PyTorch's nightly build relied on a helper package named torchtriton, hosted on PyTorch's own private index. The attacker uploaded a different package with the exact same name, torchtriton, to the public PyPI registry — the default place pip looks.
By default, pip consults the public registry alongside the private index and installs whichever copy carries the higher version number. The attacker just picked a big version number. No password was guessed, no server was breached: the install tool was tricked into choosing the wrong package. This trick has a name: dependency confusion (you'll meet it again on slide 9).
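To make the mechanism concrete, here is an added example (not PyTorch's or pip's own code) that models an installer merging two indexes: the naive "highest version wins" rule, a routed rule that pins private names to the private index, and a check that lists private names also claimed on a public index. The index hostnames and version numbers are constructed placeholders.

```python
# Added example, not code from PyTorch or pip: a small model of an installer
# that merges several package indexes, the rule that lets a same-named
# public package with a larger version win, and two defender-side checks.
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # e.g. (2, 0, 0); tuples compare field by field
    index: str


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


# Constructed sample data: the private index holds the genuine helper,
# the public one holds a same-named upload with a deliberately large version.
PRIVATE = "private-index.example"   # placeholder, not PyTorch's real host
PUBLIC = "pypi.org"
INDEXES = {
    PRIVATE: {"torchtriton": ["2.0.0"]},
    PUBLIC: {"torchtriton": ["3.0.0"], "numpy": ["1.24.0"]},
}


def resolve_merged(name, indexes):
    """Naive rule: every index is consulted and the highest version wins,
    whichever index it came from. This is the confusion."""
    best = None
    for index, packages in indexes.items():
        for text in packages.get(name, []):
            cand = Candidate(name, parse_version(text), index)
            if best is None or cand.version > best.version:
                best = cand
    return best


def resolve_routed(name, indexes, routes, default_index):
    """Hardened rule: a name routed to a private index is fetched only from
    that index; unrouted names come from the default index only."""
    index = routes.get(name, default_index)
    versions = indexes.get(index, {}).get(name, [])
    if not versions:
        return None
    return Candidate(name, max(map(parse_version, versions)), index)


def shadowed_names(indexes, private_index):
    """Detection: private package names that also exist on another index,
    i.e. names somebody else may have claimed publicly."""
    private = set(indexes[private_index])
    return sorted(name for index, pkgs in indexes.items()
                  if index != private_index for name in pkgs if name in private)
```

Running `resolve_merged("torchtriton", INDEXES)` returns the 3.0.0 candidate from the public index, while the routed resolver returns 2.0.0 from the private one and `shadowed_names` flags `torchtriton`.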
You can write perfectly secure code and still get owned — because you didn't write most of what runs on your machine. Modern AI projects pull in hundreds of packages, models, and datasets from strangers. Each one is a door.