Comments for John Stawinski IV https://johnstawinski.com Making Hacking Accessible Tue, 06 May 2025 19:54:55 +0000

Comment on Fixing Typos and Breaching Microsoft’s Perimeter  by Black Hat and DEF CON Preview: “Grand Theft Actions” or “Continuous Integration, Continuous Destruction”? – John Stawinski IV https://johnstawinski.com/2024/04/15/fixing-typos-and-breaching-microsofts-perimeter/comment-page-1/#comment-526 Tue, 30 Jul 2024 16:35:03 +0000 http://johnstawinski.com/?p=662#comment-526 […] Fixing Typos and Breaching Microsoft’s Perimeter  […]

Comment on Playing with Fire – How We Executed a Critical Supply Chain Attack on PyTorch by Black Hat and DEF CON Preview: “Grand Theft Actions” or “Continuous Integration, Continuous Destruction”? – John Stawinski IV https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/comment-page-1/#comment-525 Tue, 30 Jul 2024 16:34:55 +0000 http://johnstawinski.com/?p=592#comment-525 […] from our PyTorch compromise blog post with another conference submission teaser. If you want to do some background reading, there’s a […]

Comment on Worse than SolarWinds: Three Steps to  Hack Blockchains, GitHub, and ML through GitHub Actions by Black Hat and DEF CON Preview: “Grand Theft Actions” or “Continuous Integration, Continuous Destruction”? – John Stawinski IV https://johnstawinski.com/2024/01/05/worse-than-solarwinds-three-steps-to-hack-blockchains-github-and-ml-through-github-actions/comment-page-1/#comment-524 Tue, 30 Jul 2024 16:34:51 +0000 http://johnstawinski.com/?p=568#comment-524 […] written about several of our attack paths, but have saved many of the details hoping that we’d get accepted to a large conference like […]

Comment on Scoring 100 Points on the New OSCP Exam: My Exam Experience by Black Hat and DEF CON Preview: “Grand Theft Actions” or “Continuous Integration, Continuous Destruction”? – John Stawinski IV https://johnstawinski.com/2022/10/09/scoring-100-points-on-the-new-oscp-exam-my-exam-experience/comment-page-1/#comment-523 Tue, 30 Jul 2024 16:34:48 +0000 http://johnstawinski.com/?p=143#comment-523 […] seems like yesterday I was sitting in the corner of my family’s gym in Essex, Vermont, trying to pass my OSCP exam so I could get my first […]

Comment on Fixing Typos and Breaching Microsoft’s Perimeter  by Worse than SolarWinds: Three Steps to  Hack Blockchains, GitHub, and ML through GitHub Actions – John Stawinski IV https://johnstawinski.com/2024/04/15/fixing-typos-and-breaching-microsofts-perimeter/comment-page-1/#comment-522 Sun, 21 Jul 2024 04:56:00 +0000 http://johnstawinski.com/?p=662#comment-522 […] Gaining remote code execution on a domain-joined Microsoft machine by exploiting Microsoft Deepspeed (update – walkthrough now available in Fixing Typos and Breaching Microsoft’s Perimeter ) […]

Comment on Playing with Fire – How We Executed a Critical Supply Chain Attack on PyTorch by Fixing Typos and Breaching Microsoft’s Perimeter  – John Stawinski IV https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/comment-page-1/#comment-517 Mon, 15 Apr 2024 16:28:26 +0000 http://johnstawinski.com/?p=592#comment-517 […] of our other attacks, like our attack on PyTorch, required implantation, reconnaissance, crazy token pivots, and secret stealing to prove impact. […]

Comment on Worse than SolarWinds: Three Steps to  Hack Blockchains, GitHub, and ML through GitHub Actions by Fixing Typos and Breaching Microsoft’s Perimeter  – John Stawinski IV https://johnstawinski.com/2024/01/05/worse-than-solarwinds-three-steps-to-hack-blockchains-github-and-ml-through-github-actions/comment-page-1/#comment-516 Mon, 15 Apr 2024 16:28:23 +0000 http://johnstawinski.com/?p=568#comment-516 […] you’ve been following the research we’ve released so far, you probably suspect that the Microsoft DeepSpeed repository uses self-hosted runners. You’re […]

Comment on Playing with Fire – How We Executed a Critical Supply Chain Attack on PyTorch by TensorFlow CI/CD Flaw Exposed Supply Chain to Poisoning Attacks https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/comment-page-1/#comment-504 Thu, 18 Jan 2024 13:42:00 +0000 http://johnstawinski.com/?p=592#comment-504 […] public GitHub repositories, including those associated with Chia Networks, Microsoft DeepSpeed, and PyTorch, are susceptible to malicious code injection via self-hosted GitHub Actions […]

Comment on Playing with Fire – How We Executed a Critical Supply Chain Attack on PyTorch by A "Critical Supply Chain Attack" on the PyTorch Infrastructure Raises Concerns — and a Bug Bounty - The Star News Today https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/comment-page-1/#comment-499 Thu, 18 Jan 2024 01:14:07 +0000 http://johnstawinski.com/?p=592#comment-499 […] Stawinski’s full write-up is available on his website. […]

Comment on Playing with Fire – How We Executed a Critical Supply Chain Attack on PyTorch by New Class of CI/CD Attacks Could Have Led to PyTorch Supply Chain Compromise – Cyber Social Hub https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/comment-page-1/#comment-481 Fri, 12 Jan 2024 13:02:19 +0000 http://johnstawinski.com/?p=592#comment-481 […] machine learning (ML) framework PyTorch, Stawinski explains, was one of their first targets, given its popularity. The child of Meta AI and now part of the […]
