Full Report
In December 2024, the popular Ultralytics AI library was compromised, installing malicious code that hijacked system resources for cryptocurrency mining. In August 2025, malicious Nx packages leaked 2,349 GitHub, cloud, and AI credentials. Throughout 2024, ChatGPT vulnerabilities allowed unauthorized extraction of user data from AI memory. The result: 23.77 million secrets were leaked through AI
Analysis Summary
# Incident Report: Major Credential and Data Leakage via AI Supply Chain and LLM Vulnerabilities (2024-2025)
## Executive Summary
Between 2024 and August 2025, several security incidents targeted AI systems and the software supply chains around them, compromising credentials and user data at scale. The attackers published malicious versions of trusted packages (Ultralytics on PyPI, Nx on npm) and exploited LLM weaknesses (ChatGPT memory) that traditional security controls did not catch. The source also cites 23.77 million secrets leaked in 2024; that is an aggregate figure for the year, not the combined impact of these three incidents.
## Incident Details
- **Discovery Date:** Not stated; the source gives only the occurrence dates, with the incidents surfacing through later analysis and public reporting.
- **Incident Date:** Focused events occurred in December 2024 (Ultralytics), throughout 2024 (ChatGPT data extraction), and August 2025 (Nx packages).
- **Affected Organization:** Ultralytics (compromised AI library and its users), OpenAI/ChatGPT (LLM and its users), and the developers and organizations that installed the malicious Nx packages (credential theft).
- **Sector:** Technology/Software Development, AI Services, Cloud Services.
- **Geography:** Not specified beyond the global nature of the involved libraries and services.
## Timeline of Events
### Initial Access
- **Date/Time (Approx.):** 2024 through August 2025
- **Vector:** Software supply chain compromise (Ultralytics, Nx) and LLM vulnerabilities (ChatGPT).
- **Details:**
* **Dec 2024:** Ultralytics AI library was compromised, deploying malicious code via package update.
* **Throughout 2024:** ChatGPT vulnerabilities were exploited to extract user data from AI memory.
* **Aug 2025:** Malicious Nx packages were published, carrying credential-exfiltration code.
### Execution and Credential Access
- **Date/Time (Approx.):** Immediately after installation of the malicious package versions.
- **Vector:** Cryptomining payload (Ultralytics) and credential harvesting (Nx).
- **Details:** The compromised Ultralytics versions ran code that consumed host CPU/GPU for cryptocurrency mining. The malicious Nx packages harvested GitHub, cloud, and AI credentials from the installing host. The source describes no lateral movement beyond this point; the stolen credentials would enable it, but no onward use is documented.
### Data Exfiltration/Impact
- **Date/Time (Approx.):** Throughout 2024 (ChatGPT, Ultralytics) and August 2025 (Nx).
- **What was stolen or damaged:**
* **2024:** 23.77 million secrets leaked during the year (the source's aggregate figure; it is not tied to a single incident).
* **Aug 2025:** 2,349 GitHub, cloud, and AI credentials were leaked via Nx packages.
* System resources were hijacked for cryptocurrency mining (Ultralytics incident).
### Detection & Response
- **How it was discovered:** Not explicitly detailed in the source, but the incidents became known through subsequent analysis or reporting after the fact.
- **Response actions taken:** Not detailed. The primary takeaway is that existing traditional security frameworks *failed* to prevent these attacks.
## Attack Methodology
| Category | Method |
| :--- | :--- |
| **Initial Access** | Software Supply Chain Attack (Malicious Library/Package Injection: Ultralytics, Nx packages). Prompt Injection targeting LLMs (ChatGPT). |
| **Persistence** | Malicious package versions remained installed until removed (Ultralytics, Nx); the ChatGPT memory feature retains data across sessions, which is what the extraction targeted. |
| **Privilege Escalation** | Not described; the package payloads ran with the privileges of the user or build job that installed them, and the LLM attacks used the model's own access to stored memory. |
| **Defense Evasion** | Malicious code arrived inside routinely updated, trusted packages, and the LLM attacks used natural-language content rather than the syntax that signature-based or input-validation controls recognise. |
| **Credential Access** | Direct theft of GitHub, cloud, and AI credentials via malicious Nx packages. |
| **Discovery** | Not detailed. |
| **Lateral Movement** | Not described in the source. |
| **Collection** | Unauthorized extraction of user data from AI memory (ChatGPT). |
| **Exfiltration** | Credentials harvested by the Nx packages were sent off the affected hosts; user data was extracted from ChatGPT memory. The source does not describe the exfiltration channel. |
| **Impact** | Cryptojacking (resource hijacking) and large-scale credential theft. |
## Impact Assessment
- **Financial:** Not specified, but significant costs associated with remediation and potential losses from cryptocurrency mining and credential usage (e.g., cloud resource abuse).
- **Data Breach:** **2,349 high-value credentials** (GitHub, cloud, AI) leaked via the Nx packages in August 2025; user data extracted from ChatGPT memory during 2024. The **23.77 million secrets** figure for 2024 is the source's aggregate for the year, not a count attributable to these incidents.
- **Operational:** Hosts running compromised Ultralytics versions lost CPU/GPU capacity to cryptomining; affected package versions had to be identified and removed from builds and deployments.
- **Reputational:** Negative impact due to widespread compromise of popular tools (Ultralytics) and services (ChatGPT).
## Indicators of Compromise
*(Note: The source material focuses on attack *vectors* and *outcomes* rather than specific IoCs. The following are inferred general indicators based on the attack types described.)*
- **Network Indicators:** Outbound connections from hosts running the affected library to cryptocurrency mining pools. Unexpected outbound requests from developer or CI hosts shortly after a package install (Nx).
- **File Indicators:** Malicious versions of the `ultralytics` package in Python site-packages (installed via `pip` from PyPI). Malicious Nx package versions installed via `npm` or similar Node package managers.
- **Behavioral Indicators:** Sustained high CPU/GPU utilization not correlated with legitimate workloads (cryptojacking). Unexpected output, stored memory entries, or configuration changes in an LLM session resulting from adversarial input.
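The behavioural indicators above are what a host-telemetry rule would key on. The following is an added example written for this report, not tooling from Ultralytics, Nx or any vendor: it scores constructed process and connection samples, treating sustained high CPU as suspicious only when paired with a connection to a port commonly used by Stratum mining pools, because high CPU alone is the normal state of a machine-learning host. The telemetry layout, thresholds and port list are assumptions to be tuned for a real estate.

```python
"""Score host telemetry for cryptojacking behaviour.

Added example for this report; the record layout, thresholds and port list
are assumptions, and every sample below is constructed.
"""
from collections import defaultdict

# Ports commonly used by Stratum mining pools (assumption: extend for your estate).
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}
CPU_THRESHOLD = 85.0   # percent of one core, sustained
MIN_HOT_SAMPLES = 3    # samples at or above the threshold before CPU counts

# Constructed samples: (host, pid, process name, cpu_percent, remote host, remote port)
SAMPLES = [
    ("build-01", 4242, "python3", 97.0, "203.0.113.10", 3333),
    ("build-01", 4242, "python3", 96.5, "203.0.113.10", 3333),
    ("build-01", 4242, "python3", 98.1, "203.0.113.10", 3333),
    ("build-01", 1001, "node", 40.0, "registry.example", 443),
    ("ml-02", 777, "python3", 99.0, "data.example", 443),    # legitimate training job
    ("ml-02", 777, "python3", 99.0, "data.example", 443),
    ("ml-02", 777, "python3", 99.0, "data.example", 443),
    ("dev-03", 55, "worker", 20.0, "198.51.100.7", 14444),   # pool contact, low CPU so far
]


def score_processes(samples, cpu_threshold=CPU_THRESHOLD,
                    min_hot=MIN_HOT_SAMPLES, pool_ports=MINING_POOL_PORTS):
    """Return {(host, pid, name): (severity, reasons)} for suspicious processes.

    high   = sustained CPU plus a mining-pool port connection
    medium = mining-pool port connection only
    CPU alone is not reported: on ML hosts it is the normal state.
    """
    by_proc = defaultdict(list)
    for host, pid, name, cpu, rhost, rport in samples:
        by_proc[(host, pid, name)].append((cpu, rhost, rport))

    findings = {}
    for key, recs in by_proc.items():
        reasons = []
        hot = sum(1 for cpu, _, _ in recs if cpu >= cpu_threshold)
        pools = sorted({(rh, rp) for _, rh, rp in recs if rp in pool_ports})
        if pools:
            reasons.append("mining-pool port contact: " +
                           ", ".join(f"{h}:{p}" for h, p in pools))
        if hot >= min_hot:
            reasons.append(f"CPU >= {cpu_threshold}% in {hot} samples")
        if pools and hot >= min_hot:
            findings[key] = ("high", reasons)
        elif pools:
            findings[key] = ("medium", reasons)
    return findings


if __name__ == "__main__":
    for (host, pid, name), (sev, why) in score_processes(SAMPLES).items():
        print(f"{sev.upper():6} {host} pid={pid} {name}: {'; '.join(why)}")
```

Run stand-alone it reports `build-01` pid 4242 as high and `dev-03` pid 55 as medium, and stays silent on the training job on `ml-02`. Port-based matching misses pools on non-standard ports, so in practice the pool list should be backed by threat-intelligence destinations rather than ports alone.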
## Response Actions
- **Containment:** (Inferred: Isolating compromised systems, revoking exposed credentials, removing malicious versions of Ultralytics/Nx packages from artifact repositories).
- **Eradication:** (Inferred: removing the mining processes and malicious package versions from affected hosts and caches, and clearing injected or exposed content from affected AI memory).
- **Recovery:** (Inferred: Implementing stricter supply chain vetting processes, rolling out security patches for LLM endpoints, resetting all 2,349 leaked credentials).
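Revoking exposed credentials starts with an inventory of what was exposed. The following added example (not part of the source report or any vendor's tooling) scans constructed file contents for credential-shaped strings and reports each with a redacted preview and a SHA-256 fingerprint, so the revocation tracker never stores the raw value. The GitHub and AWS patterns follow the public token formats; the generic assignment rule and the sample file are assumptions.

```python
"""Inventory credential-shaped strings so they can be revoked and tracked.

Added example for this report. The GitHub and AWS patterns follow the public
token formats; the generic assignment rule and the sample file are assumptions.
"""
import hashlib
import re

RULES = [
    # (kind, pattern, regex group holding the secret value)
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 0),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    # Generic: a KEY/SECRET/TOKEN-style variable assigned a long opaque value (assumption).
    ("generic_secret_assignment",
     re.compile(r"(?i)(?:api_key|secret|token)[A-Za-z0-9_]*\s*[=:]\s*['\"]?([A-Za-z0-9/_+\-.]{20,})"), 1),
]

# Constructed sample .env; none of these are real credentials.
SAMPLE_ENV = (
    "# constructed sample .env file\n"
    f"GITHUB_TOKEN=ghp_{'A' * 36}\n"
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    "OPENAI_API_KEY=sk-constructedexamplevalue0123456789abcdef\n"
    "LOG_LEVEL=debug\n"
)


def redact(value):
    """Keep enough to recognise the token, never the whole value."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def fingerprint(value):
    """Stable identifier for the revocation tracker that does not store the secret."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan_text(text, rules=RULES):
    """Return one finding per distinct secret per line; specific rules win over the generic one."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for kind, pattern, group in rules:
            for m in pattern.finditer(line):
                value = m.group(group)
                if value in seen:        # already reported by a more specific rule
                    continue
                seen.add(value)
                findings.append({"line": lineno, "kind": kind,
                                 "redacted": redact(value),
                                 "fingerprint": fingerprint(value)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV):
        print(f"line {f['line']:>3} {f['kind']:<26} {f['redacted']:<14} sha256:{f['fingerprint']}")
```

The fingerprint is what gets attached to the revocation ticket and later compared against secret-scanner alerts; the full value is never written to the tracker or its logs.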
## Lessons Learned
- Traditional security frameworks (NIST, ISO 27001, CIS Controls) are insufficient for AI-native threats, as they lack controls for vectors like prompt injection and extraction of data from model memory.
- Software supply chain security must be rigorously maintained, especially for popular dependencies like AI/ML libraries.
- LLMs introduce novel attack surfaces by processing natural language input that easily bypasses legacy syntax-based input validation controls.
## Recommendations
- Implement specialized AI security controls that specifically address data extraction from model memory and prompt injection vulnerabilities.
- Adopt granular access controls and runtime monitoring for AI model interactions, treating prompts as potentially malicious input needing deep semantic analysis, not just syntax validation.
- Mandate stricter validation, signing, and monitoring for third-party library dependencies to prevent supply chain compromise similar to the Ultralytics and Nx incidents.
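Two concrete forms of the dependency validation recommended above, as an added example that is not code from the incident source, Ultralytics, Nx, pip or npm: a check that a pip requirements file pins exact versions with sha256 hashes, and a check that an npm package-lock.json (lockfileVersion 2/3 layout) carries integrity hashes, resolves to the expected registry, and flags packages that run install scripts. Package names, versions, hashes and the registry URL are constructed placeholders.

```python
"""Audit dependency manifests for exact pins, hashes, registry origin and install scripts.

Added example for this report, not code from Ultralytics, Nx, pip or npm.
Package names, versions, hashes and the registry URL are constructed placeholders.
"""
import json
import re

EXPECTED_NPM_REGISTRY = "https://registry.npmjs.org/"   # assumption: set to your mirror

# Constructed requirements.txt: one fully pinned entry, one range, one pin without hash.
# The all-zero hash is a placeholder; only its presence is checked here.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
numeric==1.26.4 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
vision-lib>=8.3
http-client==2.32.3
"""

# Constructed package-lock.json (lockfileVersion 3 layout).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/build-tool": {
            "version": "21.5.0",
            "resolved": "https://registry.npmjs.org/build-tool/-/build-tool-21.5.0.tgz",
            "integrity": "sha512-BBBB", "hasInstallScript": True},
        "node_modules/mystery": {
            "version": "0.1.0",
            "resolved": "https://mirror.example.net/mystery-0.1.0.tgz"},
    },
})


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    return out


def audit_requirements(text):
    """Flag entries without an exact '==' pin or without a --hash=sha256 option."""
    findings = []
    for line in _logical_lines(text):
        tokens = line.split()
        spec, opts = tokens[0], tokens[1:]
        if spec.startswith("-"):            # -r, -e, --index-url and friends
            findings.append((spec, "option line; review manually"))
            continue
        name = re.split(r"[=<>!~\[ ]", spec, maxsplit=1)[0]
        if "==" not in spec:
            findings.append((name, "not pinned to an exact version"))
        if not any(o.startswith("--hash=sha256:") for o in opts):
            findings.append((name, "no sha256 hash pin"))
    return findings


def audit_package_lock(lock_json, registry=EXPECTED_NPM_REGISTRY):
    """Flag lock entries lacking integrity, resolved elsewhere, or running install scripts."""
    findings = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if path == "":                      # the root project itself
            continue
        ident = f"{path.rsplit('node_modules/', 1)[-1]}@{meta.get('version', '?')}"
        if not meta.get("integrity"):
            findings.append((ident, "no integrity hash"))
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(registry):
            findings.append((ident, f"resolved outside expected registry: {resolved}"))
        if meta.get("hasInstallScript"):
            # Install scripts run arbitrary code at install time; review them or install with --ignore-scripts.
            findings.append((ident, "runs install scripts"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_requirements(SAMPLE_REQUIREMENTS) + audit_package_lock(SAMPLE_LOCK):
        print(f"{name}: {problem}")
```

The audit enforces what the installers can then verify: `pip install --require-hashes -r requirements.txt` refuses any entry without a matching hash, and `npm ci --ignore-scripts` installs exactly the lockfile without running package install hooks. The requirements parser handles the common pin-plus-hash layout only; URL and editable requirements are reported for manual review rather than parsed.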