Nightly PyTorch builds compromised

Anybody who installed a nightly release from the PyTorch machine-learning library betweenDecember 25 and 30 willwant to uninstall it immediately:

At around 4:40pm GMT on December 30 (Friday), we learned about amalicious dependency package (torchtriton) that was uploaded to thePython Package Index (PyPI) code repository with the same packagename as the one we ship on the PyTorch nightly package index. Sincethe PyPI index takes precedence, this malicious package was beinginstalled instead of the version from our official repository. Thisdesign enables somebody to register a package by the same name asone that exists in a third party index, and pip will install theirversion by default.

This malicious package has the same name torchtriton but added incode that uploads sensitive data from the machine.