"Researchers Demo New CI/CD Attack Techniques in PyTorch Supply-Chain"

Security researchers used new techniques to infiltrate PyTorch's development infrastructure by exploiting insecure configurations in GitHub Actions workflows. Their proof-of-concept (POC) attack was disclosed to PyTorch's lead developer, Meta AI. However, other software development organizations using GitHub Actions are likely to have made similar deployment mistakes, potentially exposing themselves to software supply chain attacks. According to security researcher John Stawinski, their exploit path allowed them to upload malicious PyTorch releases to GitHub, potentially add code to the main repository branch, backdoor PyTorch dependencies, and more. This article continues to discuss the Continuous Integration and Continuous Delivery (CI/CD) attack methods demonstrated by the researchers.

CSO Online reports "Researchers Demo New CI/CD Attack Techniques in PyTorch Supply-Chain"

Submitted by grigby1
