Navigation
Recherche
|
Stawinski: How We Executed a Critical Supply Chain Attack on PyTorch
lundi 15 janvier 2024, 16:16 , par LWN.net
John Stawinski IV describes,
in detail, how he and a partner were able to compromise the security of the heavily used PyTorch project. Our exploit path resulted in the ability to upload malicious PyTorch releases to GitHub, upload releases to AWS, potentially add code to the main repository branch, backdoor PyTorch dependencies – the list goes on. In short, it was bad. Quite bad. As we’ve seen before with SolarWinds, Ledger, and others, supply chain attacks like this are killer from an attacker’s perspective. With this level of access, any respectable nation-state would have several paths to a PyTorch supply chain compromise.
https://lwn.net/Articles/958318/
Voir aussi |
56 sources (32 en français)
Date Actuelle
ven. 10 mai - 14:32 CEST
|