Cryptomining malware infects thousands via hijacked AI model

The popular AI development company Ultralytics experienced a significant security breach when threat actors compromised its YOLO11 model to deploy cryptocurrency mining malware through the Python Package Index (PyPI).

The incident overview: Ultralytics’ YOLO (You Only Look Once) AI model, a widely used open-source computer vision system for real-time object detection, was targeted in a supply chain attack affecting versions 8.3.41 and 8.3.42.

  • The compromised software has been downloaded over 260,000 times in the past 24 hours from PyPI alone
  • The project maintains significant popularity in the developer community, with 33,600 GitHub stars and 6,500 forks
  • The attack impacted multiple downstream projects, including SwarmUI and ComfyUI, as Ultralytics is a dependency for these applications

Technical details of the breach: The malicious code was designed to secretly install and operate cryptocurrency mining software on affected systems.

  • The compromise resulted in the installation of an XMRig Miner in the ‘/tmp/ultralytics_runner’ directory
  • The mining software connected to a suspicious mining pool at “connect.consrensys[.]com:8080”
  • Google Colab users who installed the compromised versions had their accounts banned for “abusive activity”
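A host triage check built from the indicators above (the two affected versions and the miner's drop path), as an added example that is not Ultralytics' own tooling. The function names and the requirements-style pin format are assumptions made for illustration.

```python
import re
import sys
from importlib.metadata import distributions
from pathlib import Path

# Indicators taken from the article above.
BAD_VERSIONS = {"8.3.41", "8.3.42"}
RUNNER_PATH = Path("/tmp/ultralytics_runner")

# Exact pin in a requirements-style file, e.g. "ultralytics==8.3.41".
PIN_RE = re.compile(r"^\s*ultralytics(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#\\]*)", re.I | re.M)


def installed_bad_versions(site_dirs):
    """Return [(site_dir, version)] for affected ultralytics installs under site_dirs."""
    hits = []
    for site in site_dirs:
        for dist in distributions(path=[str(site)]):
            try:
                name, version = dist.metadata["Name"], dist.version
            except Exception:  # broken or partial dist-info; skip it
                continue
            if (name or "").lower() == "ultralytics" and version in BAD_VERSIONS:
                hits.append((str(site), version))
    return hits


def pinned_bad_versions(requirements_text):
    """Return the affected versions pinned in the text of a requirements file."""
    return [v for v in PIN_RE.findall(requirements_text) if v in BAD_VERSIONS]


def triage(site_dirs, requirement_files=(), runner_path=RUNNER_PATH):
    """Combine installed packages, pinned versions and the drop path into one report."""
    pins = {}
    for req in requirement_files:
        bad = pinned_bad_versions(Path(req).read_text(errors="replace"))
        if bad:
            pins[str(req)] = bad
    return {
        "installed": installed_bad_versions(site_dirs),
        "pinned": pins,
        "runner_present": Path(runner_path).exists(),
    }


if __name__ == "__main__":
    # Check the interpreter this script runs under.
    print(triage([p for p in sys.path if p]))
```

Pass each virtual environment's site-packages directory in `site_dirs` to cover environments other than the running interpreter.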

Response and remediation: Ultralytics has taken immediate action to address the security incident and protect its users.

  • The company quickly pulled the compromised versions from PyPI
  • A clean version 8.3.43 was released as a replacement
  • The development team is conducting a comprehensive security audit
  • Additional safeguards are being implemented to prevent future incidents

Investigation findings: Initial analysis points to a sophisticated attack vector targeting the build environment.

  • The compromise appears to stem from two malicious pull requests with code injection in the branch names
  • The suspicious pull requests originated from a user in Hong Kong
  • The full extent of the compromise, including whether user data was affected, remains under investigation

Looking ahead: The incident highlights the growing sophistication of supply chain attacks targeting AI development tools, raising concerns about the security of open-source AI infrastructure and the need for enhanced verification processes in software distribution channels.

Ultralytics AI model hijacked to infect thousands with cryptominer
