UPDATED 16:53 EDT / JANUARY 02 2023

PyTorch machine learning framework targeted by cyberattack

A hacker has tricked some users of the PyTorch machine learning framework into downloading malware, BleepingComputer reported on Sunday.

PyTorch is a popular open-source tool for developing artificial intelligence models. Developers use the tool to create new neural networks, train them and perform related tasks. PyTorch was originally released by Meta Platforms Inc. in 2016 and is now managed by the Linux Foundation.

Last Friday, the developers of PyTorch identified a security breach. The breach didn’t affect the PyTorch code base, but rather the Python Package Index (PyPI), the public repository that hosts third-party Python packages, including extensions to the AI development tool. A hacker uploaded a malicious package to PyPI that is believed to have been downloaded more than 2,300 times by users.

The malicious program had the same package name as a legitimate PyTorch dependency, so the installer resolved it in place of the genuine one and some users downloaded it without noticing. To prevent additional downloads, the developers of PyTorch have renamed the legitimate extension that the malicious program imitated.

“This malicious package was being installed instead of the version from our official repository,” the developers detailed in a Dec. 31 blog post. “This malicious package has the same name torchtriton but added in code that uploads sensitive data from the machine.”

According to BleepingComputer, the malware is designed to steal passwords and SSH keys from computers on which it’s installed. An SSH key is a cryptographic credential that, much like a password, developers use to log into their companies’ cloud environments. The malicious file can reportedly access other types of data as well, such as technical information about developers’ computers.

Some antivirus programs open newly downloaded files in an isolated virtual machine before allowing them to run on a user’s device. By opening files, an antivirus can more easily determine whether they may be malicious. The malicious extension spotted by PyTorch’s developers reportedly includes a mechanism that detects when it’s opened in a virtual machine and takes steps to avoid detection.

The scope of the security breach was limited because it affected PyTorch-nightly, a version of the AI tool that contains new features still in development and has a limited user base. Additionally, the malicious file wasn’t included by default in PyTorch downloads but had to be installed separately.

The developers of PyTorch have released a guide for removing the malicious PyTorch extension. The guide includes a series of command line instructions that software teams can run to detect the extension and delete it. 
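The substitution described above works because an installer accepts whichever package of that name it resolves; pinning the expected artifact digests makes a same-named substitute fail to install. The following is an added example, not PyTorch's own code or the remediation guide mentioned in the article: it reimplements the core of pip's `--require-hashes` check over a constructed requirements file, with both the "official" and "substitute" artifacts constructed inline as byte strings and every version number and digest constructed for the example.

```python
import hashlib
import re

# Constructed sample inputs (not real release artifacts or digests): two byte
# strings standing in for a wheel from the official index and for a same-named
# package pulled from a public index instead.
OFFICIAL_WHEEL = b"constructed stand-in for torchtriton from the official index"
SUBSTITUTE_WHEEL = b"constructed stand-in for a same-named public-index package"

# A hash-pinned requirements file in the syntax pip accepts with --require-hashes.
# Versions are constructed; the torchtriton digest is derived from OFFICIAL_WHEEL.
REQUIREMENTS = (
    "torchtriton==0.0.0 \\\n"
    "    --hash=sha256:" + hashlib.sha256(OFFICIAL_WHEEL).hexdigest() + "\n"
    "numpy==0.0.0  # pinned by version only, no hash: rejected below\n"
)

HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_pins(text):
    """Map normalised package name -> set of allowed sha256 digests."""
    # Join backslash continuation lines, then drop comments and blank lines.
    joined = text.replace("\\\n", " ")
    pins = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = NAME_RE.match(line).group(1).lower().replace("_", "-")
        pins[name] = set(HASH_RE.findall(line))
    return pins


def verify_artifact(name, data, pins):
    """True only if the artifact's sha256 is one of the digests pinned for name.

    Mirrors pip's --require-hashes rule: a package with no pinned digest is a
    failure, not a pass, so an unpinned same-named substitute cannot slip in.
    """
    allowed = pins.get(name.lower().replace("_", "-"), set())
    if not allowed:
        return False
    return hashlib.sha256(data).hexdigest() in allowed


if __name__ == "__main__":
    pins = parse_pins(REQUIREMENTS)
    print("official:", verify_artifact("torchtriton", OFFICIAL_WHEEL, pins))
    print("substitute:", verify_artifact("torchtriton", SUBSTITUTE_WHEEL, pins))
```

With real projects the digests come from the release artifacts on the official index, and pip enforces the same rule when the requirements file is installed with `--require-hashes`.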
