{"id":712,"date":"2024-12-14T05:22:44","date_gmt":"2024-12-14T05:22:44","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2024\/12\/14\/ultralytics-supply-chain-attack-html\/"},"modified":"2024-12-14T05:22:44","modified_gmt":"2024-12-14T05:22:44","slug":"ultralytics-supply-chain-attack-html","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2024\/12\/14\/ultralytics-supply-chain-attack-html\/","title":{"rendered":"Ultralytics Supply-Chain Attack"},"content":{"rendered":"\n<div>Ultralytics Supply-Chain Attack<\/div>\n<p> \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>Last week, we saw a supply-chain attack against the Ultralytics AI library on GitHub. A <a href=\"https:\/\/www.reversinglabs.com\/blog\/compromised-ultralytics-pypi-package-delivers-crypto-coinminer\">quick summary<\/a>:<\/p>\n<blockquote>\n<p>On December 4, a malicious version 8.3.41 of the popular AI library <i>ultralytics<\/i> \u00ad\u2014which has almost 60 million downloads\u2014was published to the Python Package Index (PyPI) package repository. The package contained downloader code that was downloading the <i>XMRig<\/i> coinminer. The compromise of the project\u2019s build environment was achieved by exploiting a known and previously reported GitHub Actions script injection.<\/p>\n<\/blockquote>\n<p>Lots more details at that link. Also <a href=\"https:\/\/blog.yossarian.net\/2024\/12\/06\/zizmor-ultralytics-injection\">here<\/a>.<\/p>\n<p>Seth Michael Larson\u2014the security developer in residence with the Python Software Foundation, responsible for, among other things, securing PyPi\u2014has a good <a href=\"https:\/\/blog.pypi.org\/posts\/2024-12-11-ultralytics-attack-analysis\/\">summary<\/a> of what should be done next:<\/p>\n<blockquote>\n<p>From this story, we can see a few places where PyPI can help developers towards a secure configuration without infringing on existing use-cases.<\/p>\n<ul>\n<li>API tokens are allowed to go unused alongside Trusted Publishers. It\u2019s valid for a project to use a mix of API tokens and Trusted Publishers because Trusted Publishers aren\u2019t universally supported by all platforms. However, API tokens that are being unused over a period of time despite releases continuing to be published via Trusted Publishing is a strong indicator that the API token is no longer needed and can be revoked.\n<\/li>\n<li>GitHub Environments are optional, but recommended, when using a GitHub Trusted Publisher. However, PyPI doesn\u2019t fail or warn users that are using a GitHub Environment that the corresponding Trusted Publisher isn\u2019t configured to require the GitHub Environment. This fact didn\u2019t end up mattering for this specific attack, but during the investigation it was noticed as something easy for project maintainers to miss.<\/li>\n<\/ul>\n<\/blockquote>\n<p>There\u2019s also a more general \u201cWhat can you do as a publisher to the Python Package Index\u201d list at the end of the blog post.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Bruce Schneier<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/www.schneier.com\/blog\/archives\/2024\/12\/ultralytics-supply-chain-attack.html\">Go to bruce schneier<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ultralytics Supply-Chain Attack Last week, we saw a supply-chain attack against the Ultralytics AI library on GitHub. A quick summary: On December 4, a malicious version 8.3.41 of the popular AI library ultralytics \u00ad\u2014which has almost 60 million downloads\u2014was published to the Python Package Index (PyPI) package repository. The package contained downloader code that was [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57,407,1],"tags":[87],"class_list":["post-712","post","type-post","status-publish","format-standard","hentry","category-bruce-schneier","category-supply-chain","category-uncategorized","tag-bruce-schneier"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/712"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=712"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/712\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=712"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=712"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=712"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}