Python remains far and away the most popular programming language, up 27 percent over last year, a healthy rise considering its growing user base. At least some of that growth came at the expense of ...

But, when fetching dependencies in the Python ecosystem, PyPI normally takes precedence, causing the malicious package to get pulled on your machine instead of PyTorch's legitimate one.

How did the PyTorch compromise happen? According to the PyTorch team, a malicious torchtriton dependency package was uploaded to the PyPI code repository on Friday, Dec. 30, 2022, at around 4:40 p.m.