Security researcher John Stawinski of Praetorian asserts that a recently disclosed category of CI/CD attacks might have enabled attackers to inject malicious code into the PyTorch repository, which would have resulted in a catastrophic supply chain compromise.
The attack technique, first described in December 2023, targets GitHub repositories that have self-hosted runners attached and lets a threat actor run arbitrary code without authorization. An attacker can join a repository that has a self-hosted runner attached by submitting a fork pull request.
From there, they can use the runner to execute any GitHub workflow. If the default configuration steps were followed, the runner is non-ephemeral, which makes persistent access possible.
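A defender-side check for the exposure described above, as an added example (not from the original article or from Praetorian): it flags workflow files that both trigger on pull requests and run a job on a runner labelled `self-hosted`. The workflow texts are constructed samples and the function names are hypothetical.

```python
import re

def trigger_block(text):
    """Inline value plus indented body of the top-level `on:` key."""
    out, inside = [], False
    for line in text.splitlines():
        if re.match(r"""^["']?on["']?\s*:""", line):
            inside = True
            out.append(line.split(":", 1)[1])
        elif inside and (line[:1] in (" ", "\t") or not line.strip()):
            out.append(line)
        elif inside:
            break
    return "\n".join(out)

def self_hosted_lines(text):
    """1-based line numbers of runs-on entries carrying the self-hosted label."""
    lines, hits = text.splitlines(), []
    for i, line in enumerate(lines):
        m = re.match(r"\s*runs-on\s*:(.*)$", line)
        if not m:
            continue
        value = m.group(1)
        if not value.strip():              # block-list form: "- self-hosted"
            for nxt in lines[i + 1:]:
                if not nxt.strip().startswith("-"):
                    break
                value += " " + nxt
        if re.search(r"(?<![\w-])self-hosted(?![\w-])", value):
            hits.append(i + 1)
    return hits

def audit(text):
    # Limits: runners selected only by custom labels, runner groups or
    # expressions are not detected; a hit means "review", not proof.
    text = "\n".join("" if l.lstrip().startswith("#") else l for l in text.splitlines())
    triggers = sorted(set(re.findall(r"\bpull_request(?:_target)?\b", trigger_block(text))))
    hosted = self_hosted_lines(text)
    return {"pr_triggers": triggers, "self_hosted_lines": hosted,
            "needs_review": bool(triggers and hosted)}

# Constructed sample workflows (not taken from any real repository).
RISKY = ("name: test\non:\n  push:\n    branches: [main]\n  pull_request:\n"
         "jobs:\n  build:\n    runs-on: [self-hosted, linux]\n    steps:\n      - run: make test\n")
HOSTED_PUSH_ONLY = "on: push\njobs:\n  deploy:\n    runs-on:\n      - self-hosted\n      - gpu\n"
GITHUB_HOSTED = "on: [push, pull_request]\njobs:\n  build:\n    runs-on: ubuntu-latest\n"

if __name__ == "__main__":
    for name in ("RISKY", "HOSTED_PUSH_ONLY", "GITHUB_HOSTED"):
        print(name, audit(globals()[name]))
```
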