• Compromised PyTorch-nightly dependency chain between December 25th and December



    https://pytorch.org/blog/compromised-nightly-dependency/

    If you installed PyTorch-nightly on Linux via pip between December 25, 2022 and December 30, 2022, please uninstall it and torchtriton immediately, and use the latest nightly binaries (newer than Dec 30th 2022).

    $ pip3 uninstall -y torch torchvision torchaudio torchtriton
    $ pip3 cache purge

    PyTorch-nightly Linux packages installed via pip during that time installed a dependency, torchtriton, which was compromised on the Python Package Index (PyPI) code repository and ran a malicious binary. This is what is known as a supply chain attack and directly affects dependencies for packages that are hosted on public package indices.

    NOTE: Users of the PyTorch stable packages are not affected by this issue.

    HOW TO CHECK IF YOUR PYTHON ENVIRONMENT IS AFFECTED

    The following command searches for the malicious binary in the torchtriton package (PYTHON_SITE_PACKAGES/triton/runtime/triton) and prints out whether your current Python environment is affected or not.

    python3 -c "import pathlib;import importlib.util;s=importlib.util.find_spec('triton'); affected=any(x.name == 'triton' for x in (pathlib.Path(s.submodule_search_locations[0] if s is not None else '/' ) / 'runtime').glob('*'));print('You are {}affected'.format('' if affected else 'not '))"
    The malicious binary is executed when the triton package is imported, which requires explicit code to do and is not PyTorch’s default behavior…
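The check above, written out as a small script rather than a one-liner. This is an added example, not code from the PyTorch advisory or the PyTorch project: it applies the same test (a file named triton under triton/runtime/ inside the installed triton package) and, like the one-liner, locates the package with importlib.util.find_spec so that triton is never imported, since importing it is what runs the payload. It also exposes an offline variant that inspects any site-packages directory given as a path, and builds two constructed sample layouts (clean and compromised) so the logic can be exercised without a real wheel. The function names and the sample layouts are this example's own assumptions.

```python
"""Checker for the compromised torchtriton wheel described in the PyTorch advisory.

Added example, not code from the advisory or the PyTorch project. It performs the
same test as the advisory's one-liner (look for an entry named ``triton`` under
``triton/runtime/`` inside the installed triton package) but never imports
``triton`` itself, because importing the package is what executes the payload.
Function names and the constructed sample layouts below are this example's own.
"""
import importlib.util
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Location of the malicious binary relative to the package directory, as named in
# the advisory: PYTHON_SITE_PACKAGES/triton/runtime/triton
MALICIOUS_RELATIVE_PATH = Path("runtime") / "triton"


def triton_package_dir(package_name: str = "triton") -> Optional[Path]:
    """Locate the installed package directory without importing it.

    importlib.util.find_spec only asks the import system's finders where a
    top-level name lives; it does not execute the package's __init__, so this
    is safe to call even when the payload is present.
    """
    spec = importlib.util.find_spec(package_name)
    if spec is None or not spec.submodule_search_locations:
        return None
    return Path(list(spec.submodule_search_locations)[0])


def package_dir_is_affected(package_dir: Path) -> bool:
    """True if the package directory contains the entry the advisory describes."""
    return (package_dir / MALICIOUS_RELATIVE_PATH).exists()


def site_packages_is_affected(site_packages: Path) -> bool:
    """Offline variant: inspect a site-packages tree given as a path (e.g. a mounted image)."""
    return package_dir_is_affected(site_packages / "triton")


def current_environment_is_affected() -> bool:
    """Apply the check to the interpreter running this script."""
    pkg = triton_package_dir()
    return pkg is not None and package_dir_is_affected(pkg)


def build_sample_site_packages(root: Path, compromised: bool) -> Path:
    """Construct a fake site-packages tree (constructed test data, not a real wheel)."""
    site = root / ("compromised" if compromised else "clean") / "site-packages"
    runtime = site / "triton" / "runtime"
    runtime.mkdir(parents=True)
    (site / "triton" / "__init__.py").write_text("# stand-in for the real package\n")
    (runtime / "__init__.py").write_text("")
    if compromised:
        # Marker file standing in for the malicious binary; its content is irrelevant here.
        (runtime / "triton").write_bytes(b"\x7fELF-placeholder")
    return site


def demo() -> Dict[str, bool]:
    """Run the check over both constructed layouts; returns {'clean': False, 'compromised': True}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return {
            "clean": site_packages_is_affected(build_sample_site_packages(root, False)),
            "compromised": site_packages_is_affected(build_sample_site_packages(root, True)),
        }


if __name__ == "__main__":
    print("constructed layouts:", demo())
    verdict = "" if current_environment_is_affected() else "not "
    print("this interpreter: You are {}affected".format(verdict))
```

Running the script prints the result for the two constructed layouts and then for the current interpreter; site_packages_is_affected can be pointed at any site-packages directory (for example one copied out of a container image) when the interpreter that installed the nightly is not the one you want to run.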
