TNS
VOXPOP
How has the recent turmoil within the OpenAI offices changed your plans to use GPT in a business process or product in 2024?
Increased uncertainty means we are more likely to evaluate alternative AI chatbots and LLMs.
0%
No change in plans, though we will keep an eye on the situation.
0%
With Sam Altman back in charge, we are more likely to go all-in with GPT and LLMs.
0%
What recent turmoil?
0%
Security

PyTorch Poisoned in Software Supply Chain Attack

If you downloaded PyTorch-nightly on Linux via pip between Dec. 25, 2022, and Dec. 30, 2022, you've got trouble.
Jan 9th, 2023 4:00am by
Featued image for: PyTorch Poisoned in Software Supply Chain Attack

If you downloaded PyTorch-nightly on Linux via pip between Dec. 25, 2022, and Dec. 30, 2022, you’ve got trouble.

Someone, we still don’t know who, uploaded a poisoned Python Package Index (PyPI) dependency that hid under the real dependency name, torchtriton. Once in place, the fake torchtriton 3.0.0 would run a malicious binary.

Once in place, this would grab the following system information:

  • nameservers from /etc/resolv.conf
  • hostname from gethostname()
  • current username from getlogin()
  • current working directory name from getcwd()
  • environment variables
  • Read the following files
    • /etc/hosts
    • /etc/passwd
    • The first 1,000 files in $HOME/*
    • $HOME/.gitconfig
    • $HOME/.ssh/*
  • Upload all of this information, including file contents, via encrypted DNS queries to the domain *.h4ck[.]cfd, using the DNS server wheezy[.]io.

Just What You Need After the Holidays, Right?

The good news is that this supply chain attack only hit the nightly builds. If you weren’t using these, you’d be safe.

You might wonder how this could happen since the malicious code wasn’t copied over the good version. The PyTorch Team explained, “Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository. This design enables somebody to register a package by the same name as one that exists in a third-party index, and pip will install their version by default.”

Whoops

Still, the good news is that it was “only” the nightly. The bad news is PyTorch is very popular with cutting-edge, machine-learning developers. So, the malware version of torchtriton ended up being downloaded 2,386 times. That’s a lot of fouled-up developer machines.

So, what do you do now?

First, check to see if you have a case with the following command:


If you dump the bad file as soon as possible. You do that by uninstalling it and replacing it with a nightly binary dated December 31st, 2022, or later with the command:


This attack was easier than you might think. As Henrik Plate, an Endor Labs security researcher, observed, “Dependency confusion attacks were among the most prominently used attack vectors in 2022, most of which target company-internal packages hosted on private binary repositories (rather than open source packages as in the case of PyTorch). That’s because it’s relatively cheap to craft (and automate) such attacks because attackers don’t need to interfere with any resources of an existing, legitimate project. Instead, they can reserve the name of a legitimate package in a public package repository such as PyPI or npm.”

So, once more, with feeling, adopt a security scanner rather than just trusting that the freshest code is safe. There are a lot of hackers out there ready and waiting to insert bad code into your programs and onto your machines.

Based on Python, Pytorch is a popular open source machine learning framework, with support for a wide variety of mathematical operations and deep learning operations.

Group Created with Sketch.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.