ecosystem], this malicious package was being installed instead of the version from our official repository. This design enables somebody to register a package by the same name as one that exists in a third-party index, and pip will install their version by default,” PyTorch explained.
“The malicious binary is executed when the triton package is imported, which requires explicit code to do and is not PyTorch’s default behavior.” This neat little trick enabled threat actors to spread the package to thousands (as discovered by BleepingComputer) in the week after Christmas and before the New Year.
“At this point, we’ll mention the good news: only those who fetched the so-called ‘nightly,’ or experimental, version of the software were at risk. (The name ‘nightly’ comes from the fact that it’s the very latest build, typically created automatically at the end of each working day.),” explained Sophos’ principal research scientist Paul Ducklin.
“Most PyTorch users will probably stick to the so-called ‘stable’ version, which was not affected by this attack.”
The threat from the malicious package includes the ability to access and read the following files:
- /etc/hosts
- /etc/passwd
- The first 1,000 files in $HOME/*
- $HOME/.gitconfig (local Git configuration)
- $HOME/.ssh/* (SSH keys)
It can also spy on the target’s IP address and username, and get system information including:
- nameservers from /etc/resolv.conf
- hostname from gethostname()
- current username from getlogin()
- current working directory name from getcwd()
- environment variables
Once accessed, the package enables a threat actor to upload this information to the domain *.h4ck[.]cfd, using the DNS server wheezy[.]io via encrypted DNS queries.
However, a notice on h4ck.cfd claims all of this was ethical research. It reads:
“Hello, if you stumbled on this in your logs, then this is likely because your Python was misconfigured and was vulnerable to a dependency confusion attack. To identify companies that are vulnerable the script sends the metadata about the host (such as its hostname and current working directory) to me. After I’ve identified who is vulnerable and reported the finding all of the metadata about your server will be deleted.”
In their response to BleepingComputer, the h4ck.cfd domain owner apologized and accepted the blame for any disruptions, and said all data they received was deleted.
Nevertheless, there is a simple mitigation measure to stay safe from the malicious dependency: uninstall torchtriton using the following commands and update the framework to the latest release, i.e., one released after December 30, 2022.
$ pip3 uninstall -y torch torchvision torchaudio torchtriton
$ pip3 cache purge
Additionally, PyTorch has renamed the torchtriton dependency and replaced it with pytorch-triton and has also created a dummy package of the same name on PyPI.
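The index behaviour PyTorch describes above, where a same-named package on PyPI is installed instead of the one from a third-party index, can be audited for in a project's own requirements files. The Python code below is an added example, not code from PyTorch or from this article: it reports any second index added with pip's --extra-index-url option, lists requirements that carry no --hash pin, and checks whether torchtriton is named or installed. The sample requirements text, its example.invalid URL and the all-zero hash are constructed for illustration.

```python
import re
from importlib import metadata

FLAGGED = {"torchtriton"}  # package name taken from the article

SAMPLE_REQUIREMENTS = """\
# constructed sample, not from the article
--extra-index-url https://download.example.invalid/whl/nightly/cpu
torch
torchtriton
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

def normalize(name):
    # PEP 503 normalisation, so spelling variants of one name compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(text):
    """Return findings for one requirements file passed in as a string."""
    findings = {"extra_indexes": [], "unhashed": [], "flagged": []}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("#"):
            continue
        m = re.match(r"--extra-index-url[=\s]+(\S+)", line)
        if m:  # a second index: names can now resolve from either source
            findings["extra_indexes"].append(m.group(1))
            continue
        if line.startswith("-"):
            continue  # other pip options are out of scope for this check
        name = normalize(re.split(r"[\s=<>!~;\[@]", line, maxsplit=1)[0])
        if "--hash=" not in line:  # no pin to a known artifact
            findings["unhashed"].append(name)
        if name in FLAGGED:
            findings["flagged"].append(name)
    return findings

def installed_flagged():
    """Return (name, version) for each FLAGGED package installed here."""
    found = []
    for name in sorted(FLAGGED):
        try:
            found.append((name, metadata.version(name)))
        except metadata.PackageNotFoundError:
            pass
    return found

if __name__ == "__main__":
    print(audit_requirements(SAMPLE_REQUIREMENTS), installed_flagged())
```

A file that reports both an extra index and unhashed names is the combination to review first, since an unpinned name can be satisfied by whichever index pip selects.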