Analysis Summary
# Vulnerability: Ultralytics Supply Chain Compromise via Insecure GitHub Workflow Trigger
## CVE Details
- CVE ID: Not explicitly assigned; the vulnerability is a CI configuration/process flaw that led to a supply chain attack.
- CVSS Score: N/A (Configuration/Process failure leading to compromise)
- CWE: CWE-913 (Improper Isolation of Program Logic or Data) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) due to secret exfiltration.
## Affected Systems
- Products: Ultralytics Python package (`ultralytics/ultralytics`)
- Versions: Specifically, malicious releases uploaded to PyPI: v8.3.41, v8.3.42, v8.3.45, and v8.3.46 (all noted as deleted).
- Configurations: Repositories using the `ultralytics/actions` composite action within a GitHub Workflow triggered by `pull_request_target` (specifically `.github/workflows/format.yml`).
## Vulnerability Description
The core flaw exploited was the use of the highly privileged `pull_request_target` trigger in the `.github/workflows/format.yml` workflow. This workflow called a custom composite action (`ultralytics/actions@main`). When an incoming Pull Request (e.g., from an external contributor) carried a malicious branch name, the workflow executed code with the base repository's permissions and access to its secrets context, enabling:
1. Execution of arbitrary shell commands crafted in the branch name payload (`curl | bash`).
2. Execution within the context of the `pull_request_target` event, allowing modification of the base repository/code and, critically, access to repository secrets.
3. The attacker successfully exfiltrated configured repository secrets (including likely PyPI and GitHub PAT tokens), which were then used to push malicious crypto miner payloads directly to PyPI via four separate releases.
## Exploitation
- Status: Exploited in the wild (leading to malicious PyPI releases).
- Complexity: Low (Leveraged a known GitHub Actions misconfiguration pattern and malicious branch naming).
- Attack Vector: Network (via opening a malicious PR).
## Impact
- Confidentiality: High (Repository secrets, including production/deployment tokens, were compromised/exfiltrated).
- Integrity: Critical (Malware—a crypto miner—was injected directly into dependent downstream software via production releases on PyPI).
- Availability: Medium (Users installing compromised packages face performance degradation/resource consumption from the miner).
## Remediation
### Patches
- **Ultralytics Repository/Action**: The immediate vulnerability lies in the use of `pull_request_target` in workflows that interact with untrusted input (like PRs). This trigger should be replaced with `pull_request` or have strict checks preventing execution when the source branch is not trusted. The vulnerable custom action (`ultralytics/actions`) must be reviewed for safe usage.
- **Malicious Releases**: The specified malicious releases (v8.3.41, v8.3.42, v8.3.45, v8.3.46) have been deleted from PyPI.
### Workarounds
1. **Secret Revocation**: Immediately revoke **all** repository secrets configured in the `ultralytics/ultralytics` repository, especially any PyPI API tokens and the GitHub Personal Access Token referenced as `secrets._GITHUB_TOKEN`. Assume these assets are compromised.
2. **Bot Account Compromise**: Assume the `@UltralyticsAssistant` bot account is compromised and lock/reset its credentials if possible.
3. **Trust Boundary**: Audit all CI/CD workflows that use `pull_request_target` and ensure they only run in contexts where untrusted code/branches cannot execute sensitive steps or access secrets. Consider migrating to the `pull_request` trigger, with appropriate identity management if modification of the base repo is required.
## Detection
- **Indicators of Compromise (IOCs)**: Monitor network traffic originating from CI/CD runners for outbound connections associated with known cryptocurrency mining pools or unusual outbound connections to untrusted external URLs during workflow execution. External indicators included the discovery of the malicious uploads v8.3.41, v8.3.42, v8.3.45, and v8.3.46 on PyPI.
- **Detection Methods and Tools**: Security monitoring tools should flag the use of `pull_request_target` combined with composite actions loading code from external/untrusted sources. Static analysis security testing (SAST) tools designed to check GitHub Actions configurations (like the mentioned `zizmor`) can detect the insecure trigger usage.
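As an added example (not code from the original analysis, from zizmor, or from the Ultralytics project), the following Python script shows the insecure workflow shape described under Vulnerability Description next to a hardened form, and runs a small zizmor-style static check over both. Both workflow texts are constructed for illustration rather than copied from `format.yml`; `example-org/actions` and the 40-hex checkout SHA are placeholders, and the regex-based scanner is a simplified stand-in for a real linter such as zizmor, which parses the YAML properly.

```python
"""Mini-audit for the GitHub Actions pattern discussed in this report.

Added example, not code from the original report or from the Ultralytics
project. The two embedded workflows are constructed for illustration and
are not the real format.yml; the scanner is a deliberately small,
regex-based stand-in for a real workflow linter such as zizmor.
"""
import re

# Constructed: the insecure shape. A privileged trigger, the PR head checked
# out, the branch name expanded inside a shell command, and a mutable action ref.
VULNERABLE_WORKFLOW = """\
name: Format (constructed insecure example)
on:
  pull_request_target:
    branches: [main]
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Report branch
        run: echo "Formatting branch ${{ github.head_ref }}"
      - uses: example-org/actions@main
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed: the hardened shape. `pull_request` gives fork PRs no secrets,
# the branch name reaches the shell as an environment variable (data, not
# command text), and the action is pinned to a commit SHA (placeholder value).
HARDENED_WORKFLOW = """\
name: Format (constructed hardened example)
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Report branch
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: echo "Formatting branch $HEAD_REF"
"""

# Trigger that runs with the base repository's secrets and permissions.
PRIVILEGED_TRIGGER_RE = re.compile(r"\bpull_request_target\b")
# `${{ ... }}` expressions whose value an external PR author controls.
UNTRUSTED_EXPR_RE = re.compile(
    r"\$\{\{[^}]*github\.("
    r"head_ref"
    r"|event\.pull_request\.(title|body|head\.(ref|label))"
    r"|event\.(issue\.(title|body)|comment\.body|head_commit\.message)"
    r")[^}]*\}\}"
)
RUN_KEY_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+?)@(\S+)\s*(?:#.*)?$")
HEAD_CHECKOUT_RE = re.compile(
    r"^\s*ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def run_blocks(lines):
    """Yield (line_no, script_text) for every `run:` step.

    For block scalars (`run: |`) the script continues on following lines that
    are indented deeper than the `run` key itself.
    """
    i = 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")
        script, start, i = [m.group(3)], i, i + 1
        while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > key_col):
            script.append(lines[i])
            i += 1
        yield start + 1, "\n".join(script)


def audit_workflow(text):
    """Return a list of (rule_id, line_no, message) findings for one workflow."""
    lines = text.splitlines()
    findings = []
    privileged = any(PRIVILEGED_TRIGGER_RE.search(l) for l in lines)
    if privileged:
        no = next(n for n, l in enumerate(lines, 1) if PRIVILEGED_TRIGGER_RE.search(l))
        findings.append(("privileged-trigger", no,
                         "pull_request_target runs with base-repo secrets on external PRs"))
    for no, script in run_blocks(lines):
        if UNTRUSTED_EXPR_RE.search(script):
            findings.append(("template-injection", no,
                             "attacker-controlled expression expanded inside a shell step"))
    for no, line in enumerate(lines, 1):
        if privileged and HEAD_CHECKOUT_RE.match(line):
            findings.append(("untrusted-checkout", no,
                             "PR head checked out inside a privileged workflow"))
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):
            findings.append(("unpinned-uses", no,
                             f"{m.group(1)}@{m.group(2)} is a mutable ref, not a commit SHA"))
    return findings


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf) or "no findings")
```

The three properties the hardened form changes are the ones the description above turns on: the trigger (so a fork PR gets no secrets and a read-only token), the expansion of the branch name (via `env:` so the shell receives it as a variable value rather than as part of the command text), and the action reference (pinned to an immutable commit rather than a branch such as `@main`). A real linter such as zizmor applies the same kinds of rules over a proper YAML parse rather than line regexes.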
## References
- Vendor advisories: Information derived from the analysis post on ENOSUCHBLOG.
- Relevant links:
  - Analysis Source: enosuchblog (dot) net/2024/12/06/zizmor-ultralytics-injection
  - Malicious PR reference: github (dot) com/ultralytics/ultralytics/pull/18020 (Note: the branch name contained the execution payload)