New Type of CI/CD Attacks Might Have Enabled PyTorch Supply Chain Compromise

New-Type-of-CI-CD-Attacks-Might-Have-Enabled-PyTorch-Supply-Chain-Compromise
New-Type-of-CI-CD-Attacks-Might-Have-Enabled-PyTorch-Supply-Chain-Compromise

Security researcher John Stawinski of Praetorian asserts that a recently disclosed category of CI/CD attacks might have enabled attackers to inject malicious code into the PyTorch repository, resulting in a catastrophic compromise of the supply chain.

The attack technique, which was first described in December 2023, targets GitHub repositories that have self-hosted runners attached and gives a threat actor the ability to run arbitrary code without authorization. An attacker can join a repository that has a self-hosted runner attached by submitting a fork pull request.

From there, they can use the runner to execute any GitHub workflow. Persistent access is possible because the runner is non-ephemeral if the default configuration steps were followed.

Read More: New Class of CI/CD Attacks Could Have Led to PyTorch Supply Chain Compromise

For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates.