- A PyPI package for an AI model was compromised and used to deliver malware
- Victims had XMRig, a popular crypto miner, installed
- The attack has now been tackled, but users were warned to be wary
Ultralytics YOLO11, an AI model for computer vision and object detection, was compromised in an apparent supply chain attack and used to deliver malware to victims’ devices.
The attack was confirmed by the company’s founder, who also said the incident had been resolved and the malicious version had been removed. However, it seems that new malicious versions have since emerged.
YOLO11 (short for You Only Look Once) is an AI model designed for real-time computer vision tasks such as identifying objects, analyzing images, and detecting poses. The project is quite popular: it has been starred more than 30,000 times and forked more than 6,000 times on GitHub, and has hundreds of thousands of downloads per day.
Newer attacks
As an open source solution, YOLO11 was also available for download on PyPI, one of the world’s largest Python package repositories.
There, an unknown threat actor recently broke into the account and uploaded two versions: 8.3.41 and 8.3.42. Those who updated to these versions, either directly or through a dependency, ended up with a cryptocurrency miner on their devices.
The installed miner is called XMRig and is by far the most popular cryptojacker (a “hijacker” malware that mines crypto coins) out there. XMRig is known for generating Monero (XMR), a privacy-oriented currency that is difficult to trace.
Glenn Jocher, founder and CEO of Ultralytics, confirmed the attack and said it had been addressed: “We confirm that Ultralytics versions 8.3.41 and 8.3.42 have been compromised by a malicious code injection targeting cryptocurrency mining. Both versions are immediately removed from PyPI,” Jocher posted on GitHub. “We have released 8.3.43 addressing this security issue. Our team is conducting a full security audit and implementing additional security measures to prevent similar incidents.”
However, over the weekend BleepingComputer said there were user reports of even newer versions, 8.3.45 and 8.3.46, being “trojanized”. At the time of writing, GitHub shows 8.3.48 as the latest version.
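A check for the versions named above, as an added example that is not from the article or from Ultralytics: it scans requirements-style text (a lock file or `pip freeze` output) for `ultralytics` pins or ranges that admit 8.3.41, 8.3.42, 8.3.45 or 8.3.46. The function names and the sample input are assumptions made for illustration, and version comparison is simplified to plain dotted numbers.

```python
import operator as op
import re

# Versions named in the article: 8.3.41/8.3.42 confirmed by Ultralytics,
# 8.3.45/8.3.46 from user reports relayed by BleepingComputer.
CONFIRMED = {"8.3.41", "8.3.42"}
REPORTED = {"8.3.45", "8.3.46"}
REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;#]*)")
OPS = {"==": op.eq, "!=": op.ne, ">=": op.ge, "<=": op.le, ">": op.gt, "<": op.lt}

def _key(version):
    return tuple(int(p) for p in version.split("."))

def _allows(spec, version):
    """True if every comma-separated clause of spec admits version."""
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = re.match(r"(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)$", clause)
        if not m:
            return True  # ~=, wildcards, URLs: not evaluated, so flag for review
        if not OPS[m.group(1)](_key(version), _key(m.group(2))):
            return False
    return True

def audit_requirements(text):
    """Return (line_no, status, versions) for ultralytics lines at risk."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQ.match(line)  # comment and option lines do not match
        if not m or m.group(1).lower() != "ultralytics":
            continue
        spec = re.split(r"\s--|\\", m.group(2))[0].strip()  # drop --hash options
        hits = sorted((v for v in CONFIRMED | REPORTED if _allows(spec, v)), key=_key)
        pinned = spec.startswith("==") and spec[2:].strip() in hits
        if hits:
            findings.append((no, "pinned" if pinned else "range-allows", hits))
    return findings

# Constructed sample in requirements / `pip freeze` format (not from the article).
SAMPLE = """numpy==1.26.4
ultralytics==8.3.41 --hash=sha256:PLACEHOLDER
ultralytics[export]>=8.3.0,<8.3.43 ; python_version >= "3.8"
Ultralytics==8.3.43
ultralytics>=8.3.47
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE):
        print(finding)
```

Running it over `pip freeze` output as well as lock files covers the case the article mentions, where the package arrives through a dependency rather than a direct install.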
Via BleepingComputer