MacMusic  |  PcMusic  |  440 Software  |  440 Forums  |  440TV  |  Zicos
pytorch
Search

Stawinski: How We Executed a Critical Supply Chain Attack on PyTorch

Monday January 15, 2024. 04:16 PM , from LWN.net
John Stawinski IV describes,
in detail, how he and a partner were able to compromise the security of the
heavily used PyTorch project.

Our exploit path resulted in the ability to upload malicious
PyTorch releases to GitHub, upload releases to AWS, potentially add
code to the main repository branch, backdoor PyTorch dependencies –
the list goes on. In short, it was bad. Quite bad.

As we’ve seen before with SolarWinds, Ledger, and others, supply
chain attacks like this are killer from an attacker’s
perspective. With this level of access, any respectable
nation-state would have several paths to a PyTorch supply chain
compromise.
Read more at LWN.net
https://lwn.net/Articles/958318/

Related News

pytorch Murderer executed with nitrogen BoingBoingJan 26
chain Using GoAnywhere MFT for file transfers? Patch now – an exploit's out for a critical bug TheRegisterJan 24
supply Legacy tech shoots down Ministry of Defence's supply chain improvements TheRegisterJan 23
stawinski The Post Office systems scandal demands a critical response TheRegisterJan 22
how Patch now: Critical VMware, Atlassian flaws found TheRegisterJan 16
compromise Thousands of Juniper Networks devices vulnerable to critical RCE bug TheRegisterJan 15
upload Patch time: Critical GitLab vulnerability exposes 2FA-less users to account takeovers TheRegisterJan 15
bad Post-Quantum Encryption Algorithm KyberSlash Patched After Side-Channel Attack Discovered SlashdotJan 14
executed Ukrainian Hacker Group Takes Down Moscow ISP As a Revenge For Kyivstar Cyber Attack SlashdotJan 13
attack Linux Devices Are Under Attack By a Never-Before-Seen Worm SlashdotJan 10
critical America's first private lunar lander suffers 'critical' fuel leak en route to Moon TheRegisterJan 8
pytorch America's first private lunar lander suffers 'critical' fuel leak en route to Moon TheRegisterJan 8
chain LA Times bans 38 of its journalists from reporting on Gaza after they sign open letter critical of coverage BoingBoingJan 6
supply Ivanti Warns of Critical Vulnerability In Its Popular Line of Endpoint Protection Software SlashdotJan 6
stawinski Organizations don't know how to address software supply chain security BetaNewsJan 5
how Critical Infrastructure Is Sinking Along the US East Coast Wired: Tech.Jan 5
compromise Sandworm's Kyivstar attack should serve as a reminder of the Kremlin crew's 'global reach' TheRegisterJan 5
upload SpaceX accused of firing employees critical of free speech fan Elon Musk TheRegisterJan 4
bad EU Competition Chief Defends AI Act After Macron's Attack SlashdotDec 29
executed External attack surface management [Q&A] BetaNewsDec 22
News copyright owned by their original publishers | Copyright © 2004 - 2024 Zicos / 440Network
Current Date
Apr, Sun 28 - 05:47 CEST