The attackers registered the package name torchtriton on the official PyPI registry with a high version number. The attack targeted users who installed PyTorch-nightly via Linux pip between Decemand December 30, 2022, and worked using a namespace or dependency confusion tactic. In December 2022, PyTorch disclosed a malicious dependency posing as a legitimate library in their popular machine learning framework. We provide you with the information and insights you need to stay one step ahead of the bad actors and keep your projects safe. We keep you informed about the latest security vulnerabilities and threats in order to keep your build environments protected. Since 2019, Sonatype’s security research team have discovered a total of 108,973 packages flagged as malicious, suspicious, or proof-of-concept. In an effort to surface more awareness of this issue on PyPI, below we cover the top 8 malicious attacks that recently caught the eyes of our security researchers. We’ve previously selected the top 8 malicious packages found on the npm registry. However, as with any software repository, including GitHub, npm, and RubyGems, PyPI is not immune to attacks from bad actors. It is a widely used third-party resource for Python developers to find and install useful libraries and tools for their projects. Python Package Index ( PyPI) is the official repository of Python software packages.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |