{
	"id": "d26cb641-b81a-41b3-9b8d-5b0f3a2024a8",
	"created_at": "2026-04-06T00:12:58.669836Z",
	"updated_at": "2026-04-10T13:11:26.883226Z",
	"deleted_at": null,
	"sha1_hash": "2f72d7ea8c42889a9eb59dffd975aa87ab80c703",
	"title": "Ultralytics AI Library Hacked via GitHub for Cryptomining",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61886,
	"plain_text": "Ultralytics AI Library Hacked via GitHub for Cryptomining\r\nBy Wiz Threat Research\r\nPublished: 2024-12-09 · Archived: 2026-04-05 17:26:44 UTC\r\nSecurity researchers have identified a supply chain attack targeting deployment versions of the Ultralytics Python\r\npackage. The compromised versions, 8.3.41 and 8.3.42 , contain malicious code that executes unauthorized\r\ncryptocurrency mining software (XMRig) on affected machines.  This compromise was limited to the PyPI-hosted\r\nversions of the package, and local or earlier versions remain unaffected. The malicious versions have since been\r\nremoved from PyPI to prevent further exploitation. Ultralytics is a popular AI image prediction library with over\r\n33k stars on GitHub and a dependency for many packages, including the popular ComfyUI Impact Pack\r\nextension, making them vulnerable as well.\r\nWhy is this interesting?\r\nPyPI-hosted package compromise is nothing new. What is interesting in this case is the way the package was\r\ncompromised – via the CI/CD workflow. Until recently, most compromises related to VCS (version control\r\nsystem)- and CI/CD were performed by security researchers (i.e. on stripe-samples, PyTorch, GitHub Runner\r\nImages, etc.).\r\nEven the infamous XZ-Utils compromise was performed by what could be considered an “insider threat”,\r\nsomeone that already had write access to the repository code. By contrast, this is one of the first publicly known\r\ncases where an external malicious actor managed to modify the release package that eventually made it to the\r\nPyPI ecosystem. It is also notable that the discovery of the compromise was first alerted on the dependent package\r\nComfyUI, not on the original compromised target Ultralytics.\r\nWhat happened?\r\nA supply chain attack targeted Ultralytics, a very popular library which is included in many AI packages including\r\nthe ComfyUI Impact Pack. The attacker manipulated GitHub Actions by exploiting branch names in pull requests\r\nto execute arbitrary code, bundling a cryptominer into the package. A subsequent “mitigation” release of\r\nUltralytics was also compromised, escalating the risk for users who might have updated to the new version and\r\nassumed they were secure.\r\nHow exactly did this happen?\r\nUltralytics has an extensive CI/CD infrastructure boasting 11 different workflows running tens of job runs every\r\nhour. This probably contributed to the fact that the malicious change was not immediately noticed and that two\r\nversions of the Ultralytics package were shipped successfully and made it to the PyPI registry.\r\nOn December 4th, 2024, a GitHub user named openimbot opened two strange-looking draft pull requests . The\r\npurpose of these PRs was to exploit a vulnerability that was similar to one previously reported as affecting a\r\ndifferent workflow in the same organization (Ultralytics) but in different repository (Ultralytics/actions). At the\r\nhttps://www.wiz.io/blog/ultralytics-ai-library-hacked-via-github-for-cryptomining\r\nPage 1 of 3\n\ncenter of the malicious PRs was the vulnerable workflow “Publish Docs” that runs upon every PR creation\r\n(among other triggers):\r\nSpecifically, the vulnerable lines of code are best seen when analyzing the later fix by the package maintainers:\r\nIn this case, github.head_ref is the name of the source code branch opened with the PR. When treating\r\ngithub.head_ref as a string and without input sanitization, the workflow used the maliciously crafted branch\r\nname supplied by openimbot in the above PRs:\r\nThis branch name payload, when executed by the job, pipes the content of file.sh into a bash session. The way\r\nthe payload is constructed (using the parentheses bash notation and the $IFS special shell variable) is explained\r\nby the fact that, to be valid, the branch name should not contain any spaces. In fact, this is a common technique\r\nused for WAF bypasses. The content of file.sh is currently unavailable, but we can speculate that it contained\r\ninstructions to check in malicious changes to the following two files:\r\nv8.3.41/ultralytics/models/yolo/model.py - Adding code that downloads and runs a malicious miner\r\naccording to the victim’s machine:\r\n  v8.3.41/ultralytics/utils/downloads.py - Adding the implementation of the download and run\r\nfunctions used in model.py :\r\nThe final result is evident in this issue raised by a user of Ultralytics that noticed the discrepancy.\r\nIt is somewhat surprising to see these malicious actions performed by an established GitHub account with a long\r\nhistory of contributions. After all, opening a temporary GitHub account is something very common and easy\r\nachievable, whereas creating and maintaining a believable persona over a long period of time is slightly more\r\ndifficult. However, it is quite possible that this account is legitimate and was compromised somehow by a\r\nmalicious actor in order to enact supply chain attacks such as this.\r\nWiz Research data: what’s the risk to cloud environments?\r\nBased on our data, Ultralytics itself can be found in 10% of cloud environments, demonstrating the valuable attack\r\nsurface that this supply chain attack was aiming to exploit.\r\nWhich products are affected?\r\nUltralytics in versions 8.3.41 and 8.3.42 contain malicious code. Later versions are safe to use.\r\nWhich actions should security teams take?\r\nUsers who have installed these versions are strongly advised to uninstall the package immediately and restore\r\nimpacted systems to a previously known clean state, while monitoring for any evidence of crypto-mining on the\r\naffected systems.\r\nWiz customers can use the pre-built query and advisory in the Wiz Threat Intel Center to search for affected\r\ninstances in their environment:\r\n References\r\nhttps://www.wiz.io/blog/ultralytics-ai-library-hacked-via-github-for-cryptomining\r\nPage 2 of 3\n\nkingbri's tweet\r\nGithub issue for Ultralytics\r\nGithub issue for ComfyUI\r\nReversingLabs blog\r\nBleepingComputer article\r\nSource: https://www.wiz.io/blog/ultralytics-ai-library-hacked-via-github-for-cryptomining\r\nhttps://www.wiz.io/blog/ultralytics-ai-library-hacked-via-github-for-cryptomining\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.wiz.io/blog/ultralytics-ai-library-hacked-via-github-for-cryptomining"
	],
	"report_names": [
		"ultralytics-ai-library-hacked-via-github-for-cryptomining"
	],
	"threat_actors": [],
	"ts_created_at": 1775434378,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f72d7ea8c42889a9eb59dffd975aa87ab80c703.pdf",
		"text": "https://archive.orkl.eu/2f72d7ea8c42889a9eb59dffd975aa87ab80c703.txt",
		"img": "https://archive.orkl.eu/2f72d7ea8c42889a9eb59dffd975aa87ab80c703.jpg"
	}
}