The attack campaign discovered by ReversingLabs involved three packages: aliyun-ai-labs-snippets-sdk, ai-labs-snippets-sdk, and aliyun-ai-labs-sdk. Together the three packages were downloaded 1,600 times, which is significant considering they were online for less than a day before they were discovered and taken down.
Developers’ computers are valuable targets because they typically contain a variety of credentials, API tokens, and other access keys to various cloud and local infrastructure services. Compromising such a computer can easily lead to lateral movement to other parts of the environment.
The malicious SDKs uploaded to PyPI loaded the malicious PyTorch models through the __init__.py script. The models then executed base64-obfuscated code designed to steal information about the logged-in user, the network address of the infected machine, the name of the organization that the machine belonged to, and the contents of the .gitconfig file.
