During the holiday season, it’s easy for anyone to abandon cyber hygiene or miss signs of cyberattacks. Recently, threat actors compromised a PyPI code repository, leading to malicious PyTorch dependency.
Pwned PyTorch on Linux
Hackers created a Python package called torchtriton on PyPI, which is identical to the name of a package in the PyTorch system itself.
- The package contains the Triton malware executable that specifically targets 64-bit Linux environments.
- The malware steals sensitive data, including system information such as hostname, username, local Git configuration, SSH keys, and the first 1,000 other files in the home directory smaller than 100 KB in size.
- Rather than exfiltrating the data, the malware compresses, scrambles, and text-encodes it into a sequence of what looks like server names belonging to a domain name (h4ck[.]cfd) controlled by the criminals.
- The servers leak access keys under the guise of a simple lookup that is directed to the official DNS server wheezy[.]io.
Worth noting
- Anyone who installed PyTorch-nightly on Linux via pip between December 25, 2022, and December 30, 2022, certainly ended up with data-stealing malware on their computer systems. PyTorch stable version users are not affected by this attack.
- It has been observed that the malicious package was already downloaded more than 2,300 times within the past week.
- Experts believe this malicious version would only run on Windows computers if the Windows Subsystem for Linux (WSL) was installed.
Mitigations
PyTorch has removed torchtriton as a dependency for its nightly packages and replaced it with an empty package of the same name. PyTorch has published a list of IoCs that developers or enthusiasts can search for across their network. Users are suggested to stick to the stable version.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/12ec_shutterstock_687323650.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/9185_shutterstock_1339090742.jpeg)
