Stawinski: How We Executed a Critical Supply Chain Attack on PyTorch

by
corbet
from LWN.net on (#6HW2B)
John Stawinski IV describes,in detail, how he and a partner were able to compromise the security of theheavily used PyTorch project.

Our exploit path resulted in the ability to upload maliciousPyTorch releases to GitHub, upload releases to AWS, potentially addcode to the main repository branch, backdoor PyTorch dependencies -the list goes on. In short, it was bad. Quite bad.

As we've seen before with SolarWinds, Ledger, and others, supplychain attacks like this are killer from an attacker'sperspective. With this level of access, any respectablenation-state would have several paths to a PyTorch supply chaincompromise.

External Content
Source RSS or Atom Feed
Feed Location http://lwn.net/headlines/rss
Feed Title LWN.net
Feed Link https://lwn.net/
Reply 0 comments