By Michael Walshe, Tamas Bosznay and Andy Smith
PyTorch, the popular open-source machine learning framework, was affected by malware delivered through a malicious dependency package.
The malware was designed to extract system information such as hostnames, usernames, Git settings and potentially passwords from an infected environment. This information was then exfiltrated disguised as DNS name lookups.
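Exfiltration hidden in DNS lookups, as described above, leaves a trace in resolver logs: unusually long, high-entropy subdomain labels under a domain the organisation never normally queries. The following is an added detection example, not code from the article, the researchers or the PyTorch project. The log format, the sample lines and the allowlisted domain are all constructed, and the thresholds are starting points to tune against real traffic.

```python
"""Flag DNS queries whose subdomain labels look like encoded data.

Added example (not from the original article). Heuristic only: a label that is
both long and high-entropy is treated as suspicious unless its registered
domain is on a known-benign allowlist.
"""
import math
from collections import Counter
from typing import Iterable

# Constructed sample resolver log, one query per line:
# "<timestamp> <client-ip> <queried-name>". Lines 3 and 4 carry base64-like
# labels standing in for encoded host data; line 5 is a CDN-style name that
# would be a false positive without the allowlist.
SAMPLE_DNS_LOG = """\
2022-12-26T10:00:01Z 10.0.0.5 pypi.org
2022-12-26T10:00:02Z 10.0.0.5 files.pythonhosted.org
2022-12-26T10:00:03Z 10.0.0.5 aGVsbG8td29ybGQtdXNlcjEyMw.example-exfil.test
2022-12-26T10:00:04Z 10.0.0.5 dXNlcm5hbWU9amRvZS1naXQ.example-exfil.test
2022-12-26T10:00:05Z 10.0.0.7 a1b2c3d4e5f6g7h8i9j0k1.example-cdn.test
2022-12-26T10:00:06Z 10.0.0.7 github.com
"""

# Hypothetical allowlist: domains known to use opaque labels legitimately (CDNs etc.).
KNOWN_BENIGN_DOMAINS = {"example-cdn.test"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_suspicious_name(name: str, min_label_len: int = 20, min_entropy: float = 3.0,
                       allowlist: Iterable[str] = KNOWN_BENIGN_DOMAINS) -> bool:
    """True if any label below the registered domain is long and high-entropy."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return False                      # nothing below the registered domain
    base = ".".join(labels[-2:])          # crude approximation of the registered domain
    if base in set(allowlist):
        return False
    return any(len(label) >= min_label_len and shannon_entropy(label) >= min_entropy
               for label in labels[:-2])


def scan_dns_log(text: str) -> list[tuple[str, str]]:
    """Return (client-ip, queried-name) pairs for queries that look like encoded data."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        _timestamp, client, name = parts
        if is_suspicious_name(name):
            hits.append((client, name))
    return hits


if __name__ == "__main__":
    for client, name in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"suspicious DNS query from {client}: {name}")
```

Run on the constructed log, the scanner reports the two queries from 10.0.0.5 to example-exfil.test and nothing else. The registered-domain approximation (last two labels) is deliberately simple; a production version would use the public suffix list and correlate hits with the process or host that issued them, since a single long label is weak evidence on its own while a burst of them to one unfamiliar domain is not.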
This PyTorch vulnerability could be exploited in the nightly (pre-release) builds because they use a private repository to distribute some of their dependencies. The install instructions recommended using --extra-index-url to add that repository, but this is a known weakness: with this option pip checks PyPI first and installs from the private index only if no package of the same name exists on PyPI.
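The weakness above is a configuration problem, so it can be caught by auditing requirement files before they reach a build. The following is an added example, not code from the article or the PyTorch project: it checks a requirements file for an extra index, for packages that are not pinned, and for missing --hash entries, and shows the hardened form beside the risky one. The index URL, package names and hash values are constructed placeholders.

```python
"""Audit pip requirement files for dependency-confusion risk.

Added example, not from the original article. 'private.example.test' and the
all-zero/all-one hashes are constructed placeholders.
"""
import re

# Constructed requirements file mirroring the risky pattern: an extra index for
# a private package, so pip also considers PyPI for the same name.
RISKY_REQUIREMENTS = """\
--extra-index-url https://private.example.test/simple
numpy==1.24.1
internal-tooling
"""

# Constructed hardened variant: one index only (assumed to proxy PyPI), every
# package pinned, and hashes required so a substituted artifact fails to install.
HARDENED_REQUIREMENTS = """\
--index-url https://private.example.test/simple
--require-hashes
numpy==1.24.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
internal-tooling==2.3.0 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

# A requirement line pinned to exactly one version with '=='.
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\s*==\s*\S+")


def audit_requirements(text: str) -> list[str]:
    """Return human-readable findings; an empty list means no issue was found."""
    findings = []
    has_extra_index = has_index = require_hashes = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("--extra-index-url"):
            has_extra_index = True
            findings.append(f"extra index used ({line.split()[1]}): "
                            "pip will also consult PyPI for every package name")
            continue
        if line.startswith("--index-url"):
            has_index = True
            continue
        if line == "--require-hashes":
            require_hashes = True
            continue
        if line.startswith("-"):
            continue                             # other pip options, not audited here
        name = re.split(r"[<>=!~\s\[;]", line, maxsplit=1)[0]
        if not PIN_RE.match(line):
            findings.append(f"{name}: not pinned with ==, the newest version from any index wins")
        if "--hash=" not in line:
            findings.append(f"{name}: no --hash, a substituted package would install unnoticed")
    if has_extra_index and not has_index:
        findings.append("no --index-url: the default PyPI index stays in the candidate set")
    if not require_hashes:
        findings.append("--require-hashes not set")
    return findings


if __name__ == "__main__":
    for label, req in (("risky", RISKY_REQUIREMENTS), ("hardened", HARDENED_REQUIREMENTS)):
        print(f"{label}: {audit_requirements(req) or ['no findings']}")
```

The hardened file passes because --index-url replaces PyPI instead of adding to it, which only works if the private index also serves (or proxies) the public packages the project needs; pinning plus --require-hashes then makes the install fail closed if any index serves a different artifact than the one that was reviewed.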
Companies using PyTorch can reduce their exposure by: