The popular Ultralytics YOLO package, widely used for creating custom machine learning models, has been compromised through a supply chain attack on PyPI, the official Python package index. The attackers managed to infiltrate the build environment of the library, deploying cryptocurrency mining malware on systems that installed the compromised package. While the malware in this case was used for mining, the attackers could have easily delivered other types of harmful software.
According to research from ReversingLabs, the attackers took advantage of a known exploit in GitHub Actions, which allowed them to introduce malicious code during the automated build process. This method bypassed the standard code review mechanisms, ensuring that the malicious code was present in the version of the package uploaded to PyPI, but not in the original code repository on GitHub. This highlighted a significant vulnerability in the way automated build systems can be exploited to introduce threats.
The trojanized version of the Ultralytics YOLO package, identified as version 8.3.41, was published on December 4. Ultralytics’ developers were alerted to the issue the following day, and they quickly worked to release a new version (8.3.42) to resolve the problem. However, due to a lack of understanding about the source of the breach, the new version inadvertently included the same rogue code. It wasn’t until later on December 5 that a clean version (8.3.43) was published, which addressed the security issue and removed the malware.
Ultralytics YOLO is a widely-used project with over 30,000 stars and more than 6,000 forks on GitHub. The PyPI package has been downloaded nearly 60 million times, amplifying the impact of this attack. The breach stands out for its sophistication, as it exploited a known GitHub Actions Script Injection vulnerability. This differs from previous incidents, such as the @solana/web3.js npm package compromise, where the attacker gained access through a maintainer’s account. In this case, however, the attackers were able to infiltrate the build environment itself, circumventing traditional security measures and demonstrating the evolving nature of supply chain threats.