⛓ Supply Chain
PyTorch Nightly Dependency Confusion Attack — torchtriton Malicious Package
Incident Details
On 25 December 2022, an attacker uploaded a malicious package named 'torchtriton' to the public PyPI index. PyTorch nightly builds depended on a package of the same name served from PyTorch's own private package index at download.pytorch.org. Because pip searches the public PyPI index before private sources by default, the malicious public package took precedence over the legitimate private one: a classic dependency confusion attack. Any developer who installed PyTorch nightly between 25 and 30 December 2022 received the malicious torchtriton package.

The malicious package contained code that collected the system's environment variables, the contents of /etc/hosts, the current working directory, the hostname, the running user's username and home directory, and the SSH private keys under ~/.ssh. It also gathered information about all .gitconfig files. The stolen data was exfiltrated to the domain H4CK[.]cfd via DNS queries (using the whois.das.ws DNS-over-HTTPS service).

PyTorch detected the issue on 30 December and disclosed it on 31 December. It removed the malicious package, released a fix, and advised all users who had installed nightly builds during the window to treat their systems as compromised, rotate credentials, and check whether SSH keys had been exfiltrated. The attacker had uploaded the malicious package under the username 'pytorchtriton'.

The incident highlighted how private PyPI indices, combined with pip's default resolution order, create a class of supply chain vulnerability that specifically affects machine learning and data science workflows.
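To make the resolution problem concrete, here is an added example (not code from this page or from the PyTorch project) that models pip's candidate selection across several indexes against a small in-memory catalogue. The model treats every configured index as a peer and takes the highest eligible version, which is enough to reproduce the problem. The index contents, package versions and digests are constructed for the demo, and the private index path is illustrative. It shows the weak setting (a private package name reachable through `--extra-index-url` with an unpinned requirement) beside the two fixes a defender would apply: an exact version pin with `--hash`, and a configuration that uses only the private index.

```python
"""Simplified model of pip's candidate selection across several package
indexes. Index contents, versions and digests are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

PUBLIC = "https://pypi.org/simple"
PRIVATE = "https://download.pytorch.org/whl/nightly"   # illustrative private index

# Constructed catalogue: index -> package -> version -> sha256 of the artifact.
# The public index carries a same-named upload at the legitimate version and at
# a higher one; neither digest matches the private artifact.
INDEXES: Dict[str, Dict[str, Dict[str, str]]] = {
    PUBLIC: {
        "torchtriton": {"2.0.0": "sha256-public-a", "3.0.0": "sha256-public-b"},
        "numpy": {"1.24.1": "sha256-numpy"},
    },
    PRIVATE: {
        "torchtriton": {"2.0.0": "sha256-private"},
    },
}


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str
    sha256: str

    def version_key(self) -> Tuple[int, ...]:
        return tuple(int(p) for p in self.version.split("."))


@dataclass(frozen=True)
class Requirement:
    name: str
    pinned: Optional[str] = None              # exact version, as with "pkg==2.0.0"
    hashes: FrozenSet[str] = frozenset()      # allowed digests, as with --hash


@dataclass(frozen=True)
class PipConfig:
    index_url: str
    extra_index_urls: Tuple[str, ...] = ()


def eligible(req: Requirement, cfg: PipConfig) -> List[Candidate]:
    """Every configured index is a peer: collect all candidates for the name,
    then keep only those that satisfy the pin and, if given, the hash list."""
    pool = []
    for index in (cfg.index_url, *cfg.extra_index_urls):
        for version, digest in INDEXES.get(index, {}).get(req.name, {}).items():
            pool.append(Candidate(req.name, version, index, digest))
    if req.pinned is not None:
        pool = [c for c in pool if c.version == req.pinned]
    if req.hashes:
        pool = [c for c in pool if c.sha256 in req.hashes]
    return pool


def resolve(req: Requirement, cfg: PipConfig) -> Optional[Candidate]:
    """Highest eligible version wins, whichever index served it."""
    return max(eligible(req, cfg), key=Candidate.version_key, default=None)


def audit(reqs: List[Requirement], cfg: PipConfig,
          private_index: str, private_names: FrozenSet[str]) -> Dict[str, List[str]]:
    """Defender check: for each name that must only come from the private
    index, report every other index that could still satisfy the requirement."""
    findings: Dict[str, List[str]] = {}
    for req in reqs:
        if req.name not in private_names:
            continue
        foreign = sorted({c.index for c in eligible(req, cfg) if c.index != private_index})
        if foreign:
            findings[req.name] = foreign
    return findings


PRIVATE_NAMES = frozenset({"torchtriton"})


def scenarios() -> Dict[str, Dict[str, List[str]]]:
    """The weak setting beside the corrected ones."""
    unpinned = [Requirement("torchtriton"), Requirement("numpy")]
    pinned = [Requirement("torchtriton", pinned="2.0.0")]
    pinned_hashed = [Requirement("torchtriton", pinned="2.0.0",
                                 hashes=frozenset({"sha256-private"}))]
    mixed = PipConfig(index_url=PUBLIC, extra_index_urls=(PRIVATE,))
    private_only = PipConfig(index_url=PRIVATE)
    return {
        "extra-index-url, unpinned": audit(unpinned, mixed, PRIVATE, PRIVATE_NAMES),
        "extra-index-url, version pin only": audit(pinned, mixed, PRIVATE, PRIVATE_NAMES),
        "extra-index-url, pin + hash": audit(pinned_hashed, mixed, PRIVATE, PRIVATE_NAMES),
        "private index only": audit(unpinned, private_only, PRIVATE, PRIVATE_NAMES),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:36s} {'OK' if not result else result}")
```

Run it directly to print each scenario. `audit` is the check worth wiring into CI: it flags any private package name that some other configured index could still satisfy, which is exactly the condition a same-named public upload exploits. A version pin alone is not enough, since nothing stops the public upload from reusing the same version number; only the digest ties the requirement to the private artifact. In a real requirements file, `--hash` entries switch pip into hash-checking mode, where every package must carry a hash and any artifact with an unlisted digest is rejected.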
Technical Details
- Initial Attack Vector
  - Dependency confusion: the attacker uploaded a malicious package named 'torchtriton' to the public PyPI index, which took precedence over the legitimate package of the same name in PyTorch's private package index (download.pytorch.org). Any user who installed PyTorch nightly builds with pip between 25 and 30 December 2022 received the malicious torchtriton package, which stole sensitive data from the victim's system.
- Vendor / Product
  - PyTorch nightly build (Meta AI deep learning framework)
- Software Package
  - torchtriton
- Malware Family
  - triton (malicious PyPI package, data stealer)
- Supply Chain Attack
  - ✅ Confirmed third-party / vendor compromise
Timeline
- 2022-12-25 Breach occurred
- 2022-12-30 Publicly disclosed
- 2022-12-31 Customers notified