HIGH 8.6
PYSEC-2024-154
A number of releases of ultralytics contained malicious crypto miner software.
Details
Ultralytics has identified a supply chain attack affecting affecting multiple versions of the ultralytics package. The compromised versions contained unauthorized code that downloaded and executed cryptocurrency mining software when instantiating YOLO models. This code was injected into the PyPI release artifacts and was not present in the public GitHub repository.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / ultralytics
Introduced in:
8.3.41 Fixed in: 8.3.47 Fix
pip install --upgrade 'ultralytics>=8.3.47' References
- https://inspector.pypi.io/project/ultralytics/8.3.41/packages/d0/99/13d92174aa6a470d348a95e31164769f2cdf77838ea3c3e3fd476285777d/ultralytics-8.3.41-py3-none-any.whl/ultralytics/utils/downloads.py#line.284 [EVIDENCE]
- https://github.com/ultralytics/ultralytics/pull/18020#issuecomment-2525180194 [WEB]
- https://github.com/ultralytics/ultralytics/issues/18027 [REPORT]
- https://github.com/ultralytics/ultralytics/pull/18052 [FIX]
- https://github.com/ultralytics/ultralytics/pull/18111 [FIX]
- https://github.com/ultralytics/ultralytics/releases/tag/v8.3.48 [FIX]
- https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection [ARTICLE]