The proof of concept shows it's possible to upload malicious PyTorch releases to GitHub by exploiting insecure misconfigurations in GitHub Actions.

Researchers say compromised tool in the GitHub CI/CD environment stole credentials; infosec leaders need to act immediately.