Summary: Supply chain attack targets PyTorch Machine Learning Framework

A supply chain attack has been discovered affecting the PyTorch Machine Learning Framework. The attack involved adding a malicious dependency to the framework, which was then distributed to users via the Python Package Index (PyPI) code repository. Users who installed PyTorch-nightly on Linux via pip between December 25, 2022 and December 30, 2022 are advised to uninstall it and use the latest binaries.

The malicious binary performs the following actions:

- Gets system information
- Reads the following files:
  - /etc/passwd
  - /etc/hosts
  - The first 1,000 files in $HOME/*
  - $HOME/.gitconfig
  - $HOME/.ssh/*
- Exfiltrates the collected data via encrypted DNS queries to the domain *.h4ck[.]cfd, using the DNS server wheezy[.]io
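To hunt for the exfiltration channel named above, the following added example (not taken from PyTorch or the linked articles) scans DNS query records for names under the listed domain or queries sent to the listed DNS server. The five-field log layout, the function names and the sample records are assumptions constructed for illustration; real resolver logs usually record the server by IP address, which the summary does not give.

```python
import re

# Indicators as printed in the summary above (defanged there, refanged here for matching).
EXFIL_DOMAIN = "h4ck.cfd"
EXFIL_RESOLVER = "wheezy.io"

def refang(value: str) -> str:
    """Normalise a defanged or oddly-cased name: 'H4ck[. ]cfd.' -> 'h4ck.cfd'."""
    return re.sub(r"\[\s*\.\s*\]", ".", value).strip().rstrip(".").lower()

def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone itself or a subdomain, matched on label boundaries."""
    name, zone = refang(name), refang(zone)
    return name == zone or name.endswith("." + zone)

def scan(lines):
    """Return (line_no, client, reason) for each matching query record.

    Assumed layout (constructed for this example, whitespace separated):
    timestamp client qname qtype resolver
    """
    hits = []
    for no, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 5 or line.lstrip().startswith("#"):
            continue  # skip comments and malformed records
        _, client, qname, _, resolver = parts
        if in_zone(qname, EXFIL_DOMAIN):
            hits.append((no, client, "qname under exfil domain"))
        elif in_zone(resolver, EXFIL_RESOLVER):
            hits.append((no, client, "query sent to exfil resolver"))
    return hits

# Constructed sample records, not real traffic.
SAMPLE_LOG = """\
2022-12-27T10:01:02Z 10.0.0.5 pypi.org A 10.0.0.1
2022-12-27T10:01:09Z 10.0.0.7 aabbccdd.H4CK.cfd. A wheezy.io
2022-12-27T10:01:11Z 10.0.0.8 noth4ck.cfd A 10.0.0.1
2022-12-27T10:02:00Z 10.0.0.9 example.com A wheezy.io
truncated line
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on label boundaries keeps look-alike names such as the constructed `noth4ck.cfd` from triggering, and the resolver check catches hosts that bypass the local resolver even when the query name itself looks benign.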

Related articles

PyTorch compromised to demonstrate dependency confusion attack on Python environments

Threat actors compromised the PyTorch Machine Learning Framework by adding a malicious dependency. ………….

Read the complete article at: securityaffairs.com

PyTorch discloses malicious dependency chain compromise over holidays

PyTorch has identified a malicious dependency with the same name as the framework’s ‘torchtriton’ library. This has led to a successful compromise via the dependency confusion attack vector.

Read the complete article at: www.bleepingcomputer.com
