Anybody who installed a nightly release from the PyTorch machine-learning library between
December 25 and 30 will
want to uninstall it immediately:

At around 4:40pm GMT on December 30 (Friday), we learned about a
malicious dependency package (torchtriton) that was uploaded to the
Python Package Index (PyPI) code repository with the same package
name as the one we ship on the PyTorch nightly package index. Since
the PyPI index takes precedence, this malicious package was being
installed instead of the version from our official repository. This
design enables somebody to register a package by the same name as
one that exists in a third party index, and pip will install their
version by default.

This malicious package has the same name torchtriton but added in
code that uploads sensitive data from the machine.
Source: LWN.net – Nightly PyTorch builds compromised
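
As an added example (not code from the PyTorch announcement or from LWN), a small audit of a requirements file for the exposure described above: a second index in play and no hash pin on the requirement. The sample file, its placeholder index URL and the function names are constructed for illustration.

```python
import re

# Constructed sample: the index URL is a placeholder, not PyTorch's real one.
SAMPLE_REQUIREMENTS = """\
# nightly install (constructed example)
--extra-index-url https://nightly.example.invalid/simple
torch
torchtriton
numpy==1.24.1
"""

NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def normalize(name):
    """PEP 503 normalization, so Torch_Triton and torch-triton compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text):
    """Return (extra_indexes, exposed_names) for a requirements file.

    A requirement is 'exposed' when an extra index is configured next to
    the default one and the line carries no --hash, so pip may accept a
    same-named upload from either index. A version pin alone does not help.
    """
    extra_indexes, reqs = [], []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^--extra-index-url[ =](\S+)", line)
        if m:
            extra_indexes.append(m.group(1))
        elif line.startswith("-"):
            continue  # other pip options are out of scope for this check
        else:
            name = NAME_RE.match(line)
            if name:
                reqs.append((normalize(name.group(0)), "--hash=" in line))
    if not extra_indexes:
        return extra_indexes, []  # single index: no cross-index name clash
    return extra_indexes, [n for n, hashed in reqs if not hashed]


if __name__ == "__main__":
    indexes, exposed = audit_requirements(SAMPLE_REQUIREMENTS)
    print("extra indexes:", indexes)
    print("no hash pin, resolvable from any index:", exposed)
```
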