Testing latest malware dependency confusion attack against PyTorch, torchtriton #791
gustavo-iniguez-goya started this conversation in Show and tell
pytorch.org:
"At around 4:40pm GMT on December 30 (Friday), we learned about a malicious dependency package (torchtriton) that was uploaded to the Python Package Index (PyPI) code repository with the same package name as the one we ship on the PyTorch nightly package index. Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository. This design enables somebody to register a package by the same name as one that exists in a third party index, and pip will install their version by default.
This malicious package has the same name torchtriton but added in code that uploads sensitive data from the machine."
pytorch-torchtriton-25122022.webm
The h4ck.cfd domain is not active anymore, which is why the malware only performs DNS requests.
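As an added example (not part of the original post or of the PyTorch advisory): a small audit of a pip requirements file for the two-index situation the quote describes, listing the requirements that are resolved by name alone while an extra index is configured. The sample file, the placeholder index URL and the function name `audit_requirements` are constructed for illustration.

```python
import re

# Constructed sample input (not from the original post): a requirements file
# that configures a second index next to the default one. The URL is a placeholder.
SAMPLE = """\
--extra-index-url https://download.example.invalid/whl/nightly/
torch
torchtriton  # resolved by name only
numpy==1.24.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

INDEX_OPT = re.compile(r"^(--extra-index-url|--index-url|-i)[=\s]+(\S+)")
NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def audit_requirements(text):
    """Return (extra_indexes, exposed): the extra indexes configured and the
    requirement names that carry no --hash pin while an extra index is in use."""
    # Join backslash continuations into logical lines.
    logical = re.sub(r"\\\n\s*", " ", text).splitlines()
    extra_indexes, exposed = [], []
    for raw in logical:
        # Drop comments (a '#' at line start or preceded by whitespace).
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        opt = INDEX_OPT.match(line)
        if opt:
            if opt.group(1) == "--extra-index-url":
                extra_indexes.append(opt.group(2))
            continue
        if line.startswith("-"):
            continue  # other pip options (-r, -c, ...) are out of scope here
        name = NAME.match(line)
        # Without --hash, pip accepts whatever file the chosen index serves.
        if name and "--hash=" not in line:
            exposed.append(name.group(0).lower())
    # pip gives an extra index no priority over the default index, so a name
    # present on both can be satisfied from either; report only in that case.
    return extra_indexes, (exposed if extra_indexes else [])


if __name__ == "__main__":
    indexes, names = audit_requirements(SAMPLE)
    for n in names:
        print(f"{n}: no hash pin, {len(indexes)} extra index(es) configured")
```

Requirements pinned with `--hash` put pip into hash-checking mode, so a same-named package served from another index fails the install instead of replacing the intended one.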