Navigation
Search
|
Stawinski: How We Executed a Critical Supply Chain Attack on PyTorch
Monday January 15, 2024. 04:16 PM , from LWN.net
John Stawinski IV describes,
in detail, how he and a partner were able to compromise the security of the heavily used PyTorch project. Our exploit path resulted in the ability to upload malicious PyTorch releases to GitHub, upload releases to AWS, potentially add code to the main repository branch, backdoor PyTorch dependencies – the list goes on. In short, it was bad. Quite bad. As we’ve seen before with SolarWinds, Ledger, and others, supply chain attacks like this are killer from an attacker’s perspective. With this level of access, any respectable nation-state would have several paths to a PyTorch supply chain compromise.
https://lwn.net/Articles/958318/
Related News |
25 sources
Current Date
Apr, Sun 28 - 05:47 CEST
|