PyTorch warns of malware spread via dependency confusion
The developers of the machine learning framework PyTorch are warning users that a malicious, counterfeit version of one of its dependencies has been put online. The package steals sensitive data from any system on which it is installed. It is said to have been downloaded 2,300 times.
The developers of the widely used open source machine learning framework write in a blog post that attackers uploaded a malicious package in the last week of the year. It concerns torchtriton, a dependency that is installed automatically with the nightly build of PyTorch for Linux. The developers are warning anyone who installed PyTorch-nightly via pip between December 25 and December 30 to uninstall it immediately. A new nightly build that no longer pulls in the malicious package has since been released.
During that period, attackers uploaded a malicious package named torchtriton to the Python Package Index (PyPI). The genuine torchtriton is served from PyTorch's own nightly package index, which pip consults in addition to PyPI. When a package with the same name exists on both, pip gives no preference to the project's index; in this case the copy on PyPI was the one that got installed. This is known as dependency confusion, although such attacks are relatively rare in practice.
In practice, this means that anyone who installed the PyTorch nightly build in that week got the malicious torchtriton instead of the authentic one. The malware was able to steal data from the compromised system, including the contents of /etc/passwd and any SSH keys, as well as information that allows the machine to be fingerprinted.
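The precedence problem described above, as an added illustration that is not code from PyTorch or pip: pip is modelled rather than called, and the index URLs, version numbers, wheel contents and hashes are constructed for the example. The model keeps pip's rule that candidates from every configured index are pooled and the highest version wins, whichever index served it, and then shows two ways the counterfeit is kept out: configuring only the project's index, or pinning the expected SHA256 of the wheel, the same kind of hash comparison used to check an installed binary against a published hash.

```python
"""Model of a dependency-confusion install and two checks that prevent it.

Added illustration; not code from PyTorch or pip. pip is modelled, not
called: with an index and an extra index configured, pip pools the
candidates from every index and installs the highest version, regardless
of which index served it. Listings, versions, wheel bytes and URLs below
are constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple          # e.g. (2, 0, 0); tuples compare like versions
    index: str              # index URL the candidate was found on
    sha256: str             # digest of the wheel that index would serve


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed wheel contents standing in for the real and the counterfeit package.
GENUINE_WHEEL = b"genuine torchtriton wheel (constructed)"
MALICIOUS_WHEEL = b"counterfeit torchtriton wheel (constructed)"

PRIVATE_INDEX = "https://example.invalid/whl/nightly"   # project's own index (assumed URL)
PUBLIC_INDEX = "https://pypi.org/simple"                # the public index

# Constructed listings: the genuine package exists only on the project's index;
# an attacker has published a same-named package with a higher version publicly.
INDEXES: Dict[str, List[Candidate]] = {
    PRIVATE_INDEX: [Candidate("torchtriton", (2, 0, 0), PRIVATE_INDEX, sha256_hex(GENUINE_WHEEL))],
    PUBLIC_INDEX: [Candidate("torchtriton", (3, 0, 0), PUBLIC_INDEX, sha256_hex(MALICIOUS_WHEEL))],
}


def resolve(name: str, indexes: Dict[str, List[Candidate]],
            allowed_hashes: Optional[set] = None) -> Optional[Candidate]:
    """Pick the candidate the modelled installer would install.

    Every configured index is searched and the candidates are pooled; the
    highest version wins. If allowed_hashes is given (the equivalent of a
    hash-pinned requirements file installed with --require-hashes), only
    candidates whose digest is on the list are eligible, so a same-named
    upload on another index can never be selected.
    """
    pool = [c for cands in indexes.values() for c in cands if c.name == name]
    if allowed_hashes is not None:
        pool = [c for c in pool if c.sha256 in allowed_hashes]
    return max(pool, key=lambda c: c.version, default=None)


def demo() -> dict:
    # 1. Public index plus the project's index as extra index: the counterfeit
    #    wins because its version is higher.
    confused = resolve("torchtriton", INDEXES)
    # 2. Only the project's index configured: nothing from PyPI is considered.
    private_only = resolve("torchtriton", {PRIVATE_INDEX: INDEXES[PRIVATE_INDEX]})
    # 3. Both indexes configured, but the genuine wheel's SHA256 is pinned.
    pinned = resolve("torchtriton", INDEXES, allowed_hashes={sha256_hex(GENUINE_WHEEL)})
    return {"confused": confused, "private_only": private_only, "pinned": pinned}


if __name__ == "__main__":
    for label, cand in demo().items():
        print(f"{label:12s} -> {cand.version} from {cand.index}")
```

The hash-pinned path is the stronger of the two defences: restricting pip to a single index stops this particular collision, but a pinned digest also catches a tampered or replaced file on the trusted index itself.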
The PyTorch developers have temporarily removed torchtriton as a dependency of the nightly package and are in contact with PyPI to have the malicious package taken down. They have also published the SHA256 hash of the malicious binary and described how users can check whether their systems are affected.