In a recent breach, attackers targeted Ultralytics YOLO packages on PyPI, the official Python package index, compromising a popular library used for developing custom machine learning models. By infiltrating the build environment of this widely used tool, the attackers were able to deploy cryptocurrency mining malware onto the systems that installed the trojanized version of the package. While cryptocurrency mining was the malware’s payload, the attackers could have used this vulnerability to introduce any type of malicious software.
The method behind the attack was a known exploit involving GitHub Actions, an automation tool that runs tasks like code builds. The attackers used this vector to inject malicious code into the package during its automated build process, bypassing the usual code review mechanisms: the harmful code went directly into the version uploaded to PyPI, while the repository on GitHub remained untouched. This proved to be a highly effective way of compromising the distribution pipeline without leaving traces in the original source code.
The compromised version of Ultralytics YOLO, identified as version 8.3.41, was published on December 4. Just a day later, on December 5, the Ultralytics team was alerted to the breach and attempted to release a patch with version 8.3.42. However, because they initially lacked a full understanding of how the compromise occurred, the new version inadvertently included the same malicious code. It wasn’t until later that day, when the root cause of the breach was identified, that the Ultralytics team released a clean and secure version, 8.3.43, to resolve the issue.
Ultralytics YOLO is a significant project within the AI community, with over 30,000 stars and more than 6,000 forks on GitHub. The PyPI package itself has seen almost 60 million downloads throughout its lifespan. This attack mirrors a recent compromise in another major project, @solana/web3.js, but differs in its method. While the Solana breach was caused by a compromised maintainer account, the Ultralytics compromise was a more sophisticated attack on the build environment, exploiting a known GitHub Actions script injection vulnerability, a technique that had previously been flagged by security researcher Adnan Khan. This highlights the growing complexity and sophistication of supply chain attacks targeting popular open-source projects.
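A defensive check for the GitHub Actions script injection class named above, as an added example that is not code from Ultralytics or from the original article: it flags `${{ ... }}` expressions built from attacker-controllable event fields when they are expanded inside a `run:` script. The two workflow fragments are constructed samples, not the project's workflow, and the context list is a subset of those GitHub documents as untrusted.

```python
import re

# Subset of the contexts GitHub documents as attacker-controllable.
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*\b(github\.head_ref|github\.event\."
    r"(?:issue|pull_request|comment|review|head_commit)"
    r"\.[\w.]*(?:title|body|ref|label|message))\b[^}]*\}\}"
)
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

def find_injectable_runs(workflow_text):
    """Return (line_no, context) for untrusted expressions inside run: scripts."""
    findings, run_indent = [], None  # run_indent: column of an open run: block
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY.match(line)
        if m:
            body = m.group(3)
            indent = len(m.group(1)) + len(m.group(2) or "")
            run_indent = indent if body[:1] in ("|", ">") else None
            target = body
        elif run_indent is not None:
            if line.strip() and len(line) - len(line.lstrip()) <= run_indent:
                run_indent = None  # dedent: the block scalar has ended
                continue
            target = line
        else:
            continue  # env:, with:, if: and other keys are not shell text
        findings += [(no, hit.group(1)) for hit in UNTRUSTED.finditer(target)]
    return findings

# Constructed sample: expressions are pasted into the script before the shell runs.
VULNERABLE = """\
steps:
  - run: |
      echo "Formatting ${{ github.head_ref }}"
      git commit -m "${{ github.event.pull_request.title }}"
"""
# Constructed sample: same values passed through env, so the shell sees only data.
HARDENED = """\
steps:
  - env:
      BRANCH: ${{ github.head_ref }}
      TITLE: ${{ github.event.pull_request.title }}
    run: |
      echo "Formatting $BRANCH"
      git commit -m "$TITLE"
"""

if __name__ == "__main__":
    print(find_injectable_runs(VULNERABLE), find_injectable_runs(HARDENED))
```

The scanner is line-based and only inspects `run:` scripts; expressions passed as inputs to other actions need separate review.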