Python developers, uninstall this malicious package now.


If you’re a Python developer who’s used to installing the latest preview builds of libraries, you’ll want to take mitigation action immediately. PyTorch, an open-source machine learning framework originally developed by Meta and now under the Linux Foundation, has apparently become the target of a supply chain attack, potentially harming many users who installed the affected package.


Basically, PyTorch-nightly uses a dependency called “torchtriton”. While the library hosted on the PyTorch nightly package index is not malicious at all, a problematic package with the same name was uploaded to the Python Package Index (PyPI) repository over the holidays.

When Python developers install libraries, they usually use the “pip” command in the terminal. However, pip gives precedence to the PyPI repository, which meant that instead of installing torchtriton from the PyTorch index, malicious binaries were being installed from PyPI on user machines.

Fortunately though, the apparent dependency confusion attack has likely not affected the mainstream Python development community. This is because it only affects PyTorch-nightly users who installed the package on Linux between December 25th and December 30th. Users of stable packages are not affected.

After the discovery of the malicious torchtriton package, the PyTorch development team published a disclosure, renamed the torchtriton package to “pytorch-torchtriton”, and registered it as a dummy package on PyPI to prevent similar attacks in the future. Any nightly packages using the old name have been removed for now, and the team has also contacted PyPI to take ownership of the “torchtriton” name and delete the malicious version.

An investigation by PyTorch determined that the malicious torchtriton package collected system data from the user’s computer and sent it to a remote domain, as described below:

  • Get system information
    • Nameservers from /etc/resolv.conf
    • The hostname from gethostname()
    • Current username from getlogin()
    • The name of the current working directory from getcwd()
    • Environment variables
  • Read the following files
    • /etc/hosts
    • /etc/passwd
    • First 1,000 files in $HOME/*
    • $HOME/.gitconfig
    • $HOME/.ssh/*
  • Upload all this information, including the file contents, to the domain *.h4ck[.]cfd via encrypted DNS queries, using the DNS server wheezy[.]io

In a statement to Bleeping Computer, the owner of the malicious TorchTriton package and the domain to which the user data was being sent defended their actions as ethical research. He emphasized that:

Hey, I’m the one who claimed the torchtriton package on PyPi. Note that this was not intended maliciously!

I think I could have done a better job of not sending all the user data. The reason I send more metadata is that when investigating dependency confusion issues in the past, in many cases it was not possible to identify victims by their hostname, username, and CWD. This is why this time I decided to send more data, but looking back it was a bad decision and I should have been more careful.

I accept the blame and apologize. At the same time, I want to assure that my intention was not to steal anyone’s secrets. I reported the vulnerability to Facebook on December 29th (about three days before the announcement) after confirming that the vulnerability did indeed exist. I also made several reports to other companies that were affected by their HackerOne programs. If my intentions were malicious, I would never fill out the bug bounty reports, and just sell the data to the highest bidder.

Once again I apologize for any disruption, I can assure you that all data I received has been deleted.

By the way in my bug report on Facebook I already offered them to port the PyPi package, but so far I haven’t received any response from them.

Developers who installed PyTorch Nightly between December 25th and December 30th last year should double-check their systems and run the following commands via pip.

$ pip3 uninstall -y torch torchvision torchaudio torchtriton

$ pip3 cache purge

Likewise, it is also recommended to either switch to PyTorch stable for now or update to the nightly package released after December 30th.
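To support the "double-check their systems" step, the following added example (not code from PyTorch or from the original article) scans the interpreter's package directories for an installed torchtriton distribution and reports whether it was installed inside the affected window. The year 2022 and the use of the .dist-info directory's modification time as the install time are assumptions; a name match cannot tell which index the files came from, so treat any hit inside the window as suspect.

```python
import re
import sys
from datetime import datetime, timezone
from email.parser import Parser
from pathlib import Path

# Package name and dates come from the article; the year 2022 is an assumption.
SUSPECT_NAME = "torchtriton"
WINDOW = (datetime(2022, 12, 25, tzinfo=timezone.utc),
          datetime(2022, 12, 31, tzinfo=timezone.utc))  # end is exclusive


def normalize(name):
    """Normalize a distribution name the way PEP 503 does."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit(site_dirs, name=SUSPECT_NAME, window=WINDOW):
    """Return one finding per installed distribution called `name`."""
    findings = []
    for site in map(Path, site_dirs):
        if not site.is_dir():
            continue
        for info in sorted(site.glob("*.dist-info")):
            meta_file = info / "METADATA"
            if not meta_file.is_file():
                continue
            meta = Parser().parsestr(meta_file.read_text(errors="replace"))
            if normalize(meta.get("Name", "")) != normalize(name):
                continue
            # Heuristic: pip creates the .dist-info directory at install time.
            installed = datetime.fromtimestamp(info.stat().st_mtime, timezone.utc)
            findings.append({
                "path": str(info),
                "version": meta.get("Version", "unknown"),
                "installed_utc": installed,
                "in_window": window[0] <= installed < window[1],
            })
    return findings


if __name__ == "__main__":
    hits = audit(sys.path)
    for hit in hits:
        print(hit)
    sys.exit(1 if hits else 0)
```

Run it with the same interpreter (and virtual environment) that was used for the nightly install; a non-zero exit status means a torchtriton distribution is still present.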

Source: PyTorch via Bleeping Computer


