https://www.bleepingcomputer.com/news/security/ultralytics-ai-model-hijacked-to-infect-thousands-with-cryptominer/
Ultralytics AI model hijacked to infect thousands with cryptominer

By Bill Toulas
December 6, 2024, 01:54 PM

The popular Ultralytics YOLO11 AI model was compromised in a supply chain attack to deploy cryptominers on devices running versions 8.3.41 and 8.3.42 from the Python Package Index (PyPI).

Ultralytics is a software development company specializing in computer vision and artificial intelligence (AI), specifically in object detection and image processing.

It's best known for its "YOLO" (You Only Look Once) advanced object detection model, which can quickly and accurately detect and identify objects in video streams in real time.

Ultralytics tools are open-source and are used by numerous projects spanning a wide range of industries and applications.

The library has been starred 33,600 times and forked 6,500 times on GitHub, and it has had over 260,000 downloads over the past 24 hours from PyPI alone.

Ultralytics YOLO11 compromised

Yesterday, Ultralytics 8.3.41 and 8.3.42 were released to PyPI, and users who installed the compromised versions directly or as a dependency discovered that a cryptominer was deployed. For Google Colab accounts, owners got flagged and banned due to "abusive activity."

Ultralytics is a dependency of both SwarmUI and ComfyUI, which both confirmed that fresh installs of their libraries would have led to the installation of the miner.

[Image: SwarmUI. Source: @GozukaraFurkan]

When installed, the compromised library installs and launches an XMRig Miner at '/tmp/ultralytics_runner' to connect to a mining pool at "connect.consrensys[.]com:8080".
[Image: Running XMRig Miner processes. Source: Floresce]

Ultralytics founder and CEO Glenn Jocher confirmed that the issue only impacts those two compromised versions, which have already been pulled and replaced with a clean 8.3.43 version.

"We confirm that Ultralytics versions 8.3.41 and 8.3.42 were compromised by a malicious code injection targeting cryptocurrency mining. Both versions have been immediately removed from PyPI," Jocher posted to GitHub.

"We have released 8.3.43 which addresses this security issue. Our team is conducting a full security audit and implementing additional safeguards to prevent similar incidents."

[Image: Comment by Glenn Jocher on GitHub. Source: BleepingComputer]

The developers are currently investigating the root cause and potential vulnerabilities in the Ultralytics build environment to determine how it was breached.

However, Jocher commented that the compromise appears to originate from two malicious PRs [1, 2] with code injection in the branch names, submitted by a user in Hong Kong.

Whether the malicious code solely performed crypto mining or compromised private user data remains unclear, and the community is still awaiting a formal advisory regarding the breach that will provide clarifications on all details.

Out of an abundance of caution, those who downloaded a malicious version of Ultralytics should perform a full system scan.

BleepingComputer has contacted Ultralytics to comment on the situation and learn more about how the supply chain compromise was achieved, but we are still awaiting a response.
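An exposure check built from the indicators reported above (releases 8.3.41 and 8.3.42, the '/tmp/ultralytics_runner' path), added here as an example; it is not code from the article or from Ultralytics. The function names are illustrative, and the process scan assumes a Linux procfs layout.

```python
import os
import re
from importlib import metadata

# Indicators taken from the article; helper names are illustrative.
COMPROMISED = {"8.3.41", "8.3.42"}
MINER_PATH = "/tmp/ultralytics_runner"
# Exact pins only ("ultralytics==8.3.41", "ultralytics[export] == 8.3.42 ; marker").
# A range such as ">=8.3.0" cannot be judged from the file; check what is installed.
PIN_RE = re.compile(r"^\s*ultralytics(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#,\\]*)", re.I)

def pinned_compromised(requirements_text):
    """Return [(line_number, version)] for pins to a compromised release."""
    hits = []
    for number, line in enumerate(requirements_text.splitlines(), 1):
        match = PIN_RE.match(line)
        if match and match.group(1) in COMPROMISED:
            hits.append((number, match.group(1)))
    return hits

def installed_compromised():
    """Return the installed ultralytics version if it is a compromised one, else None."""
    try:
        version = metadata.version("ultralytics")
    except metadata.PackageNotFoundError:
        return None
    return version if version in COMPROMISED else None

def miner_processes(proc_root="/proc"):
    """Return sorted PIDs whose executable is the reported miner path."""
    pids = []
    try:
        names = os.listdir(proc_root)
    except OSError:
        return pids  # no procfs on this platform
    for name in filter(str.isdigit, names):
        try:
            exe = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or insufficient privilege
        # procfs appends " (deleted)" when the binary was unlinked after launch
        if exe in (MINER_PATH, MINER_PATH + " (deleted)"):
            pids.append(int(name))
    return sorted(pids)

if __name__ == "__main__":
    sample = "numpy==1.26.4\nultralytics==8.3.41\nultralytics>=8.3.0\n"  # constructed input
    print("pins:", pinned_compromised(sample), "installed:", installed_compromised())
    print("miner file:", os.path.lexists(MINER_PATH), "pids:", miner_processes())
```

Run it with the interpreter of each environment that may have pulled the package, since the installed-version check only sees that interpreter's site-packages.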
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.