December 7, 2024 at 06:15AM
Two versions of the Python AI library Ultralytics (8.3.41 and 8.3.42) were compromised, delivering a cryptocurrency miner. The affected versions have been removed, and a new one includes a security fix. The attack exploited a GitHub Actions vulnerability, raising concerns about potential future threats like backdoors.
**Meeting Takeaways – Dec 07, 2024: Supply Chain Attack / Cryptocurrency**
1. **Incident Overview**: Two versions (8.3.41 and 8.3.42) of the popular Python AI library Ultralytics were compromised, leading to the delivery of a cryptocurrency miner.
2. **Immediate Action**: The compromised versions have been removed from the Python Package Index (PyPI), and a new version has been released that includes a security fix for the publication workflow.
3. **Attack Details**:
– The malicious code was injected during the PyPI deployment workflow, resulting in an increase in CPU usage indicative of cryptocurrency mining.
– The attack exploited vulnerabilities in the build environment, allowing unauthorized modifications post-code review.
4. **Technical Insight**:
– The specific vulnerability involved a GitHub Actions Script Injection.
– Threat actors managed to create a malicious pull request, affecting users on macOS and Linux systems.
5. **Response and Prevention**:
– ComfyUI, which relies on Ultralytics, has updated its manager to alert users of the malicious versions.
– Users are strongly advised to update to the latest version of Ultralytics to mitigate risks.
6. **Potential Risks**: Although the current incident involved a cryptocurrency miner (XMRig), experts warn of more severe threats such as backdoors or remote access trojans if similar attacks occur in the future.
7. **Further Information**: The issue was flagged by security researcher Adnan Khan in an advisory from August 2024, signaling ongoing vulnerabilities within the environment.
This summary serves as a concise overview of the meeting’s focal points regarding the software supply chain attack and its implications.