FYI-Compromised PyTourch

To anyone who installed Pytorch-nightly between Dec 25th and 30th, see Compromised PyTorch-nightly dependency chain between December 25th and December 30th, 2022. | PyTorch and run python3 -c “import pathlib;import importlib.util;s=importlib.util.find_spec(‘triton’); affected=any(x.name == ‘triton’ for x in (pathlib.Path(s.submodule_search_locations[0] if s is not None else ‘/’ ) / ‘runtime’).glob(‘*’));print(‘You are {}affected’.format(‘’ if affected else 'not '))” to see if your machine was infected or not!

Pytorch-nightly had a supply chain attack via a pip dependency confusion vulnerability (the torchtriton package, torchtriton · PyPI (no longer on pip)). The malware steals credentials++.

Calling history | grep pytorch.org/whl/nightly shows if it was installed at some point but not when. Calling python3 pip-date.py | grep torchtriton (GitHub - E3V3A/pip-date: A simple CLI tool to show the installation/modification times of all your pip packages) should tell the date of installment afaik but doesn’t work on venvs sadly. This fork attempts to do that GitHub - Poil/pip-date: A simple CLI tool to show the installation/modification times of all your pip packages but it lags behind upstream so I don’t know how bugged it is. :crossed_fingers:

Probably a good time for a mod or admin to @ people tbh.
(Source: User Perceptron via the discord “off-topic” channel)

3 Likes

Thank you for the information. Will check it.