MacMusic  |  PcMusic  |  440 Software  |  440 Forums  |  440TV  |  Zicos
pytorch
Recherche

Stawinski: How We Executed a Critical Supply Chain Attack on PyTorch

lundi 15 janvier 2024, 16:16 , par LWN.net
John Stawinski IV describes,
in detail, how he and a partner were able to compromise the security of the
heavily used PyTorch project.

Our exploit path resulted in the ability to upload malicious
PyTorch releases to GitHub, upload releases to AWS, potentially add
code to the main repository branch, backdoor PyTorch dependencies –
the list goes on. In short, it was bad. Quite bad.

As we’ve seen before with SolarWinds, Ledger, and others, supply
chain attacks like this are killer from an attacker’s
perspective. With this level of access, any respectable
nation-state would have several paths to a PyTorch supply chain
compromise.
Lire la suite sur LWN.net
https://lwn.net/Articles/958318/

Voir aussi

pytorch Murderer executed with nitrogen BoingBoing26 Jan
chain Using GoAnywhere MFT for file transfers? Patch now – an exploit's out for a critical bug TheRegister24 Jan
supply Legacy tech shoots down Ministry of Defence's supply chain improvements TheRegister23 Jan
stawinski The Post Office systems scandal demands a critical response TheRegister22 Jan
how Patch now: Critical VMware, Atlassian flaws found TheRegister16 Jan
compromise Thousands of Juniper Networks devices vulnerable to critical RCE bug TheRegister15 Jan
upload Patch time: Critical GitLab vulnerability exposes 2FA-less users to account takeovers TheRegister15 Jan
bad Post-Quantum Encryption Algorithm KyberSlash Patched After Side-Channel Attack Discovered Slashdot14 Jan
executed Ukrainian Hacker Group Takes Down Moscow ISP As a Revenge For Kyivstar Cyber Attack Slashdot13 Jan
attack Linux Devices Are Under Attack By a Never-Before-Seen Worm Slashdot10 Jan
critical America's first private lunar lander suffers 'critical' fuel leak en route to Moon TheRegister 8 Jan
pytorch America's first private lunar lander suffers 'critical' fuel leak en route to Moon TheRegister 8 Jan
chain Des vétérans de Phoenix Labs (Dauntless) créent le studio Critical Path Games GameKult 8 Jan
supply LA Times bans 38 of its journalists from reporting on Gaza after they sign open letter critical of coverage BoingBoing 6 Jan
stawinski Ivanti Warns of Critical Vulnerability In Its Popular Line of Endpoint Protection Software Slashdot 6 Jan
how Organizations don't know how to address software supply chain security BetaNews 5 Jan
compromise Critical Infrastructure Is Sinking Along the US East Coast Wired: Tech. 5 Jan
upload Sandworm's Kyivstar attack should serve as a reminder of the Kremlin crew's 'global reach' TheRegister 5 Jan
bad SpaceX accused of firing employees critical of free speech fan Elon Musk TheRegister 4 Jan
executed EU Competition Chief Defends AI Act After Macron's Attack Slashdot29 Dec
News copyright owned by their original publishers | Copyright © 2004 - 2024 Zicos / 440Network
Date Actuelle
ven. 10 mai - 14:32 CEST