PYSEC-2024-154
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/ultralytics/PYSEC-2024-154.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2024-154
- Related
- Published
- 2024-12-10T19:43:04.050935Z
- Modified
- 2024-12-10T19:20:27.097505Z
- Severity
-
- 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- A number of releases of ultralytics contained malicious crypto miner software.
- Details
-
Ultralytics has identified a supply chain attack affecting affecting multiple versions of the ultralytics package. The compromised versions contained unauthorized code that downloaded and executed cryptocurrency mining software when instantiating YOLO models. This code was injected into the PyPI release artifacts and was not present in the public GitHub repository.
- References
-
- https://inspector.pypi.io/project/ultralytics/8.3.41/packages/d0/99/13d92174aa6a470d348a95e31164769f2cdf77838ea3c3e3fd476285777d/ultralytics-8.3.41-py3-none-any.whl/ultralytics/utils/downloads.py#line.284
- https://github.com/ultralytics/ultralytics/pull/18020#issuecomment-2525180194
- https://github.com/ultralytics/ultralytics/issues/18027
- https://github.com/ultralytics/ultralytics/pull/18052
- https://github.com/ultralytics/ultralytics/pull/18111
- https://github.com/ultralytics/ultralytics/releases/tag/v8.3.48
- https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection
Affected packages
PyPI / ultralytics
Package
- Name
- ultralytics
- View open source insights on deps.dev
- Purl
- pkg:pypi/ultralytics