Supply chain compromise of Ultralytics AI library results in trojanized versions
Briefly

The Ultralytics YOLO packages on PyPI were compromised through a GitHub Actions exploit, allowing attackers to inject malicious code during the automated build process.
Attackers deployed cryptocurrency mining malware via the trojanized package version 8.3.41, which was published on December 4 and went undetected at first.
A follow-up release, version 8.3.42, was meant to resolve the issue but unintentionally still contained the malicious code, because the source of the compromise was not yet understood at the time.
A clean version, 8.3.43, was ultimately published after developers were alerted, highlighting vulnerabilities in the supply chain that attackers can exploit.
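As a defender-side check added to this summary (it is not code from Ultralytics, PyPI or CSO Online), the script below scans requirements or `pip freeze` style lines for the two release numbers named above and also reports unpinned `ultralytics` entries, since an unpinned dependency would have installed whatever was latest at the time. The sample input is constructed.

```python
"""Flag pinned Ultralytics versions that the summary names as trojanized.

Added example for this summary; not code from Ultralytics, PyPI or CSO Online.
Input is assumed to be pip-freeze / requirements.txt style lines.
"""
import re

# Releases the summary reports as carrying the injected miner; 8.3.43 is named as clean.
AFFECTED_VERSIONS = {(8, 3, 41), (8, 3, 42)}
FIRST_CLEAN_VERSION = (8, 3, 43)

# Exact pin, e.g. "ultralytics==8.3.41" (extras and environment markers are not handled)
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*==\s*([0-9]+(?:\.[0-9]+)*)")
# Any requirement line for a package, pinned or not
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9_.\-]*)")


def normalize(name):
    """PEP 503 style normalization so 'Ultralytics' and 'ultralytics' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """'8.3.41' -> (8, 3, 41); only numeric dotted versions are expected here."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version_text):
    """True for the versions the summary names as trojanized."""
    return parse_version(version_text) in AFFECTED_VERSIONS


def audit(lines):
    """Return {'trojanized': [...], 'unpinned': [...]} for the ultralytics entries found.

    An unpinned entry is reported because the installed version cannot be
    determined from the file alone and must be checked in the environment.
    """
    report = {"trojanized": [], "unpinned": []}
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        name_match = _NAME_RE.match(stripped)
        if not name_match or normalize(name_match.group(1)) != "ultralytics":
            continue
        pin = _PIN_RE.match(stripped)
        if pin is None:
            report["unpinned"].append(stripped)
        elif is_affected(pin.group(2)):
            report["trojanized"].append(pin.group(2))
    return report


# Constructed sample input (not a real environment)
SAMPLE_FREEZE = """\
# pip freeze from a hypothetical training box
numpy==1.26.4
torch==2.3.0
Ultralytics==8.3.41
"""

if __name__ == "__main__":
    print(audit(SAMPLE_FREEZE.splitlines()))
```

Run it against `pip freeze` output or a lockfile; any entry in `trojanized` means the environment installed one of the affected releases and should be rebuilt from a pin at or above 8.3.43 rather than patched in place.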
Read at CSO Online