Introduction

A significant supply chain attack has compromised the Ultralytics AI library [5], affecting widely used versions of the package and posing a substantial risk to its users. This incident highlights weaknesses in software repositories and their release pipelines, and underscores the importance of robust security measures.

Description

A significant supply chain attack has compromised the widely used Ultralytics AI library, specifically affecting versions 8.3.41 and 8.3.42 [5], which are dependencies of various AI packages, including the ComfyUI Impact Pack and SwarmUI. On December 4 [2] [8] [9], a malicious version 8.3.41 was published on the Python Package Index (PyPI) by an unidentified threat actor, leading to the automatic installation of XMRig cryptomining software without users’ consent. This version connected to a mining pool at “connect.consrensys.com:8080” to mine Monero (XMR). The attackers exploited a known GitHub Actions script injection vulnerability [2] [8] [9], embedding payloads in the branch names of crafted pull requests so that the workflow executed attacker-controlled code; because the payload lived in the branch name rather than in the diff, it bypassed code review and achieved arbitrary code execution in the build. Users reported that version 8.3.42 also contained the same malicious code, again deploying the XMRig cryptominer [4]. The attack was discovered by a developer who compared the PyPI package with the GitHub repository [1], which led to warnings in a GitHub thread [1]. Analysis revealed that the attackers modified two critical files, downloads.py and model.py [7]. The injected code in model.py inspects the system configuration to download a payload tailored to the specific platform and CPU architecture [7], while downloads.py contains the code responsible for the payload download itself [7].
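As an added illustration of the GitHub Actions vector described above (this is example code, not code from the article or from Ultralytics), the following scanner flags run: steps that expand pull-request-controlled expressions directly into a shell script, and shows a constructed vulnerable step beside its hardened form; the list of untrusted expression contexts is taken from GitHub's documentation, not from the article.

```python
"""Flag GitHub Actions run: steps that expand pull-request-controlled expressions
straight into a shell script (the branch-name injection vector described above)."""
import re

# Contexts a PR author controls; list taken from GitHub's docs, not from the article.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.head_ref"
    r"|github\.event\.pull_request\.(title|body|head\.ref|head\.label)"
    r"|github\.event\.(issue\.(title|body)|comment\.body))\s*\}\}")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

def run_steps(workflow_text):
    """Yield (line_no, script) per run: step, folding | and > block scalars."""
    lines, i = workflow_text.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        script, j = [m.group(3)], i + 1
        # block-scalar continuation lines are indented deeper than the run: key
        while j < len(lines) and (not lines[j].strip()
                                  or len(lines[j]) - len(lines[j].lstrip()) > key_indent):
            script.append(lines[j].strip())
            j += 1
        yield i + 1, "\n".join(script)
        i = j

def find_injections(workflow_text):
    """Return [(line_no, expression)] for every untrusted expansion in a run: step."""
    return [(n, m.group(0)) for n, script in run_steps(workflow_text)
            for m in UNTRUSTED.finditer(script)]

# Constructed sample (not Ultralytics' workflow): the PR branch name is spliced
# into the shell command, so a crafted branch name is parsed as shell syntax.
VULNERABLE = """\
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Report branch
        run: echo "Checking ${{ github.head_ref }}"
"""
# Same step hardened: the runner puts the value in an env var; the shell only reads it.
HARDENED = VULNERABLE.replace(
    '        run: echo "Checking ${{ github.head_ref }}"',
    '        env:\n          HEAD_REF: ${{ github.head_ref }}\n'
    '        run: echo "Checking $HEAD_REF"')
```

Running find_injections over a repository's .github/workflows files reports the line of each offending run: step; the hardened form yields no findings because the expression is expanded by the runner into an environment variable rather than by the shell.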

In response to the attack, Ultralytics removed the compromised versions and released an updated version, 8.3.43 [4] [5], later that day [8]. However, further compromised releases followed as versions 8.3.45 and 8.3.46 [4], indicating ongoing security challenges and prompting Ultralytics to conduct a full security audit and implement additional safeguards to prevent future incidents. Although version 8.3.42 [1] had been released as a mitigation, it too contained the same malicious code [2] [8], increasing the risk for users who updated under the assumption of improved security [3]. Versions 8.3.40 and earlier are confirmed to be safe [1]. Although no public advisory regarding the attack has been issued [1], Ultralytics has paused automatic deployments and is investigating the incident [1], which appears to involve malicious code injection in the deployment workflow [1]. The malicious activity was traced to a GitHub user based in Hong Kong [1], indicating a possible account takeover [2]; that account was subsequently blocked [1].

With nearly 60 million downloads and a large user base (Ultralytics has over 30,000 stars on GitHub), the compromised library posed a significant risk, although the observed damage was limited to mining activity [6]. Researchers noted that the same exploitation vector could have been used to distribute far more harmful malware [2] [8], such as backdoors or remote access Trojans (RATs) [2] [8] [9]. Further investigation is required to assess the effectiveness of the attackers’ cryptomining and whether any user data was exfiltrated [4]. Users who installed the compromised versions are strongly advised to uninstall the package immediately and restore their systems to a previously known clean state, while monitoring for any signs of cryptomining activity. Developers and users are urged to verify software updates and their sources to prevent similar incidents [6]; during this attack, the discrepancies between the GitHub repository and the corresponding PyPI package were evident to anyone who compared them. This incident is part of a broader trend of supply chain compromises affecting software repositories [1], particularly in the realm of AI tools, underscoring the need for robust security practices and vigilance in monitoring software dependencies [5].

Conclusion

The Ultralytics AI library attack serves as a stark reminder of the vulnerabilities inherent in software supply chains. While the immediate threat was limited to cryptomining, the potential for more severe exploitation exists. This incident emphasizes the necessity for comprehensive security audits, vigilant monitoring of software dependencies [5], and prompt response strategies to mitigate risks. As the software industry continues to face similar threats, adopting robust security practices and fostering awareness among developers and users will be crucial in safeguarding against future compromises.

References

[1] https://www.techtarget.com/searchSecurity/news/366616877/Ultralytics-YOLO-AI-model-compromised-in-supply-chain-attack
[2] https://summamoney.com/investing/the-daily/compromised-ai-library-delivers-cryptocurrency-miner-via-pypi/
[3] https://www.wiz.io/blog/ultralytics-ai-library-hacked-via-github-for-cryptomining
[4] https://www.scworld.com/brief/supply-chain-attack-compromises-ultralytics-ai-model
[5] https://thesecmaster.com/blog/ultralytics-yolo-ai-model-compromised-by-cryptomining-supply-chain-attack
[6] https://www.techepages.com/ultralytics-ai-library-with-60m-downloads-compromised-for-cryptomining/
[7] https://www.csoonline.com/article/3619159/supply-chain-compromise-of-ultralytics-ai-library-results-in-trojanized-versions.html
[8] https://www.infosecurity-magazine.com/news/ai-library-delivers-cryptocurrency/
[9] https://securityboulevard.com/2024/12/compromised-ultralytics-pypi-package-delivers-crypto-coinminer/