Security Tips for using Open Source tools (PyTorch Malware)

  • Open Source
  • Security

By Michael Walshe, Tamas Bosznay and Andy Smith

 

Security vulnerabilities make the life of data and IT professionals fun at times. Just like the log4shell vulnerability discovered in December 2021, impacting lots of technologies and professionals across the globe, this recent 2022 Festive Period came with a new one, PyTorch.

PyTorch, the popular open-source machine learning framework, was affected by a malware.

The malware was designed to extract system information like hostnames, usernames, Git settings and potentially passwords from an infected environment, This information would then be sent disguised as DNS name lookups.

 

How did this happen?

This PyTorch vulnerability was able to be exploited on the nightly (pre-release) builds, as it uses a private repository to distribute some of the dependencies. The install instructions recommend using –extra-index-url to add these dependencies, but this is a known vulnerability as with this option pip will first check PyPI and only if packages do not exist there will it install the local ones.

Tips for reducing your vulnerability

Companies using PyTorch could make themselves less at risk by:

  1. Not installing the latest or pre-release versions of packages – this attack likely targeted admins and developers who test new packages or use the latest features on non-production environments
  2. Using a private internal/vetted repositories of packages rather than PyPI – note that you need to be sure that only the internal repo is used, use –index-url and avoid –extra-index-url, and set these options in the global pip config. A number of companies offer vetted package repositories, or one could create a separate version (there are some community tools for finding and tracking vulnerable python packages, e.g. pip-audit and PyPA advisory-database)
  3. Managing dependencies using conda instead of pip – Conda has stricter requirements for adding packages and package security
Back to Insights

Talk to us about how we can help