PyTorch Poisoned in Software Supply Chain Attack
If you downloaded PyTorch-nightly on Linux via pip between Dec. 25, 2022, and Dec. 30, 2022, you’ve got trouble.
Someone, we still don’t know who, uploaded a poisoned Python Package Index (PyPI) dependency that hid under the real dependency name, torchtriton. Once in place, the fake torchtriton 3.0.0 would run a malicious binary.
Once in place, this would grab the following system information:
- nameservers from /etc/resolv.conf
- hostname from gethostname()
- current username from getlogin()
- current working directory name from getcwd()
- environment variables
- Read the following files
- The first 1,000 files in $HOME/*
- Upload all of this information, including file contents, via encrypted DNS queries to the domain *.h4ck[.]cfd, using the DNS server wheezy[.]io.
Just What You Need After the Holidays, Right?
The good news is that this supply chain attack only hit the nightly builds. If you weren’t using these, you’d be safe.
You might wonder how this could happen since the malicious code wasn’t copied over the good version. The PyTorch Team explained, “Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository. This design enables somebody to register a package by the same name as one that exists in a third-party index, and pip will install their version by default.”
Still, the good news is that it was “only” the nightly. The bad news is PyTorch is very popular with cutting-edge, machine-learning developers. So, the malware version of torchtriton ended up being downloaded 2,386 times. That’s a lot of fouled-up developer machines.
So, what do you do now?
First, check to see if you have a case with the following command:
python3 -c "import pathlib;import importlib.util;s=importlib.util.find_spec('triton'); affected=any(x.name ==
If you dump the bad file as soon as possible. You do that by uninstalling it and replacing it with a nightly binary dated December 31st, 2022, or later with the command:
$ pip3 uninstall -y torch torchvision torchaudio torchtriton
$ pip3 cache purge
This attack was easier than you might think. As Henrik Plate, an Endor Labs security researcher, observed, “Dependency confusion attacks were among the most prominently used attack vectors in 2022, most of which target company-internal packages hosted on private binary repositories (rather than open source packages as in the case of PyTorch). That’s because it’s relatively cheap to craft (and automate) such attacks because attackers don’t need to interfere with any resources of an existing, legitimate project. Instead, they can reserve the name of a legitimate package in a public package repository such as PyPI or npm.”
So, once more, with feeling, adopt a security scanner rather than just trusting that the freshest code is safe. There are a lot of hackers out there ready and waiting to insert bad code into your programs and onto your machines.