If you downloaded PyTorch-nightly on Linux via pip between Dec. 25, 2022, and Dec. 30, 2022, you’ve got trouble. Someone, we still don’t know who, uploaded a malicious package (https://pytorch.org/blog/compromised-nightly-dependency/) that hid under the real dependency name, torchtriton.

The good news is that this supply chain attack only hit the nightly builds.

You might wonder how this could happen since the malicious code wasn’t copied over the good version. The PyTorch Team explained, “Since the PyPI index takes precedence (https://github.com/pypa/pip/issues/8606), this malicious package was being installed instead of the version from our official repository.”
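The index-precedence problem described above can be audited offline. The following is an added example, not code from the PyTorch team or pip: it uses a simplified model (an assumption of this example) in which candidates from every configured index are merged and the highest version wins, and all index names, contents and version numbers are constructed.

```python
# Added example: simplified offline model of multi-index package resolution.
# Index names, contents and versions below are constructed sample data.

def parse_version(v):
    """Numeric dotted versions only; enough for the constructed data below."""
    return tuple(int(part) for part in v.split("."))

def pick_candidate(name, indexes):
    """Merge candidates for `name` from all indexes; return (version, index).

    Assumed model: indexes have no priority, so the highest version wins
    regardless of which index hosts it.
    """
    candidates = [
        (parse_version(v), v, index_name)
        for index_name, packages in indexes.items()
        for v in packages.get(name, [])
    ]
    if not candidates:
        return None
    _, version, index_name = max(candidates)
    return version, index_name

def audit(expected_source, indexes):
    """Flag packages that resolve to, or merely exist on, an unintended index."""
    findings = []
    for name, intended in sorted(expected_source.items()):
        picked = pick_candidate(name, indexes)
        elsewhere = sorted(i for i, pkgs in indexes.items()
                           if i != intended and name in pkgs)
        if picked and picked[1] != intended:
            findings.append((name, "WRONG_INDEX", picked[1], picked[0]))
        elif elsewhere:
            # Same name is registered elsewhere; one version bump away from winning.
            findings.append((name, "NAME_COLLISION", elsewhere[0], None))
    return findings

INDEXES = {  # constructed
    "private-nightly": {"torchtriton": ["2.0.0"], "internal-utils": ["1.4.0"]},
    "public": {"torchtriton": ["3.0.0"], "internal-utils": ["0.0.1"],
               "requests": ["2.28.1"]},
}
EXPECTED = {"torchtriton": "private-nightly",
            "internal-utils": "private-nightly", "requests": "public"}

if __name__ == "__main__":
    for finding in audit(EXPECTED, INDEXES):
        print(finding)
```

A `NAME_COLLISION` finding is worth acting on even when the intended index currently wins, because the outcome depends only on version numbers that the other index's uploader controls.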
