Compromised AI Library Delivers Cryptocurrency Miner via PyPI

February 25, 2026

A compromised version of the popular ultralytics AI library has been found to deliver a cryptocurrency mining payload.

ReversingLabs researchers traced the issue to a breach of the library’s build environment, which was exploited through a known GitHub Actions script injection vulnerability.

On December 4, version 8.3.41 of ultralytics was published on the Python Package Index (PyPI). This version contained malicious code that downloaded the XMRig coin miner. The attackers used a sophisticated technique to inject malicious payloads into the repository, bypassing code reviews.

“Unlike the recent compromise of a trusted npm package @solana/web3.js […], which also had a similar impact radius but was caused by a compromise of one of the maintainer accounts, in this case, intrusion into the build environment was achieved by a more sophisticated vector, by exploiting a known GitHub Actions Script Injection that was previously reported by the security researcher Adnan Khan,” ReversingLabs explained.

Specifically, the attackers crafted pull requests with code embedded in branch titles, allowing them to achieve arbitrary code execution.

The breach had the potential to impact a vast user base, as ultralytics has over 30,000 stars on GitHub and nearly 60 million downloads on PyPI. The problem was exacerbated when a follow-up version, 8.3.42, released to address the issue, also carried the same malicious code. A clean version, 8.3.43, was finally made available later that day.

While the malicious code primarily deployed a cryptocurrency miner, researchers noted that the same vector could have been used to distribute more harmful malware, such as backdoors or remote access Trojans. The compromised code specifically targeted downloads.py and model.py, with functionality tailored to evaluate system configurations and deliver platform-specific payloads.

The attack was linked to a GitHub account named openimbot, which had a suspicious activity pattern suggesting a possible account takeover. The attackers’ methodology involved embedding payload code in branch names, enabling backdoor access to the environment through crafted pull requests.
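
The script-injection class described above (pull-request branch names reaching a build script) can be audited for in workflow files. The following is an added example, not code from ReversingLabs or the ultralytics project: `find_injections` is a hypothetical helper, both workflow fragments are constructed, the list of attacker-controlled contexts is a non-exhaustive assumption, and the scan is line-based rather than a full YAML parse.

```python
import re
# Expression contexts whose value a pull-request author chooses (non-exhaustive).
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*?\b(github\.head_ref|github\.event\.pull_request\."
    r"(?:head\.ref|head\.label|title|body))\b[^}]*\}\}"
)
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_injections(workflow_text):
    """Return (line_no, context) for untrusted expressions inside run: scripts."""
    findings, block_col = [], None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY.match(line)
        if m:
            # "|" or ">" opens a block scalar: the script is the deeper-indented lines.
            block_col = len(m.group(1)) if m.group(2)[:1] in ("|", ">") else None
            script = "" if block_col is not None else m.group(2)
        elif block_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= block_col:
                block_col = None  # dedent: the run: block has ended
            script = line if block_col is not None else ""
        else:
            script = ""  # only run: scripts are checked; env: values are data
        findings += [(no, hit.group(1)) for hit in UNTRUSTED.finditer(script)]
    return findings

# Constructed workflow fragments (not the ultralytics workflow).
VULNERABLE = """\
jobs:
  format:
    steps:
      - name: Report branch
        run: |
          echo "Formatting ${{ github.head_ref }}"
"""
HARDENED = """\
jobs:
  format:
    steps:
      - name: Report branch
        env:
          HEAD_REF: ${{ github.head_ref }}  # passed as data, not script text
        run: echo "Formatting $HEAD_REF"
"""

if __name__ == "__main__":
    print(find_injections(VULNERABLE), find_injections(HARDENED))
```

In the hardened fragment the branch name reaches the shell as an environment variable, so the expression is never expanded into the script text before the shell parses it.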
