Popular AI Library Ultralytics YOLO11 Compromised in Supply Chain Attack

Popular Python AI library hacked to deliver malware

The attack has since been addressed, but users warned to be on their guard Ultralytics YOLO11, an AI model for computer vision and object detection, was compromised in an apparent supply chain attack, and used to deploy malware on victim devices. The attack was confirmed by the company's founder, who also said the incident was remedied, and the malicious version pulled - however, it seems that new malicious versions have popped up again. YOLO11 (short for You Only Look Once), is an AI model designed for real-time computer vision tasks, such as identifying objects, analyzing images, and detecting poses. The service is quite popular, being starred more than 30,000 times, forked on GitHub more than 6,000 times, and counts hundreds of thousands of downloads a day. As an open source solution, YOLO11 was also available for download on PyPI, one of the world's biggest Python package repositories. There, an unidentified threat actor recently broke into the account and uploaded two versions - 8.3.41, and 8.3.42. Those who updated to these versions, either directly or through a dependency, ended up with a cryptocurrency miner on their devices. The miner installed is called XMRig, and it is by far the most popular cryptojacker (a "hijacker" malware that mines crypto) out there. XMRig is known for generating Monero (XMR), a privacy-oriented currency that is difficult to trace. Ultralytics founder and CEO Glenn Jocher confirmed the attack, and said it was addressed: "We confirm that Ultralytics versions 8.3.41 and 8.3.42 were compromised by a malicious code injection targeting cryptocurrency mining. Both versions have been immediately removed from PyPI," Jocher posted to GitHub. "We have released 8.3.43 which addresses this security issue. Our team is conducting a full security audit and implementing additional safeguards to prevent similar incidents." However, over the weekend BleepingComputer said there were user reports of even newer versions - 8.3.45, and 8.3.46, who were "trojanized". At press time, GitHub shows 8.3.48 as the newest version.

Ultralytics AI model hijacked to infect thousands with cryptominer

The popular Ultralytics YOLO11 AI model was compromised in a supply chain attack to deploy cryptominers on devices running versions 8.3.41 and 8.3.42 from the Python Package Index (PyPI) Ultralytics is a software development company specializing in computer vision and artificial intelligence (AI), specifically in object detection and image processing. It's best known for its "YOLO" (You Only Look Once) advanced object detection model, which can quickly and accurately detect and identify objects in video streams in real time. Ultralytics tools are open-source and are used by numerous projects spanning a wide range of industries and applications. The library has been starred 33,600 times and forked 6,500 times on GitHub, and it has had over 260,000 over the past 24 hours from PyPI alone. Yesterday, Ultralytics 8.3.41 and 8.3.42 were released to PyPi, and users who installed the compromised versions directly or as a dependency discovered that a cryptominer was deployed. For Google Colab accounts, owners got flagged and banned due to "abusive activity." Ultralytics is a dependency of both SwarmUI and ComfyUI, who both confirmed that fresh installs of their libraries would have led to the installation of the miner. When installed, the compromised library installs and launches an XMRig Miner at '' to connect to a minin pool at "connect.consrensys[.]com:8080". Ultralytics founder and CEO Glenn Jocher confirmed that the issue only impacts those two compromised versions, which have already been pulled and replaced with a clean 8.3.43 version. "We confirm that Ultralytics versions 8.3.41 and 8.3.42 were compromised by a malicious code injection targeting cryptocurrency mining. Both versions have been immediately removed from PyPI," Jocher posted to GitHub. "We have released 8.3.43 which addresses this security issue. Our team is conducting a full security audit and implementing additional safeguards to prevent similar incidents." The developers are currently investigating the root cause, and potential vulnerabilities in the Ultralytics build environment to determine how it was breached. However, Jocher commented that the compromise appears to originate from two malicious PRs [1, 2]with code injection in the branch names submitted by a user in Hong Kong. Whether the malicious code solely performed crypto mining or compromised private user data remains unclear, and the community is still awaiting a formal advisory regarding the breach that will provide clarifications on all details. Out of an abundance of caution, those who downloaded a malicious version of Ultralytics should perform a full system scan. BleepingComputer has contacted Ultralytics to comment on the situation and learn more about how the supply chain compromise was achieved, but we are still awaiting a response.

Ultralytics AI Library Compromised: Cryptocurrency Miner Found in PyPI Versions

In yet another software supply chain attack, it has come to light that two versions of a popular Python artificial intelligence (AI) library named ultralytics were compromised to deliver a cryptocurrency miner. The versions, 8.3.41 and 8.3.42, have since been removed from the Python Package Index (PyPI) repository. A subsequently released version has introduced a security fix that "ensures secure publication workflow for the Ultralytics package." The project maintainer, Glenn Jocher, confirmed on GitHub that the two versions were infected by malicious code injection in the PyPI deployment workflow after reports emerged that installing the library led to a drastic spike in CPU usage, a telltale sign of cryptocurrency mining. The most notable aspect of the attack is that bad actors managed to compromise the build environment related to the project to insert unauthorized modifications after the completion of the code review step, thus leading to a discrepancy in the source code published to PyPI and the GitHub repository itself. "In this case intrusion into the build environment was achieved by a more sophisticated vector, by exploiting a known GitHub Actions Script Injection," ReversingLabs' Karlo Zanki said, adding the issue in "ultralytics/actions" was flagged by security researcher Adnan Khan, according to an advisory released in August 2024. This could allow a threat actor to craft a malicious pull request and to enable the retrieval and execution of a payload on macOS and Linux systems. In this instance, the pull requests originated from a GitHub account named openimbot, which claims to be associated with the OpenIM SDK. ComfyUI, which has Ultralytics as one of its dependencies, said it has updated ComfyUI manager to warn users if they are running one of the malicious versions. Users of the library are advised to update to the latest version. "It seems that the malicious payload served was simply an XMRig miner, and that the malicious functionality was aimed at cryptocurrency mining," Zanki said. "But it is not hard to imagine what the potential impact and the damage could be if threat actors decided to plant more aggressive malware like backdoors or remote access trojans (RATs)."