
Python Package Index (PyPI) is the official repository of Python software packages. It is a widely used third-party resource for Python developers to find and install useful libraries and tools for their projects. However, as with any software repository, including GitHub, npm, and RubyGems, PyPI is not immune to attacks from bad actors. We've previously selected the top 8 malicious packages found on the npm registry. In an effort to surface more awareness of this issue on PyPI, below we cover the top 8 malicious attacks that recently caught the eyes of our security researchers. Since 2019, Sonatype's security research team has discovered a total of 108,973 packages flagged as malicious, suspicious, or proof-of-concept.

We keep you informed about the latest security vulnerabilities and threats in order to keep your build environments protected. We provide you with the information and insights you need to stay one step ahead of the bad actors and keep your projects safe.

In December 2022, PyTorch disclosed a malicious dependency posing as a legitimate library in their popular machine learning framework. The attack targeted users who installed PyTorch-nightly via Linux pip between December 25 and December 30, 2022, and worked using a namespace or dependency confusion tactic. The attackers registered the package name torchtriton on the official PyPI registry with a high version number. During dependency resolution with Python, packages on PyPI generally take precedence over those on private or alternative registries, so the bad actors used that to their advantage. The payload read various files, including SSH keys and up to 1000 files in the $HOME directory, and exfiltrated information back to a command-and-control (C2) server.
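To make the resolution step concrete, here is an added Python example (not Sonatype's or PyTorch's code) that models a resolver merging candidates from a private index with the public one, and the three controls that narrow the candidate pool: restricting to one trusted index, an exact version pin, and a hash allow-list. The index labels, versions and digests are constructed sample data.

```python
# Added example (not Sonatype's code): a resolver that merges a private index
# with the public one, the behaviour dependency confusion abuses. Data is constructed.
from dataclasses import dataclass
from typing import Iterable, Optional, Set

@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str   # hypothetical labels: "private" or "public"
    sha256: str  # constructed digest, not a real artifact hash

def version_key(version: str) -> tuple:
    """Numeric sort key; a '+local' suffix is ignored for comparison."""
    return tuple(int(p) for p in version.split("+")[0].split("."))

def resolve(name: str, candidates: Iterable[Candidate],
            allowed_indexes: Optional[Set[str]] = None,
            pin: Optional[str] = None,
            expected_sha256: Optional[Set[str]] = None) -> Optional[Candidate]:
    """Highest version across all indexes, as a merged resolution picks it; the
    optional controls narrow the pool first (one index, exact pin, hash allow-list)."""
    pool = [c for c in candidates if c.name == name]
    if allowed_indexes is not None:
        pool = [c for c in pool if c.index in allowed_indexes]
    if pin is not None:
        pool = [c for c in pool if c.version == pin]
    if expected_sha256 is not None:
        pool = [c for c in pool if c.sha256 in expected_sha256]
    return max(pool, key=lambda c: version_key(c.version), default=None)

def confusable_names(private_names: Iterable[str],
                     candidates: Iterable[Candidate]) -> dict:
    """Private names that also exist on the public index -> (private, public)
    highest versions; a higher public version means the public copy would win."""
    cands, found = list(candidates), {}
    for name in private_names:
        priv = resolve(name, cands, allowed_indexes={"private"})
        pub = resolve(name, cands, allowed_indexes={"public"})
        if priv is not None and pub is not None:
            found[name] = (priv.version, pub.version)
    return found

# Constructed sample: the legitimate build lives on the private index, and an
# attacker uploaded the same name to the public index with a higher version.
CANDIDATES = [
    Candidate("torchtriton", "2.0.0", "private", "a1" * 32),
    Candidate("torchtriton", "3.0.0", "public", "b2" * 32),
    Candidate("internal-utils", "1.2.0", "private", "c3" * 32),
]
```

Note that an exact version pin only helps until someone publishes the same name at the pinned version; a single trusted index or a hash allow-list is the control to rely on.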
