The compromised ultralytics AI library delivered XMRig miner via GitHub Actions exploit
Analysis Summary
# Tool/Technique: XMRig Cryptocurrency Miner (Delivered via Compromised `ultralytics` PyPI Package)
## Overview
This summary details a supply chain attack where a compromised version of the popular `ultralytics` Python AI library, published on PyPI, was used to inject and deliver the XMRig cryptocurrency mining malware onto victim systems. The compromise was achieved by exploiting a GitHub Actions script injection vulnerability in the library's build environment.
## Technical Details
- Type: Malware (Cryptocurrency Miner) delivered via Compromised Dependency
- Platform: Python environments (targets systems running code utilizing the compromised package)
- Capabilities: Downloads and executes the XMRig coin miner; evaluates system configuration to deliver platform-specific payloads.
- First Seen: Version 8.3.41 published on December 4, 2024.
## MITRE ATT&CK Mapping
The activity primarily relates to gaining initial access through a trusted source and executing malicious code.
- **TA0001 - Initial Access**
  - **T1195 - Supply Chain Compromise**
    - T1195.001 - Compromise Software Supply Chain (Infection via dependency)
- **TA0002 - Execution**
  - **T1059 - Command and Scripting Interpreter**
    - T1059.001 - PowerShell (Likely for execution artifacts)
- **TA0004 - Privilege Escalation** (Implied, as miners benefit from running as long as possible)
- **TA0007 - Discovery**
  - **T1082 - System Information Discovery** (To evaluate system configurations for tailored payloads)
- **TA0011 - Collection** (Resource usage for mining)
## Functionality
### Core Capabilities
- **Dependency Poisoning/Supply Chain Compromise:** The malicious code was introduced into version 8.3.41 of the `ultralytics` PyPI package.
- **Payload Delivery:** Upon installation/execution of the compromised package, the code initiates the download of the XMRig coin miner.
- **System Evaluation:** Infected files (`downloads.py`, `model.py`) are designed to evaluate system configurations prior to payload deployment.
### Advanced Features
- **GitHub Actions Exploit:** The attackers exploited a known GitHub Actions Script Injection vulnerability, crafting pull requests where malicious code was embedded in branch titles to execute arbitrary code within the build environment, bypassing standard code reviews.
- **Persistence/Re-injection:** Version 8.3.42, released presumably as a "fix," contained the same malicious code, indicating either a failure to clean the build environment or a deliberate second injection wave.
## Indicators of Compromise
*Note: The source report does not provide specific hashes or network C2 infrastructure, only the file/module names involved in the infection vector.*
- File Hashes: [Not provided]
- File Names: `ultralytics` versions 8.3.41 and 8.3.42 (PyPI packages). Malicious functionality was focused in `downloads.py` and `model.py` scripts within the package.
- Registry Keys: [Not provided]
- Network Indicators: XMRig is known to communicate with Monero mining pools (specific pool addresses: [Not provided])
- Behavioral Indicators: Unexpected outbound network connections originating from Python package execution contexts, execution of XMRig process, high CPU utilization post-package import.
## Associated Threat Actors
- The attack vector was linked to a GitHub account named **openimbot**, suggesting a possible account takeover or a dedicated adversary utilizing that persona.
## Detection Methods
- Signature-based detection: Signatures could target known XMRig executables or specific strings/patterns related to the malicious payload injection within the `ultralytics` package files.
- Behavioral detection: Monitoring for Python processes initiating file downloads followed by execution of non-standard binaries, or an unusual spike in CPU usage tied to newly installed packages.
- YARA rules: Rules targeting the artifact code injected into `downloads.py` or `model.py`.
## Mitigation Strategies
- **Dependency Review:** Implement strict code review processes, even for trusted maintainers, especially for changes related to build scripts or automated environments (like GitHub Actions).
- **Supply Chain Vigilance:** Use dependency scanning tools to check for known malicious packages or sudden updates to established libraries.
- **Isolation:** Run build and compilation environments in isolated containers to limit the scope of potential GitHub Actions injection exploitation.
- **Immediate Remediation:** Remove the compromised `ultralytics` versions immediately and move to version 8.3.43 or a later clean version.
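
The script injection described under Advanced Features arises when a workflow expands a pull-request-controlled value, such as a branch name, directly inside a `run:` script. The following is an added example, not code from the source report or the ultralytics project: a line-based scanner that flags such expansions during workflow review. The function name `find_script_injection`, the list of untrusted contexts and the sample workflow are assumptions made for illustration.

```python
import re

# Pull-request fields an outside contributor controls; the list is an assumption
# drawn from GitHub's hardening guidance, not from the ultralytics workflow.
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*?\b(github\.head_ref|"
    r"github\.event\.pull_request\.(?:head\.ref|head\.label|title|body))\b[^}]*\}\}"
)
RUN_KEY = re.compile(r"^([ -]*)run:\s*(.*)$")


def find_script_injection(workflow_text):
    """Return (line_no, context) for untrusted values expanded inside run: scripts."""
    findings = []
    run_col = None  # column of the active run: key, None when outside a script
    for no, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # a dedent closes the script block
        key = RUN_KEY.match(line) if run_col is None else None
        if key:
            run_col, body = len(key.group(1)), key.group(2)
        else:
            body = line if run_col is not None else ""
        findings += [(no, hit.group(1)) for hit in UNTRUSTED.finditer(body)]
    return findings


# Constructed sample workflow (not the ultralytics one): the same branch name
# is spliced into the script text in step 1 and passed as data in step 2.
SAMPLE = """\
on: pull_request
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable (expression pasted into the script)
        run: |
          git fetch origin
          git checkout ${{ github.head_ref }}
      - name: hardened (value reaches the shell only as data)
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          git checkout "$HEAD_REF"
"""

if __name__ == "__main__":
    for no, ctx in find_script_injection(SAMPLE):
        print(f"line {no}: ${{{{ {ctx} }}}} is expanded inside a run: script")
```

Only the first step is reported. The second step passes the same value through `env:` and a quoted shell variable, which is the form GitHub's hardening guidance recommends.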
## Related Tools/Techniques
- Software Supply Chain Attacks (General)
- PyPI Dependency Confusion/Poisoning incidents
- Attacks exploiting GitHub Actions (the source report references a vulnerability publicly reported by Adnan Khan)
- XMRig (Cryptocurrency Miner)