Summary:
On December 4, a malicious version of the AI library ultralytics was released on PyPI, containing code that downloaded the XMRig coinminer. The compromise was due to a GitHub Actions script injection, leading to a supply chain attack that affected millions of users. Despite attempts to rectify the issue, a subsequent version also contained malicious code before a clean version was finally released.
#SupplyChainAttack #PythonPackage #MaliciousCode
Keypoints:
- Malicious version 8.3.41 of the ultralytics AI library was published on December 4.
- The malicious package contained downloader code for the XMRig coinminer.
- The compromise was achieved through a known GitHub Actions script injection.
- Version 8.3.42, intended to fix the issue, also contained malicious code.
- A clean version, 8.3.43, was released on the same day to resolve the attack.
- The incident had the potential to impact a large user base with 60 million downloads.
- The attack vector involved malicious pull requests that executed arbitrary code.
- The user account behind the attack, openimbot, showed a history of inactivity before the incident.
- Behavioral analysis revealed changes in specific files indicating the presence of malicious code.
- The malicious payload was primarily aimed at cryptocurrency mining.
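The keypoints name the root cause as a GitHub Actions script injection triggered by crafted pull requests. The pattern behind that class of bug is a workflow `run:` step that expands attacker-controlled event fields (pull request title, head branch name, and similar) directly inside a `${{ ... }}` expression, so the shell interprets them as code. The scanner below is an added illustration, not code from the ReversingLabs write-up or from the ultralytics project, and the two workflow files it checks are constructed samples, not the real ultralytics workflow; it flags `run:` steps that interpolate untrusted contexts and shows the hardened form that passes the same values through environment variables instead.

```python
"""Flag GitHub Actions 'run:' steps that expand attacker-controlled event
fields via ${{ ... }} expressions.  Added example, not the project's code."""
import re
from dataclasses import dataclass

# Event contexts that GitHub's own hardening guidance lists as
# attacker-controllable.  Regexes are matched against the expression text.
UNTRUSTED_PATTERNS = [
    r"github\.head_ref",
    r"github\.event\.pull_request\.(title|body)",
    r"github\.event\.pull_request\.head\.(ref|label)",
    r"github\.event\.issue\.(title|body)",
    r"github\.event\.comment\.body",
    r"github\.event\.review\.body",
    r"github\.event\.head_commit\.(message|author\.(name|email))",
    r"github\.event\.commits\[[^\]]*\]\.(message|author\.(name|email))",
    r"github\.event\.workflow_run\.head_branch",
]
UNTRUSTED_RE = re.compile("|".join(f"(?:{p})" for p in UNTRUSTED_PATTERNS))
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


@dataclass
class Finding:
    line: int          # 1-indexed line in the workflow file
    expression: str    # the untrusted expression found inside a run: step


def collect_run_scripts(workflow_text: str):
    """Yield (first_line_number, script_text) for every run: step.
    Handles inline scripts and YAML block scalars (run: | ... / run: > ...)."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        # Column of the 'run' key itself ("- run:" shifts it by two).
        key_indent = len(m.group(1)) + (2 if lines[i].lstrip().startswith("- ") else 0)
        rest = m.group(2).strip()
        if rest.startswith(("|", ">")):
            body = []
            i += 1
            # Block scalar: lines indented deeper than the key belong to it.
            while i < len(lines) and (
                not lines[i].strip()
                or len(lines[i]) - len(lines[i].lstrip()) > key_indent
            ):
                body.append(lines[i])
                i += 1
            yield i - len(body) + 1, "\n".join(body)
            continue
        yield i + 1, rest
        i += 1


def find_script_injections(workflow_text: str) -> list[Finding]:
    """Return every untrusted ${{ }} expression that appears inside a run: step."""
    findings = []
    for first_line, script in collect_run_scripts(workflow_text):
        for offset, line in enumerate(script.splitlines()):
            for expr in EXPR_RE.findall(line):
                if UNTRUSTED_RE.search(expr):
                    findings.append(Finding(first_line + offset, expr.strip()))
    return findings


# Constructed sample: PR title and head branch expanded straight into the shell.
VULNERABLE_WORKFLOW = """\
name: ci
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Announce
        run: |
          echo "Building ${{ github.event.pull_request.title }}"
          echo "from branch ${{ github.head_ref }}"
      - run: echo "${{ github.sha }}"
"""

# Constructed sample: same data passed through env, so it is never parsed as code.
HARDENED_WORKFLOW = """\
name: ci
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Announce
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Building $PR_TITLE"
          echo "from branch $HEAD_REF"
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        hits = find_script_injections(text)
        print(f"{name}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line}: untrusted expression {f.expression!r} inside run:")
```

Run it against a real repository's `.github/workflows/*.yml` by reading each file into `find_script_injections`; a clean result means no `run:` step interpolates a documented attacker-controlled context, which is the check that would have caught the workflow pattern described above before a pull request could turn it into code execution.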
MITRE Techniques:
- Supply Chain Compromise (T1195): Exploited the build environment of the ultralytics project to inject malicious code.
- Code Injection (T1059): Utilized GitHub Actions script injection to execute arbitrary code through crafted pull requests.
- Remote Access Tools (T1219): Established backdoor access to the compromised environment after executing the malicious payload.
IoC:
- [File Name] ultralytics-8.3.41
- [File Name] ultralytics-8.3.42
- [File Hash] ee304a92a9e68e7923d7a37a370c7556ac596250
- [File Hash] 7c6136cf4e857582c2f086673359be94e7e4b702
- [File Hash] dd0577b10e73792f2b2315af63b872fe4123ec9c
- [File Hash] bea3060707e6f3fec47aa2af64ea2e774b56e9f5
Full Research: https://www.reversinglabs.com/blog/compromised-ultralytics-pypi-package-delivers-crypto-coinminer