TensorFlow CI/CD Flaw Exposed Supply Chain to Poisoning Attacks
January 18, 2024 at 08:03AM Misconfigurations in TensorFlow’s CI/CD system enabled potential supply chain attacks. GitHub-hosted runners are not vulnerable, but self-hosted runners executed without approval, permitting unauthorized code execution. Ephemeral runner security measures were bypassed, allowing for breaches of GitHub repository and PyPI registry integrity. Project maintainers addressed the issues post-disclosure, mitigating the risks. … Read more