Compromised ultralytics PyPI package delivers crypto coinminer
Dec. 9, 2024, 11:31 a.m.
Description
A malicious version of the popular AI library ultralytics was published on PyPI, containing downloader code for the XMRig coinminer. The compromise was achieved by exploiting a known GitHub Actions script injection in the project's CI. Two versions, 8.3.41 and 8.3.42, were affected before a clean version, 8.3.43, was released. Because of the package's popularity, the attack had the potential to impact millions of users. The infection vector involved crafting malicious pull requests to gain backdoor access to the build and release pipeline. The compromise was initiated from Hong Kong. The malicious code was inserted into the downloads.py and model.py files and was designed to download platform-specific payloads. While this incident was limited to cryptocurrency mining, the same access could have been used to deploy more aggressive malware.
Date
Published: Dec. 7, 2024, 12:25 p.m.
Created: Dec. 7, 2024, 12:25 p.m.
Modified: Dec. 9, 2024, 11:31 a.m.
Attack Patterns
XMRig (tool)
T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools
T1027.001 Obfuscated Files or Information: Binary Padding
T1102.002 Web Service: Bidirectional Communication
T1564.001 Hide Artifacts: Hidden Files and Directories
T1059.001 Command and Scripting Interpreter: PowerShell
T1571 Non-Standard Port
T1564 Hide Artifacts
T1082 System Information Discovery
T1105 Ingress Tool Transfer
T1083 File and Directory Discovery
T1102 Web Service
T1027 Obfuscated Files or Information
T1195 Supply Chain Compromise
T1059 Command and Scripting Interpreter