PyTorch Suffers Supply Chain Attack via Dependency Confusion
1 min read
Jan 05, 2023
Users who deployed the nightly builds of PyTorch between Christmas and New Year's Eve likely received a rogue package as part of the installation that siphoned off sensitive data from their systems. The incident was the result of an attack called dependency confusion that continues to impact package managers and development environments if hardening steps are not taken.
"If you installed PyTorch nightly on Linux via pip between December 25, 2022, and December 30, 2022, please uninstall it and torchtriton immediately, and use the latest nightly binaries (newer than December 30, 2022)," the PyTorch maintainers said in a security advisory.
PyTorch is a framework for developing machine learning applications in the fields of computer vision and natural language processing that is a continuation of the older and no longer maintained Torch library. PyTorch was originally developed by Meta AI, the artificial intelligence laboratory of Meta, Inc., but is now an open-source project maintained by the PyTorch Foundation under the Linux Foundation's umbrella.
Related Articles
1 - 0 min read
What Is eBPF? The Ultimate Guide
1 - 0 min read
Ubuntu Tool Could Trick Users Into Installing Rogue Packages
1 - 0 min read
Multiple Chromium DoS, Info Disclosure Vulns Fixed [Updated]
1 - 0 min read
Debian and Ubuntu Fix More OpenSSH Vulnerabilities
