Pierluigi Paganini January 02, 2023

Threat actors compromised the PyTorch Machine Learning Framework by adding a malicious dependency.

The maintainers of the PyTorch package warn of a supply chain attack. Users who have installed PyTorch-nightly on Linux via pip between December 25, 2022 and December 30, 2022, to uninstall it and use the latest binaries.

“If you installed PyTorch-nightly on Linux via pip between December 25, 2022 and December 30, 2022, please uninstall it and torchtriton immediately, and use the latest nightly binaries (newer than Dec 30th 2022).” reads the advisory published by the maintainers of the framework. “PyTorch-nightly Linux packages installed via pip during that time installed a dependency, torchtriton, which was compromised on the Python Package Index (PyPI) code repository and ran a malicious binary. “

PyTorch is a machine learning framework based on the Torch library, used for applications such as computer vision and natural language processing, originally developed by Meta AI and now part of the Linux Foundation umbrella.

PyTorch, analogous to Keras and TensorFlow, is an open source Python-based machine learning framework that was originally developed by Meta Platforms.

The attack was discovered on December 30, at 4:40 p.m. GMT. Threat actors uploaded a malicious version of a legitimate dependency named torchtriton to the Python Package Index (PyPI) code repository.

According to the advisory, the supply chain attack directly affects dependencies for packages that are hosted on public package indices.

In order to determine if a Python environment is affected or not, the maintainers recommends to run the following command to searches for the malicious binary in the torchtriton package (PYTHON_SITE_PACKAGES/triton/runtime/triton):

python3 -c "import pathlib;import importlib.util;s=importlib.util.find_spec('triton'); affected=any(x.name == 

The advisory points out that the malicious binary is executed when the triton package is imported, which requires explicit code to do.

The malicious binary performs the following actions:

• Get system information;

• Reads the following files:
  • /etc/passwd
  • /etc/hosts
  • The first 1,000 files in $HOME/*
  • $HOME/.gitconfig
  • $HOME/.ssh/*

• Exfiltrate the collected data via encrypted DNS queries to the domain *.h4ck[.]cfd, using the DNS server wheezy[.]io

Is is a real supply chain attack?

BleepingComputer first reported that the individuals behind the domain h4ck[.]cfd claim to be researchers analyzing the Python environments vulnerable to “a dependency confusion attack”.

"Hello, if you stumbled on this in your logs, then this is likely because your Python was misconfigured and was vulnerable to a dependency confusion attack. To identify companies that are vulnerable the script sends the metadata about the host (such as its hostname and current working directory) to me. After I've identified who is vulnerable and repoterted the finding all of the metadata about your server will be deleted." reads a notice that was displayed on the domain.

The torchtriton has been removed as a dependency and replaced with pytorch-triton (pytorch/pytorch#91539) and a dummy package registered on PyPI.

“This is not the real torchtriton package but uploaded here to discover dependency confusion vulnerabilities,” stated the PyPI page for torchtriton, now removed. “You can get the real torchtriton from https://download.pytorch[.]org/whl/nightly/torchtriton/.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PyPI)

[adrotate banner=”5″]

[adrotate banner=”13″]