The developer behind the open source machine learning framework PyTorch learned of a malicious dependency mimicking one of its own. According to PyTorch, the malicious dependency was available on a leading code repository over the Christmas period and had the same name as a legitimate dependency. However, the malicious version featured code that uploaded sensitive data from a victim’s machine.
PyTorch learned of the malicious package on December 30, it reported. The open source machine learning framework released a blog post discussing the incident. In the post, the organization urged anyone who installed PyTorch nightly on Linux via pip over the holiday season to uninstall it immediately. Roughly 2300 developers had downloaded the malicious package in that week, meaning that their projects could be at risk.
Read More: Malicious PyTorch Package Downloaded Thousands of Times