torchtriton | SentinelOne

PyTorch dependency ‘torchtriton’ on PyPI Supply Chain Attack

A torchtriton package was created and placed in the PyPI (Python Package Index) code repository for Python developers, which had the same name as the one shipped on the PyTorch nightly package index. The malicious version was automatically installed as the default version when using the system’s package software instead of the original version from the repository.

The PyTorch team has issued a warning to those who installed and downloaded the PyTorch-nightly on Linux via pip between December 25, 2022, and December 30, 2022, should uninstall it and torchtriton immediately.

What are PyTorch and Torchtriton?

PyTorch is an open-source machine learning library and can be used for applications such as natural-language processing. It’s a popular choice among developers and researchers in the deep learning community due to its ease of use and simplicity.

On the other hand, the PyTorch Triton library is an extension of the PyTorch machine learning framework. It allows users to use models trained using the framework in the PyTorch in TensorRT, an inference accelerator developed by NVIDIA.

More about Dependency Confusion of Torchtriton on PyPI

What is Dependency Confusion?

Dependency confusion is a software supply chain exploit that takes advantage of a quirk in a certain package to inject potentially malicious code.

The technique of dependency confusion involves injecting potentially harmful code into the software supply chain. It can be carried out through vulnerable code repositories and package managers.

What is a Supply Chain Attack?

A supply chain attack is an attempt to take advantage of an organization’s trust relationships with external parties. It can involve using third-party software or partnerships.

What exactly happened?

In this case, a package known as torchtriton was submitted to the PyPi repository containing the same name as a previously shipped package on the PyTorch nightly index. The attacker took advantage of the system’s behavior by using the extension’s extra-index-url argument to prioritize the listed packages on PyPi.

The package named torchtriton was different from the one released to the PyPI repository. It had a malicious binary named triton installed in the path PYTHON_SITE_PACKAGES/triton/runtime/triton.

Impact of the malicious torchtriton package 

The malicious torchtriton package could send a computer’s data to a recently established domain, including its nameservers, current username, environment variables, and hostname. It also had access to view home files, home configurations, and hosts’ passwords.

Before it was taken down, the malicious torchtriton package was downloaded more than 3000 times. The main torch, on the other hand, was downloaded around 1.5 million times.

The malicious torchtriton not only scans your system for basic information, such as your IP address, current working directory, and username, but also steals sensitive data, such as;

  • Gets system information
    • nameservers from /etc/resolv.conf
    • hostname from gethostname()
    • current username from getlogin()
    • current working directory name from getcwd()
    • environment variables
  • Reads the following files
    • /etc/hosts
    • /etc/passwd
    • The first 1,000 files in $HOME/*
    • $HOME/.gitconfig
    • $HOME/.ssh/*

How to remediate the issue?

The team of PyTorch decided to change the dependency name of the torchtriton package to “pytorch-triton”. They also reserved a dummy package on the PyPI repository to prevent another attack. The PyTorch group wants to claim ownership of the package to stop the current attack.

The PyTorch Team has stated that If anyone has installed PyTorch nightly on Linux between December 25, 2022, to December 30, 2022, they should immediately uninstall it and replace it with the latest nightly binaries (Post Dec 30th 2022).


$ pip3 uninstall -y torch torchvision torchaudio torchtriton
$ pip3 cache purge

The security teams are advised to update the affected versions of the software to be replaced with nightly binaries dated December 30, 2022, or later.

Steps taken by Pytorch towards mitigation

Torchtriton was removed from nightly packages as a dependency. It was replaced with a package called pytorch-triton, and a dummy package that was registered on PyPI. This change ensures that this issue won’t happen again.

All the nightly packages that rely on the torchtriton package have been removed from the packages indices at