• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
pytorch machine learning framework compromised with malicious dependency

PyTorch Machine Learning Framework Compromised with Malicious Dependency

You are here: Home / General Cyber Security News / PyTorch Machine Learning Framework Compromised with Malicious Dependency
January 2, 2023

The maintainers of the PyTorch deal have warned people who have installed the nightly builds of the library involving December 25, 2022, and December 30, 2022, to uninstall and down load the latest versions adhering to a dependency confusion attack.

“PyTorch-nightly Linux packages mounted by means of pip throughout that time put in a dependency, torchtriton, which was compromised on the Python Package Index (PyPI) code repository and ran a malicious binary,” the PyTorch workforce explained in an inform over the weekend.

PyTorch, analogous to Keras and TensorFlow, is an open resource Python-centered machine mastering framework that was originally produced by Meta Platforms.

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


The PyTorch staff mentioned that it grew to become aware of the malicious dependency on December 30, 4:40 p.m. GMT. The source chain attack entailed uploading a destructive edition of a authentic dependency named torchtriton to the Python Bundle Index (PyPI) code repository.

Considering the fact that package administrators like pip verify community code registries these types of as PyPI for a deal right before private registries, it authorized the fraudulent module to be put in on users’ units as opposed to the real version pulled from the third-party index.

The rogue edition, for its part, is engineered to exfiltrate program facts, including setting variables, the recent functioning listing, and host name, in addition to accessing the adhering to files –

  • /and so forth/hosts
  • /etc/passwd
  • The first 1,000 files in $Residence/*
  • $Household/.gitconfig
  • $Household/.ssh/*

In a statement shared with Bleeping Laptop, the operator of the domain to which the stolen details was transmitted claimed it was section of an ethical research physical exercise and that all the data has considering that been deleted.

As mitigations, torchtriton has been taken out as a dependency and changed with pytorch-triton. A dummy bundle has also been registered on PyPI as a placeholder to stop even further abuse.

“This is not the authentic torchtriton package but uploaded listed here to learn dependency confusion vulnerabilities,” reads a information on the PyPI web page for torchtriton. “You can get the serious torchtriton from https://obtain.pytorch[.]org/whl/nightly/torchtriton/.”

The progress also comes as JFrog disclosed information of one more offer regarded as cookiezlog that has been observed utilizing anti-debugging techniques to resist investigation, marking the 1st time this kind of mechanisms have been integrated in PyPI malware.

Observed this posting appealing? Observe us on Twitter  and LinkedIn to read far more distinctive material we submit.


Some elements of this article are sourced from:
thehackernews.com

Previous Post: «wordpress security alert: new linux malware exploiting over two dozen WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws
Next Post: RedZei Chinese Scammers Targeting Chinese Students in the U.K. redzei chinese scammers targeting chinese students in the u.k.»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • WhatsApp Unveils Proxy Support to Tackle Internet Censorship
  • Hackers Using CAPTCHA Bypass Tactics in Freejacking Campaign on GitHub
  • Blind Eagle Hacking Group Targets South America With New Tools
  • US Family Planning Non-Profit MFHS Confirms Ransomware Attack
  • Microsoft Reveals Tactics Used by 4 Ransomware Families Targeting macOS
  • Dridex Malware Now Attacking macOS Systems with Novel Infection Method
  • Cyber attacks on UK organisations surged 77% in 2022, new research finds
  • WhatsApp to combat internet blackouts with proxy server support
  • The IT Pro Podcast: Going passwordless
  • Podcast transcript: Going passwordless

Copyright © TheCyberSecurity.News, All Rights Reserved.