Ultralytics AI model hijacked to infect thousands with cryptominer

The popular Ultralytics YOLO11 AI model was compromised in a supply chain attack to deploy cryptominers on devices running versions 8.3.41 and 8.3.42 from the Python Package Index (PyPI)  

Ultralytics is a software development company specializing in computer vision and artificial intelligence (AI), specifically in object detection and image processing.

It's best known for its "YOLO" (You Only Look Once) advanced object detection model, which can quickly and accurately detect and identify objects in video streams in real time.

Ultralytics tools are open-source and are used by numerous projects spanning a wide range of industries and applications.

The library has been starred 33,600 times and forked 6,500 times on GitHub, and it has had over 260,000 downloads over the past 24 hours from PyPI alone.

Ultralytics YOLO11 compromised

Yesterday, Ultralytics 8.3.41 and 8.3.42 were released to PyPi, and users who installed the compromised versions directly or as a dependency discovered that a cryptominer was deployed. For Google Colab accounts, owners got flagged and banned due to "abusive activity."

Ultralytics is a dependency of both SwarmUI and ComfyUI, who both confirmed that fresh installs of their libraries would have led to the installation of the miner.

When installed, the compromised library installs and launches an XMRig Miner at '/tmp/ultralytics_runner' to connect to a minin pool at "connect.consrensys[.]com:8080".

Ultralytics founder and CEO Glenn Jocher confirmed that the issue only impacts those two compromised versions, which have already been pulled and replaced with a clean 8.3.43 version.

"We confirm that Ultralytics versions 8.3.41 and 8.3.42 were compromised by a malicious code injection targeting cryptocurrency mining. Both versions have been immediately removed from PyPI," Jocher posted to GitHub.

"We have released 8.3.43 which addresses this security issue. Our team is conducting a full security audit and implementing additional safeguards to prevent similar incidents."

​
The developers are currently investigating the root cause, and potential vulnerabilities in the Ultralytics build environment to determine how it was breached.

However, Jocher commented that the compromise appears to originate from two malicious PRs [1, 2]with code injection in the branch names submitted by a user in Hong Kong.

Whether the malicious code solely performed crypto mining or compromised private user data remains unclear, and the community is still awaiting a formal advisory regarding the breach that will provide clarifications on all details.

Out of an abundance of caution, those who downloaded a malicious version of Ultralytics should perform a full system scan.

BleepingComputer has contacted Ultralytics to comment on the situation and learn more about how the supply chain compromise was achieved, but we are still awaiting a response.

Update 12/8: There are user reports of new trojanized releases on PyPI, so the attack appears to continue through new package versions 8.3.45 and 8.3.46.