9
Nightly PyTorch builds compromised
source link: https://lwn.net/Articles/918884/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Nightly PyTorch builds compromised [LWN.net]
User:
Password: |
|
Nightly PyTorch builds compromised
[Posted January 2, 2023 by corbet]
Anybody who installed a nightly release from the PyTorch machine-learning library between
December 25 and 30 will
want to uninstall it immediately:
(Log in to post comments)
At around 4:40pm GMT on December 30 (Friday), we learned about a malicious dependency package (torchtriton) that was uploaded to the Python Package Index (PyPI) code repository with the same package name as the one we ship on the PyTorch nightly package index. Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository. This design enables somebody to register a package by the same name as one that exists in a third party index, and pip will install their version by default.This malicious package has the same name torchtriton but added in code that uploads sensitive data from the machine.
(Log in to post comments)
Copyright © 2023, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds
</body
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK