Ultralytics AI Library Compromised: Cryptocurrency Miner Found in PyPI Versions
Briefly

Two compromised versions of the popular Python AI library ultralytics were infected with malicious code designed to stealthily mine cryptocurrency, resulting in excessive CPU usage.
Glenn Jocher, the project maintainer, confirmed on GitHub that the two versions were infected through a sophisticated attack on the PyPI deployment workflow.
Security researcher Adnan Khan flagged the issue in ultralytics/actions, revealing that bad actors exploited a known GitHub Actions script injection to compromise the build environment.
ComfyUI has updated its manager to warn users about the malicious ultralytics versions, advising them to upgrade to the fixed release and ensure their systems are secure.
Read at The Hacker News