A compromised version of the popular ultralytics AI library has been found to ship a cryptocurrency mining payload.
ReversingLabs researchers traced the problem to a breach of the library’s build environment, which was exploited via a known GitHub Actions script injection vulnerability.
On December 4, version 8.3.41 of ultralytics was published on the Python Package Index (PyPI). This version contained malicious code that downloaded the XMRig coin miner. The attackers used a sophisticated approach to inject malicious payloads into the repository, bypassing code reviews.
“Unlike the recent compromise of a trusted npm package @solana/web3.js […], which also had a similar impact radius but was caused by a compromise of one of the maintainer accounts, in this case, intrusion into the build environment was achieved by a more sophisticated vector, by exploiting a known GitHub Actions Script Injection that was previously reported by the security researcher Adnan Khan,” ReversingLabs explained.
Specifically, the attackers crafted pull requests with code embedded in branch titles, allowing them to achieve arbitrary code execution.
The breach had the potential to affect a very large user base, as ultralytics has over 30,000 stars on GitHub and nearly 60 million downloads on PyPI. The problem was exacerbated when a follow-up version, 8.3.42, released to address the issue, also carried the same malicious code. A clean version, 8.3.43, was finally made available later that day.
While the malicious code primarily deployed a cryptocurrency miner, researchers noted that the same vector could have been used to distribute more harmful malware, such as backdoors or remote access Trojans. The compromised code specifically targeted downloads.py and model.py, with functionality tailored to evaluate system configurations and deliver platform-specific payloads.
The attack was linked to a GitHub account named openimbot, which had a suspicious activity pattern suggesting a possible account takeover. The attackers’ method involved embedding payload code in branch names, enabling backdoor access to the environment through crafted pull requests.
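
As an added example (not code from ReversingLabs or the ultralytics project), the Python check below flags the workflow pattern behind this class of bug: a pull-request branch-name context expanded directly inside a `run:` script. The function name and both workflow snippets are constructed for illustration, and the line-based parsing is a simplification rather than a full YAML parser.

```python
import re

# Contexts whose value is the pull-request author's branch name.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.head_ref|github\.event\.pull_request\.head\.(?:ref|label))\s*\}\}"
)
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

def find_injectable_runs(workflow_text):
    """Return (line_no, context) for each branch-name context expanded in a run: script."""
    findings = []
    block_indent = None  # column of the run: key while inside its block scalar
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY.match(line)
        if m:
            rest = m.group(3)
            is_block = rest[:1] in ("|", ">")
            block_indent = len(m.group(1)) + len(m.group(2) or "") if is_block else None
            body = "" if is_block else rest
        elif block_indent is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= block_indent:
                block_indent = None  # dedent: the script block has ended
                continue
            body = line
        else:
            continue
        findings += [(no, hit.group(1)) for hit in UNTRUSTED.finditer(body)]
    return findings

# Constructed sample: the branch name is pasted into the script text before the shell parses it.
VULNERABLE = """\
steps:
  - name: Report branch
    run: |
      echo "Formatting ${{ github.head_ref }}"
      git fetch origin "${{ github.event.pull_request.head.ref }}"
"""

# Constructed sample, hardened: the value reaches the shell only as a quoted environment variable.
HARDENED = """\
steps:
  - name: Report branch
    env:
      HEAD_REF: ${{ github.head_ref }}
    run: |
      echo "Formatting $HEAD_REF"
      git fetch origin "$HEAD_REF"
"""
```

Running `find_injectable_runs` over every file under `.github/workflows/` gives a quick review list; each hit is a place where the expression should move into an `env:` entry and be referenced as a quoted shell variable.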