Slide 9 of 29
PART 2
Types
Slides 9–14 · 6 patterns, each a real incident
Slide 9 · Attack Type 1 of 6 — Dependency Confusion
Poison a package name, let the install tool do the rest.
Confirmed Incident · Dec 25–30, 2022 · PyTorch's Own Disclosure
torchtriton — Dependency Confusion Hits PyTorch Nightly
No CVE · Root cause: public-vs-private package name collision · ~2,717 malicious downloads

The setup: PyTorch's nightly build depended on a helper package, torchtriton, served from PyTorch's own private index. The name was not claimed on the public PyPI registry.

The attack: someone uploaded a malicious package also named torchtriton to public PyPI with a high version number. Because pip defaults to the public index and prefers higher versions, anyone installing the nightly build got the imposter instead of the real dependency.

The payload: on install it read system info, SSH keys, ~/.gitconfig, the first 1,000 files in $HOME, and /etc/passwd, then uploaded them to a remote server.

Takeaway: the attacker never breached PyTorch. They exploited how the installer chooses between two same-named packages. Trusting a name is not the same as trusting a source.
The Defense This Would Have Stopped

Pinning dependencies to a trusted index and verifying hashes (Part 4) — so a higher-versioned public imposter can never be silently substituted for a private package.
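As an added illustration (not part of the original deck), the following Python model contrasts the installer behaviour that bit PyTorch with the pinned-index-plus-hash check described above. The index URLs, version numbers and artifact bytes are constructed stand-ins; only the package name and the "higher public version wins" mechanism come from the incident.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins: URLs, versions and artifact bytes are made up; only the
# package name and the "highest version wins" mechanism come from the incident.
PRIVATE_INDEX = "https://private-index.example/simple"   # assumed private index
PUBLIC_INDEX = "https://pypi.org/simple"

@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple          # parsed version, e.g. (2, 0, 0)
    index: str              # index that served this candidate
    artifact: bytes         # constructed stand-in for the wheel contents

LEGIT = Candidate("torchtriton", (2, 0, 0), PRIVATE_INDEX, b"legit torchtriton wheel")
IMPOSTER = Candidate("torchtriton", (3, 0, 0), PUBLIC_INDEX, b"malicious torchtriton wheel")
CANDIDATES = [LEGIT, IMPOSTER]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def naive_resolve(name, candidates):
    """Default installer behaviour: all configured indexes form one pool and the
    highest version wins, no matter which index served it."""
    return max((c for c in candidates if c.name == name), key=lambda c: c.version)

def pinned_resolve(name, candidates, trusted_index, version, expected_sha256):
    """Hardened behaviour: consult only the trusted index, require the pinned
    version, and reject any artifact whose hash differs from the recorded one.
    Returns (status, candidate), status in {"ok", "hash-mismatch", "not-found"}."""
    for c in candidates:
        if c.name == name and c.index == trusted_index and c.version == version:
            if sha256(c.artifact) != expected_sha256:
                return "hash-mismatch", c
            return "ok", c
    return "not-found", None

def requirement_line(candidate):
    """The requirements.txt form that `pip install --require-hashes` enforces."""
    ver = ".".join(map(str, candidate.version))
    return f"{candidate.name}=={ver} --hash=sha256:{sha256(candidate.artifact)}"

if __name__ == "__main__":
    chosen = naive_resolve("torchtriton", CANDIDATES)
    print("naive pick:", chosen.version, "from", chosen.index)   # the public imposter
    status, c = pinned_resolve("torchtriton", CANDIDATES, PRIVATE_INDEX,
                               (2, 0, 0), sha256(LEGIT.artifact))
    print("pinned pick:", status, c.index if c else None, "\n" + requirement_line(LEGIT))
```

Installing with `pip install --index-url <trusted index> --require-hashes -r requirements.txt` is the real-world counterpart of `pinned_resolve`: a same-named package on another index, or a wheel whose hash does not match, is refused rather than silently substituted.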
