Python developers are being warned to check that they haven’t installed a malicious package and, if they have, to remove it immediately. Known as “torchtriton”, it is delivered through the Python Package Index (PyPi) and shares a name with a genuine package operated by the PyTorch Foundation.

PyPi vulnerability: Developers warned about rogue package
When installing via pip, packages registered with the Python Package Index take precedence over those on other indices. (Photo by Trismegist san/Shutterstock)

It is likely that only a small group of users unintentionally installed the malicious code, due to a quirk in the way Python packages are handled and distributed; those accustomed to installing the latest preview builds of libraries were most at risk.

The malicious version of the package was able to send system data from a computer to a remote domain, including nameservers, hostname, current username, current working directory and environment variables. It was also able to read the hosts and password files, the first 1,000 files in the home directory and configuration details.

It was then able to upload all of the information, including the contents of files, through an encrypted DNS query to a specific host server. In a statement to Bleeping Computer, the person behind the malicious package claimed it was “not intended to be malicious” and instead used for research. The developer claims to have reported the bug to Meta, which created the PyTorch framework, on December 29, as well as to other companies affected by the vulnerability. They say they offered to hand over control of the package but have not had any replies.

“I understand that I could have done a better job to not send all of the user’s data,” the hacker wrote in an email, explaining that when investigating these types of issues previously it hadn’t been possible to identify the victims by their hostname, username and CWD, so they had it send more data this time. “Looking back this was the wrong decision and I should have been more careful.”

The hacker says they are behind the h4ck.cfd website where the data is being uploaded. A message on the site reads: “If you stumbled on this in your logs, then this is likely because your Python was misconfigured and was vulnerable to a dependency confusion attack.”

The “research” note goes on to say that the hacker will delete all of the metadata about the compromised servers once companies and individuals have been identified and they have been able to report the findings. It isn’t clear if this actually happened.

PyPi vulnerability: dummy package logged

Open-source machine learning framework PyTorch, developed by Meta and now part of the Linux Foundation, depends on a package called “torchtriton”, a language and compiler for custom deep-learning operations, which it hosts on its own PyTorch nightly package index.

Installing it from that index is safe, but over the Christmas break a package with the same name, containing malicious code, was uploaded to the Python Package Index (PyPi). That is where the problem arises: many developers install libraries using the “pip” command, which defaults to files hosted on PyPi.
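To make the index behaviour concrete, here is a small model of pip's candidate selection, written for this article and not taken from it or from the PyTorch project. It assumes, as the article describes, that every configured index is searched and the highest version wins regardless of where it lives, and that the look-alike on PyPi carries the higher version number; the index URL, versions and hashes are constructed, and the hash check is only a loose stand-in for pip's `--require-hashes` mode.

```python
"""Toy model of pip's index handling behind the torchtriton incident (added example,
not code from the article or PyTorch). Index URLs, versions and hashes are constructed."""
from typing import List, Optional, Set, Tuple

PYPI = "https://pypi.org/simple"
NIGHTLY = "https://nightly.example/simple"  # constructed stand-in for the PyTorch nightly index

# What each index advertises: (name, version, index, hash of the artifact).
# The look-alike on PyPI is assumed to carry the higher version number.
CANDIDATES: List[Tuple[str, str, str, str]] = [
    ("torchtriton", "2.0.0", NIGHTLY, "sha256:genuine-nightly-wheel"),
    ("torchtriton", "3.0.0", PYPI, "sha256:rogue-pypi-wheel"),
    ("numpy", "1.24.0", PYPI, "sha256:numpy-wheel"),
]


def _version_key(version: str) -> Tuple[int, ...]:
    """Order plain dotted versions numerically (a stand-in for PEP 440 ordering)."""
    return tuple(int(part) for part in version.split("."))


def resolve(name: str, indexes: List[str],
            allowed_hashes: Optional[Set[str]] = None) -> Optional[Tuple[str, str]]:
    """Pick the release pip would install.

    Every configured index (--index-url plus each --extra-index-url) is searched and
    the highest version wins; the index that served it is not a tie-breaker, so a
    same-named upload on PyPI captures the install. allowed_hashes loosely models
    hash pinning: a candidate whose artifact hash is not pinned is rejected.
    Returns (version, index), or None when nothing acceptable is found.
    """
    pool = [c for c in CANDIDATES if c[0] == name and c[2] in indexes]
    if allowed_hashes is not None:
        pool = [c for c in pool if c[3] in allowed_hashes]
    if not pool:
        return None
    _, version, index, _ = max(pool, key=lambda c: _version_key(c[1]))
    return version, index


if __name__ == "__main__":
    # Weak setting: the nightly index added as an extra index next to the PyPI default.
    print(resolve("torchtriton", [PYPI, NIGHTLY]))  # ('3.0.0', PYPI)
    # Mitigation 1: install nightly builds from their own index only.
    print(resolve("torchtriton", [NIGHTLY]))  # ('2.0.0', NIGHTLY)
    # Mitigation 2: pin the expected artifact hash; the PyPI copy is rejected.
    print(resolve("torchtriton", [PYPI, NIGHTLY], {"sha256:genuine-nightly-wheel"}))
```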

The issue was quickly spotted by the PyTorch Foundation which has since renamed its own dependency to “pytorch-torchtriton”, registered it as a dummy package on PyPi to prevent similar attacks and asked PyPi to hand ownership of “torchtriton” to it and delete the malicious version.

Developers should run a pip3 uninstall command on “torch torchvision torchaudio torchtriton”, then purge the cache, switch to PyTorch stable and reinstall torchtriton. PyTorch says it has also removed all nightly packages that depend on torchtriton, not just torchtriton itself, until they can be verified.

Tzachi Zorn, Head of SCS at Checkmarx, wrote in a Medium blog post that PyTorch had effectively been “poisoned with a malicious dependency” for about five days. The package specifically targeted developers using Linux systems and contained an executable written in C++.

This “dependency confusion” technique was first revealed in 2021 and has since been used multiple times against different package registries, including PyPi and NPM, explained Zorn.

“Despite any messages or disclaimers that may have been included, it is clear that the package in question is malicious,” he said. “This is not acceptable behaviour for a security researcher and simply claiming to be a security researcher does not give someone permission to engage in malicious activity.”
