PyTorch warns about malware spread via dependency confusion
The developers of machine learning framework PyTorch warn users that an infected, counterfeit library has been posted online. It would steal technical information from an infected system. The dependency would have been downloaded 2300 times.
Write the developers of the widely used open source machine learning framework in a blog post that an infected binary was uploaded by attackers in the last week of the year. It concerns the PyTorch library torchtriton, which is installed automatically with the nightly version for Linux. The developers warn anyone who downloaded PyTorch-nightly via pip between December 25 and December 30 to uninstall it immediately. A new binary has now been released that does not contain the infected library.
During that time, attackers uploaded an infected version of torchtriton to the Python Package Index. That PyPI always looks at the first package uploaded with a given name; if an attacker uploads an infected package, it will be included first in a pip download. This is also referred to as a dependency confusion, although such attacks are relatively rare.
In practice, this means that everyone who downloaded the PyTorch nightlybinary during the week in question did not get the authentic, but the infected torchtriton dependency installed. That malware could steal data from the infected system. This included information from /etc/passwd and possible ssh keys. Information is also stolen with which devices can be fingerprinted.
The developers of PyTorch have temporarily removed torchtriton from the nightlypackage and are in contact with PyPI to remove the malware from the binary. They also shared a SHA256 hash and described a way to check if user systems are infected.