AISec Case Study - Compromised PyTorch Dependency Chain
Case Study Number - AISec-0002/24
Summary
In a striking breach of security, malicious binaries masquerading as PyTorch dependencies compromised sensitive data on numerous Linux systems through PyPI, unveiling the dangers of dependency confusion in software supply chains.
Threat Capability Level (all levels) – Productionised and Deployed: TRL9
Primary Threat Vector - Deepfake
Date – December 2022
Reporter – PyTorch
Actor – Unknown
Target - PyTorch
Incident Detail
Linux packages for PyTorch's pre-release version, known as PyTorch-nightly, were compromised from 25 to 30 December 2022 by a malicious binary uploaded to the Python Package Index (PyPI) code repository. The malicious binary bore the same name as a PyTorch dependency, leading the Python package manager (pip) to install this malevolent package instead of the legitimate one.
This supply chain attack, also termed "dependency confusion," compromised sensitive information on Linux machines that had the affected pip-installed versions of PyTorch-nightly. On 30 December 2022, PyTorch announced the breach and initial steps towards mitigation, including the renaming and removal of torchtriton dependencies.
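The resolution behaviour behind dependency confusion, as an added illustration that is not part of the original case study: when pip is pointed at more than one index, it merges the candidates and takes the highest version, so a same-named public package can win over the private one. The package name, versions, index labels and wheel payloads below are constructed for the example.

```python
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # e.g. (2, 0, 0)
    index: str       # which index served this candidate
    payload: bytes   # wheel contents (constructed stand-in)

    @property
    def digest(self) -> str:
        return sha256(self.payload).hexdigest()


# Constructed sample: the private index hosts the legitimate package; the
# public index hosts a same-named package with a higher version, plus a decoy
# that copies the legitimate version number but carries different contents.
PRIVATE = [Candidate("example-dep", (2, 0, 0), "private", b"legit wheel")]
PUBLIC = [
    Candidate("example-dep", (3, 0, 0), "public", b"malicious wheel"),
    Candidate("example-dep", (2, 0, 0), "public", b"malicious wheel v2"),
]
LEGIT_SHA256 = PRIVATE[0].digest  # what a hash-pinned requirements file records


def resolve_merged(name, *indexes):
    """Models the --extra-index-url behaviour: all indexes are merged and the
    highest version wins, regardless of which index served it."""
    pool = [c for idx in indexes for c in idx if c.name == name]
    return max(pool, key=lambda c: c.version)


def resolve_version_pin(name, version, *indexes):
    """Version pin only: the first candidate with the pinned version is taken,
    so a decoy with the same version number on another index still gets through."""
    return next(c for idx in indexes for c in idx if c.name == name and c.version == version)


def resolve_hash_pin(name, version, expected_sha256, *indexes):
    """Mitigated: exact version pin plus hash verification (the --require-hashes
    model). A candidate whose digest does not match is rejected, not installed."""
    for idx in indexes:
        for c in idx:
            if c.name == name and c.version == version and c.digest == expected_sha256:
                return c
    raise ValueError(f"no candidate for {name} {version} matches the pinned hash")
```

Restricting installs to a single trusted index (resolve_merged over PRIVATE alone) closes the same gap, but only hash pinning also catches a decoy that copies the expected version number.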
Tactics, Techniques, and Procedures
Mitigations
Undertake an AI security assessment.
Catalogue your AI infrastructure assets (hardware and software).
Employ a Secure by design methodology for the development of your AI products and services.
Gain a comprehensive understanding of your supply chain and construct your AI Bill of Materials (AIBOM).
Maintain an Open Source Intelligence (OSINT) feed to stay abreast of emerging AI threat vectors.
Autonomously track, prioritise, and document your vulnerabilities – there are too many for humans to do it.
Utilise a quantitative risk management strategy that justifies the return on investment of your control measures.