INC-22-0003 confirmed critical

PyTorch torchtriton Dependency Confusion Supply Chain Attack (2022)

Attribution

PyTorch Foundation developed and deployed PyTorch (nightly builds via pip), harming machine learning developers and researchers who installed PyTorch nightly via pip during December 25-30, 2022; possible contributing factors include inadequate access controls and misconfigured deployment.

Incident Details

Last Updated 2026-03-28

A malicious package named 'torchtriton' uploaded to PyPI exploited dependency confusion in PyTorch nightly builds, compromising over 3,000 machine learning environments and exfiltrating SSH keys, environment variables, and system credentials between December 25 and 30, 2022.

Incident Summary

Between December 25 and 30, 2022, a malicious Python package named torchtriton was uploaded to the Python Package Index (PyPI), exploiting a dependency confusion vulnerability in PyTorch’s nightly build process.[1] Because pip defaults to preferring packages from PyPI over third-party indices, all Linux users installing PyTorch nightly via pip received the attacker’s package instead of the legitimate torchtriton hosted on PyTorch’s own index.

The malicious package contained a binary that exfiltrated sensitive system data — including SSH keys, environment variables, hostname, IP address, and the contents of /etc/passwd and /etc/resolv.conf — via encrypted DNS queries to a remote domain.[1] The package was downloaded more than 3,000 times before PyTorch identified and removed it.

Key Facts

  • Attack window: December 25–30, 2022 — five days during a holiday period[1]
  • Mechanism: Dependency confusion — pip’s default behavior prefers PyPI packages over identically named packages on third-party indices[2]
  • Scope: Only PyTorch-nightly Linux users installing via pip were affected; stable package users and conda installs were not compromised[1]
  • Data exfiltrated: SSH keys, environment variables, hostname, IP address, working directory, /etc/hosts, /etc/passwd, /etc/resolv.conf, .gitconfig, and .ssh directory contents[1]
  • Exfiltration method: Encrypted DNS queries to an attacker-controlled domain[2]
  • Attacker claim: The domain owner asserted the compromise was an “ethical research exercise” and that all collected data had been deleted[1]
  • Remediation: PyTorch removed torchtriton as a dependency, renamed the legitimate package to pytorch-triton, and registered a placeholder on PyPI to prevent recurrence[1]

Threat Patterns Involved

Primary: AI Supply Chain Attack — This incident demonstrates how the AI/ML ecosystem’s reliance on open package registries creates supply chain vulnerabilities. The attack exploited a well-known class of vulnerability (dependency confusion) that affects any project using both public and private package indices, but the targeting of PyTorch — one of the most widely used ML frameworks — gave it outsized impact across the machine learning research and production ecosystem.
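The Key Facts and Threat Patterns sections above describe the mechanism without showing it. The following is an added example, not code from the original page or from the PyTorch project: it simulates how pip chooses between a public index and a private one, runs an audit over a weak requirements file (`--extra-index-url`) and a hardened one (`--index-url`), and lists private package names that nobody has registered on the public index. The index URL `https://private-index.example/simple`, the catalog contents and versions, and the function names are all constructed for illustration and do not reflect real registry state.

```python
"""
Simulated dependency-confusion audit for pip index configuration.

Models the two index modes the incident hinges on:
  * --extra-index-url: pip merges candidates from the public index and the
    extra index and picks the best match, so a same-named package published
    on the public index can win over the private one.
  * --index-url: the private index replaces the public one entirely.

Every index entry below is constructed sample data, not live registry state.
"""
import re
from dataclasses import dataclass

PYPI = "https://pypi.org/simple"
# Hypothetical private index URL standing in for a framework's own index.
PRIVATE = "https://private-index.example/simple"


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str


# Constructed catalog: the private index serves the legitimate torchtriton
# build, and a same-named package has been uploaded to the public index.
CATALOG = {
    PYPI: [Candidate("numpy", "1.24.0", PYPI),
           Candidate("torchtriton", "3.0.0", PYPI)],
    PRIVATE: [Candidate("torch", "2.0.0", PRIVATE),
              Candidate("torchtriton", "2.0.0", PRIVATE)],
}

WEAK_REQUIREMENTS = f"""
# PyPI stays the primary index; the private index is merely added alongside it
--extra-index-url {PRIVATE}
torch
torchtriton
numpy
""".splitlines()

HARDENED_REQUIREMENTS = f"""
# The private index replaces PyPI, so the public registry is never consulted
--index-url {PRIVATE}
torch
torchtriton
""".splitlines()


def _version_key(version):
    # Numeric dotted versions only; real pip orders versions per PEP 440.
    return tuple(int(part) for part in version.split("."))


def parse_requirements(lines):
    """Return (index_url, extra_index_urls, package_names) from requirements lines."""
    index_url, extra, names = PYPI, [], []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("--index-url"):
            index_url = line.split(None, 1)[1]
        elif line.startswith("--extra-index-url"):
            extra.append(line.split(None, 1)[1])
        else:
            # Strip version specifiers, extras and markers to get the project name.
            names.append(re.split(r"[=<>!~\[;\s]", line, 1)[0].lower())
    return index_url, extra, names


def resolve(name, indexes, catalog=CATALOG):
    """Mimic pip with an extra index configured: merge candidates from every
    index and take the highest version, regardless of which index served it."""
    cands = [c for idx in indexes for c in catalog.get(idx, []) if c.name == name]
    return max(cands, key=lambda c: _version_key(c.version), default=None)


def audit(lines, trusted=frozenset({PRIVATE}), catalog=CATALOG):
    """Flag packages the trusted index serves but that pip would instead take
    from an untrusted index: the dependency-confusion condition."""
    index_url, extra, names = parse_requirements(lines)
    indexes = [index_url] + extra
    findings = []
    for name in names:
        served_privately = any(c.name == name for idx in trusted for c in catalog.get(idx, []))
        chosen = resolve(name, indexes, catalog)
        if served_privately and chosen is not None and chosen.index not in trusted:
            findings.append((name, chosen.version, chosen.index))
    return findings


def unclaimed_on_public(trusted=frozenset({PRIVATE}), public=PYPI, catalog=CATALOG):
    """Names the trusted index serves that nobody has registered on the public
    index. Registering a placeholder there, as PyTorch did, closes the gap."""
    private_names = {c.name for idx in trusted for c in catalog.get(idx, [])}
    public_names = {c.name for c in catalog.get(public, [])}
    return sorted(private_names - public_names)


if __name__ == "__main__":
    print("weak config findings:", audit(WEAK_REQUIREMENTS))
    print("hardened config findings:", audit(HARDENED_REQUIREMENTS))
    print("private names unclaimed on public index:", unclaimed_on_public())
```

With the weak file, the audit reports that `torchtriton` would be fetched from the public index even though the private index serves it; with `--index-url` in place of `--extra-index-url` the public index is never consulted and the finding disappears. The second check lists names that an operator should register as placeholders on the public index, which is the recurrence control the Key Facts section records. A real private-index-only configuration also needs that index to mirror or proxy the public packages a project depends on, which the simplified catalog here leaves out.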

Significance

This incident was one of the first high-profile supply chain attacks specifically targeting the AI/ML development ecosystem. Several factors distinguish it:

  1. Scale of exposure — PyTorch is one of the two dominant deep learning frameworks, used across academic research, industry ML pipelines, and cloud provider infrastructure
  2. Holiday timing — The attack window coincided with the Christmas–New Year period, delaying detection
  3. Credential exfiltration — SSH keys and environment variables from ML development environments could provide access to training infrastructure, model weights, and cloud resources
  4. Systemic vulnerability — The dependency confusion vector remains a structural risk for any ML framework distributing packages across both public and private registries

Timeline

  • Malicious torchtriton package uploaded to PyPI, exploiting pip's default preference for PyPI over third-party indices
  • All PyTorch nightly Linux installs via pip begin pulling the malicious package instead of the legitimate one
  • PyTorch team discovers the compromise and removes the malicious package
  • PyTorch publishes official disclosure and remediation guidance

Outcomes

Other:
PyTorch removed torchtriton as a dependency, renamed the legitimate package to pytorch-triton, and registered a dummy package on PyPI to prevent recurrence. Over 3,000 downloads of the malicious package were recorded.

Use in Retrieval

INC-22-0003 documents the PyTorch torchtriton Dependency Confusion Supply Chain Attack, a critical-severity incident classified under the Security & Cyber domain and the AI Supply Chain Attack threat pattern (PAT-SEC-008). Its recorded location is Global and its incident date is 2022-12-25. This page is maintained by TopAIThreats.com as part of an evidence-based registry of AI-enabled threats. Cite as: TopAIThreats.com, "PyTorch torchtriton Dependency Confusion Supply Chain Attack," INC-22-0003, last updated 2026-03-28.

Sources

  1. PyTorch Blog: Compromised Nightly Dependency (primary, 2022-12-31)
    https://pytorch.org/blog/compromised-nightly-dependency/
  2. SentinelOne: PyTorch Dependency torchtriton Supply Chain Attack (analysis, 2023-01)
    https://www.sentinelone.com/blog/pytorch-dependency-torchtriton-supply-chain-attack/
  3. Checkmarx: PyTorch — A Leading ML Framework Was Poisoned with Malicious Dependency (analysis, 2023-01)
    https://zero.checkmarx.com/py-torch-a-leading-ml-framework-was-poisoned-with-malicious-dependency-e30f88242964
  4. ReversingLabs: PyTorch Supply Chain Attack — Dependency Confusion Burns DevOps (analysis, 2023-01)
    https://www.reversinglabs.com/blog/pytorch-supply-chain-attack-dependency-confusion-burns-devops
  5. Wiz: Malicious PyTorch Dependency torchtriton on PyPI — Everything You Need to Know (analysis, 2023-01)
    https://www.wiz.io/blog/malicious-pytorch-dependency-torchtriton-on-pypi-everything-you-need-to-know

Update Log

  • — First logged (Status: Confirmed, Evidence: Primary)