The popular Python package PyTorch has been hit by a dependency confusion attack. Admins for the machine learning framework identified the attack and determined that the window of attack was between December 25th and 30th, 2022. Their recommendation for users who installed PyTorch during that time is to immediately do a complete uninstall, including removal of the affected torchtriton dependency. They can then reinstall using the latest nightly binaries, or binaries newer than Dec 30th, 2022. The malicious binary has been observed stealing sensitive data, including SSH keys, gitconfig and the first 1,000 files in the victim’s HOME directory. Interestingly, a note on the exfiltration server states that the operation is part of ethical research. However, don’t be fooled, as this isn’t the first time hackers have made such claims. Check out the full article written by Ax Sharma from BleepingComputer.

This segment was created for the It’s 5:05 podcast.