Close Menu
Şevket Ayaksız

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Logitech M720 Triathlon mouse drops to $29 for Prime Day

    Temmuz 12, 2026

    Claude may soon ask some users for ID verification

    Temmuz 12, 2026

    Innocn’s 49-inch ultrawide monitor hits a record-low $500 for Prime Day

    Temmuz 12, 2026
    Facebook X (Twitter) Instagram
    • software
    • Gadgets
    Facebook X (Twitter) Instagram
    Şevket AyaksızŞevket Ayaksız
    Subscribe
    • Home
    • Technology

      Innocn’s 49-inch ultrawide monitor hits a record-low $500 for Prime Day

      Temmuz 12, 2026

      Sony 1000X The Collexion vs. Bowers & Wilkins Px8 S2: Which Premium Headphones Come Out on Top?

      Temmuz 11, 2026

      SpaceX Eyes Massive Starlink Expansion With Plans for 100,000 Additional Satellites

      Temmuz 11, 2026

      Nvidia celebrates 30 years of GPUs with free GeForce trading cards

      Temmuz 10, 2026

      Acer’s 7-in-1 wireless charging station drops to $50

      Temmuz 9, 2026
    • Adobe
    • Microsoft
    • java
    • Oracle
    Şevket Ayaksız
    Anasayfa » Trojanized Versions Emerge After Supply Chain Breach in Ultralytics AI Library
    software

    Trojanized Versions Emerge After Supply Chain Breach in Ultralytics AI Library

    By mustafa efeOcak 12, 2025Yorum yapılmamış2 Mins Read
    Facebook Twitter Pinterest LinkedIn Tumblr Email
    Share
    Facebook Twitter LinkedIn Pinterest Email

    In a recent breach, attackers targeted Ultralytics YOLO packages on PyPI, the official Python package index, compromising a popular library used for developing custom machine learning models. By infiltrating the build environment of this widely used tool, the attackers were able to deploy cryptocurrency mining malware onto the systems that installed the trojanized version of the package. While cryptocurrency mining was the malware’s payload, the attackers could have used this vulnerability to introduce any type of malicious software.

    The method behind the attack was a known exploit involving GitHub Actions, an automation tool that runs tasks like code builds. The attackers exploited this vector to inject malicious code into the package during its automated build process. This allowed the attackers to bypass the usual code review mechanisms and inject the harmful code directly into the version uploaded to PyPI, while the repository on GitHub remained untouched. This method proved to be a highly effective way of compromising the distribution pipeline without leaving traces in the original source code.

    The compromised version of Ultralytics YOLO, identified as version 8.3.41, was published on December 4. Just a day later, on December 5, the Ultralytics team was alerted to the breach and attempted to release a patch with version 8.3.42. However, because they initially lacked a full understanding of how the compromise occurred, the new version inadvertently included the same malicious code. It wasn’t until later that day, when the root cause of the breach was identified, that the Ultralytics team released a clean and secure version, 8.3.43, to resolve the issue.

    Ultralytics YOLO is a significant project within the AI community, with over 30,000 stars and more than 6,000 forks on GitHub. The PyPI package itself has seen almost 60 million downloads throughout its lifespan. This attack mirrors a recent compromise in another major project, @solana/web3.js, but differs in its method. While the Solana breach was caused by a compromised maintainer account, the Ultralytics attack was a more sophisticated attack on the build environment, exploiting a known vulnerability in GitHub Actions Script Injection, a technique that had previously been flagged by security researcher Adnan Khan. This highlights the growing complexity and sophistication of supply chain attacks targeting popular open-source projects.

    Post Views: 266
    Data Management Programming Languages Software Development
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    mustafa efe
    • Website

    Related Posts

    Claude may soon ask some users for ID verification

    Temmuz 12, 2026

    Microsoft cuts 3,200 Xbox jobs amid gaming business overhaul

    Temmuz 12, 2026

    Microsoft is using AI to patch Windows vulnerabilities before hackers strike

    Temmuz 12, 2026
    Add A Comment

    Comments are closed.

    Editors Picks
    8.5

    Apple Planning Big Mac Redesign and Half-Sized Old Mac

    Ocak 5, 2021

    Autonomous Driving Startup Attracts Chinese Investor

    Ocak 5, 2021

    Onboard Cameras Allow Disabled Quadcopters to Fly

    Ocak 5, 2021
    Top Reviews
    9.1

    Review: T-Mobile Winning 5G Race Around the World

    By sevketayaksiz
    8.9

    Samsung Galaxy S21 Ultra Review: the New King of Android Phones

    By sevketayaksiz
    8.9

    Xiaomi Mi 10: New Variant with Snapdragon 870 Review

    By sevketayaksiz
    Advertisement
    Demo
    Şevket Ayaksız
    Facebook X (Twitter) Instagram YouTube
    • Home
    • Adobe
    • microsoft
    • java
    • Oracle
    • Contact
    © 2026 Theme Designed by Şevket Ayaksız.

    Type above and press Enter to search. Press Esc to cancel.