Cyberattackers Torch Python Machine Learning Project
The popular PyTorch Python project for data scientists and machine learning developers has become the latest open source project to be targeted with a dependency confusion attack.
Machine learning supports malware detection and threat analysis, but attackers can also exploit biased data, model weaknesses, or poisoned training.
Search across headline titles and summaries.
Background for this topic.
Machine learning is a way to build software that learns patterns from data and uses them to classify, predict, or make decisions, rather than relying solely on hand-written rules. Models may support malware and phishing detection, user- or entity-behavior analysis, vulnerability prioritization, and automated security triage. Their outputs are probabilistic, so unusual activity can be missed or incorrectly flagged; changing normal behavior can also cause model drift and reduce accuracy.
Security teams must protect both the model and its training data. An attacker may manipulate training examples (data poisoning), craft inputs designed to evade detection (adversarial examples), or extract sensitive information from a model or its data. Controls include trusted data provenance, access restrictions, testing against realistic evasive inputs, monitoring for drift, and human review of high-impact decisions. Where models process personal, proprietary, or security telemetry, collection, retention, and reuse require appropriate privacy and governance controls.
The popular PyTorch Python project for data scientists and machine learning developers has become the latest open source project to be targeted with a dependency confusion attack.
The maintainers of the PyTorch package have warned users who have installed the nightly builds of the library between December 25, 2022, and December 30, 2022, to uninstall and download the latest versions following a dependency confusion attack
The bad news: the crooks have your SSH private keys. The good news: only users of the "nightly" build were affected.