Popular machine learning platform suffers supply chain attack


The open-source machine learning framework PyTorch was spoofed by attackers over the holidays in an attempt to steal developer passwords and SSH keys (the access credentials used by the SSH protocol).

PyTorch is used by developers to “accelerate the path from research prototyping to production deployment.”

Over the holidays, it disclosed a supply chain attack.

“If you installed PyTorch-nightly on Linux via pip between December 25, 2022, and December 30, 2022, please uninstall it and torchtriton immediately. [...] PyTorch-nightly Linux packages installed via pip during that time installed a dependency, torchtriton, which was compromised on the Python Package Index (PyPI) code repository and ran a malicious binary. This is known as a supply chain attack and directly affects dependencies for packages hosted on public package indices.”

Henrik Plate, a security researcher at Endor Labs, a recently launched start-up focused on securing open-source software, explained that attackers “created a malicious open source dependency by the same name as the real one, tricking some developers into downloading the malicious one, which was laced with a payload that would allow them to steal passwords and SSH keys.”

He believes that attackers are shifting away from exploiting traditional vulnerabilities and instead focusing on manipulating maintainers and users.

“The technique used in the attack is similar to the well-known dependency confusion and exploits setups where multiple package repositories are used for downloading project dependencies. Depending on the resolution algorithm of the package manager, e.g., the order in which repositories are contacted, an attacker can make the package manager download his malicious package rather than the legitimate one,” he explained.
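As an added illustration (not code from the article, from Endor Labs or from the PyTorch project), the script below models the resolution behaviour Plate describes: a resolver that treats every configured index as equal and installs the highest version it finds, a check that flags names a public lookalike would win, and a pinned resolver that only accepts releases of project-served names from the trusted index. The index labels and all version numbers are constructed; only the package name torchtriton comes from the advisory.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # numeric version tuple, e.g. (2, 0, 0)
    index: str      # repository that offers this release


# Constructed sample: one trusted project index and the public index.
# Versions are invented; "torchtriton" is the name from the PyTorch advisory.
TRUSTED = "trusted-index"
PUBLIC = "public-index"
CANDIDATES = [
    Candidate("torchtriton", (1, 0, 0), TRUSTED),
    Candidate("torchtriton", (2, 0, 0), PUBLIC),  # lookalike, higher version
    Candidate("internal-utils", (0, 3, 1), TRUSTED),
    Candidate("requests", (2, 28, 1), PUBLIC),
]


def resolve_naive(name, candidates):
    """Assumed resolver behaviour: all indexes are equal, highest version wins."""
    matches = [c for c in candidates if c.name == name]
    return max(matches, key=lambda c: c.version) if matches else None


def find_shadowed(candidates, trusted):
    """Names served by the trusted index that naive resolution would instead
    fetch from another index: the dependency-confusion risk to flag."""
    names = {c.name for c in candidates if c.index == trusted}
    return sorted(n for n in names if resolve_naive(n, candidates).index != trusted)


def resolve_pinned(name, candidates, trusted):
    """Mitigation: if the trusted index serves a name, accept only its
    releases; names it does not serve fall through to naive resolution."""
    pinned = [c for c in candidates if c.name == name and c.index == trusted]
    if pinned:
        return max(pinned, key=lambda c: c.version)
    return resolve_naive(name, candidates)


if __name__ == "__main__":
    print("at risk:", find_shadowed(CANDIDATES, TRUSTED))  # ['torchtriton']
    print("naive:  ", resolve_naive("torchtriton", CANDIDATES))
    print("pinned: ", resolve_pinned("torchtriton", CANDIDATES, TRUSTED))
```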

According to Plate, dependency confusion attacks were among the most prominent attack vectors in 2022, primarily targeting company internal packages hosted on private binary repositories (rather than open-source packages, as in the case of PyTorch).

“That’s because it’s relatively cheap to craft (and automate) such attacks because attackers don’t need to interfere with any existing, legitimate project resources. Instead, they can reserve the name of a legitimate package in a public package repository such as PyPI or npm,” he said.

Since many organizations rely heavily on open-source software, the incident should serve as a warning.

“Organizations need to find ways to maintain the speed and productivity OSS enables without compromising security. The first steps are to examine the process of selecting OSS dependencies and understanding how to select more sustainable ones that will reduce long-term risk.”