
Ultralytics YOLO AI model compromised in supply chain attack

While Ultralytics has not released an official security advisory, the company pulled two recent versions of its YOLO11 AI model after reports said they contained a cryptominer.

A threat actor compromised the Ultralytics YOLO11 model in a supply chain attack that planted cryptomining software in recent versions of the company's AI software.

In a GitHub thread on Thursday, a developer warned that a PyPI package for Ultralytics YOLO version 8.3.41 was compromised and that users who installed it would unknowingly run XMRig cryptomining software. Ultralytics is a Maryland-based software company, and YOLO is an image recognition and detection AI model.

Several other developers said in the GitHub thread that Ultralytics YOLO version 8.3.41 had been compromised and recommended removing the PyPI package. While Ultralytics has not published an official advisory, it appears that Ultralytics paused automatic deployments to further investigate the supply chain attack.

The thread author, who goes by "metrizable," initially discovered the compromised code when comparing the Ultralytics PyPI package with the GitHub repository. Other developers reported suspicious activity in separate GitHub threads. For example, in another thread, developers noted that Google Colab had blocked access to systems running YOLO.
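The package-versus-repository comparison described above can be scripted. The following is an added example, not code from the article, the GitHub thread or Ultralytics; it assumes the wheel's internal paths mirror the repository layout, and the `pkg` package in `demo()` is constructed sample data.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_wheel_against_source(wheel_path, source_root):
    """Compare each .py file in a wheel with the same path in a source checkout.

    Returns {"modified": [...], "only_in_wheel": [...]}, both sorted.
    """
    source_root = Path(source_root)
    modified, only_in_wheel = [], []
    with zipfile.ZipFile(wheel_path) as wheel:
        for name in wheel.namelist():
            if not name.endswith(".py"):
                continue  # skip .dist-info metadata and non-Python data files
            local = source_root / name
            if not local.is_file():
                only_in_wheel.append(name)  # shipped code with no source counterpart
            elif sha256(wheel.read(name)) != sha256(local.read_bytes()):
                modified.append(name)  # shipped code differs from the tagged source
    return {"modified": sorted(modified), "only_in_wheel": sorted(only_in_wheel)}


def demo():
    """Constructed sample: a tiny repo and a wheel with one altered and one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "repo")
        (repo / "pkg").mkdir(parents=True)
        (repo / "pkg" / "__init__.py").write_bytes(b"__version__ = '0.0.1'\n")
        (repo / "pkg" / "utils.py").write_bytes(b"def load():\n    return 1\n")
        wheel = Path(tmp, "pkg-0.0.1-py3-none-any.whl")
        with zipfile.ZipFile(wheel, "w") as zf:
            zf.writestr("pkg/__init__.py", b"__version__ = '0.0.1'\n")
            zf.writestr("pkg/utils.py", b"def load():\n    return 2\n")  # differs
            zf.writestr("pkg/extra.py", b"# not present in repo\n")
            zf.writestr("pkg-0.0.1.dist-info/METADATA", b"Name: pkg\n")
        return diff_wheel_against_source(wheel, repo)


if __name__ == "__main__":
    print(demo())
```

Against a real release, the source checkout should be at the tag matching the wheel's version; files generated at build time or differing only in line endings will also show up and need manual review.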

Another developer, who goes by "Skillnoob" and is affiliated with Ultralytics, responded to the reports and urged users to uninstall version 8.3.41, confirming that the PyPI package was compromised.

However, reports soon emerged in the threads that Ultralytics' subsequent version, 8.3.42, was also compromised. Skillnoob eventually confirmed that version 8.3.42 was also affected by the cryptomining campaign.

As of Thursday, versions 8.3.41 and 8.3.42 had been removed from PyPI. Skillnoob added that version 8.3.40 and earlier were safe to use.

Ultralytics founder and CEO Glenn Jocher provided additional information on the GitHub thread. Jocher wrote that "there appears to be malicious code injection in the pypi deployment workflow itself that affected 8.3.41 and 8.3.42." He confirmed that Ultralytics stopped automatic deployments and said an investigation into the supply chain attack is ongoing. Jocher added that Ultralytics traced the malicious activity to a GitHub user in Hong Kong and subsequently blocked the account.

Jocher said the issue was resolved in Thursday's release of YOLO version 8.3.43. Ultralytics on Friday announced the release of version 8.3.44 of the software, but the company made no mention of the supply chain attack or the earlier compromised versions.

It's unclear how the threat actor gained access to Ultralytics' supply chain and compromised two different versions of the YOLO model. At press time, the company had yet to publish a public advisory on the attack. Ultralytics also did not respond to requests for comment at press time.

The Ultralytics attack is the latest example of supply chain compromises this year. In March, threat actors used fake Python infrastructure and stolen session cookies to compromise multiple GitHub code repositories for Top.gg. In October, threat actors compromised NPM packages of the popular JavaScript library Lottie Player in a campaign designed to steal users' cryptocurrency.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
