Ultralytics YOLO11 AI Model was Compromised via a Supply Chain Attack
Don’t forget that you can vote up to 50-times a day for your favorite articles on Medium. We accept more than 1-vote, as it helps us spread the Cybersecurity insights into Crypto.
How Was the Model Hijacked?
The Ultralytics YOLO11 AI model was compromised via a supply chain attack. Malicious actors submitted two pull requests (PRs) with injected code under deceptively named branches. When the compromised versions (8.3.41 and 8.3.42) were uploaded to PyPI, the injected code silently installed XMRig, a Monero cryptocurrency miner, onto user devices. This miner connected to a mining pool via a malicious endpoint. The attack targeted open-source distribution channels and exploited PyPI’s trust model.
What is YOLO11?
YOLO11 stands for “You Only Look Once, version 11”. It’s an advanced AI model used in object detection — a technology that identifies and classifies objects in images or videos, like detecting a car, a person, or a dog in a photo.
How Does It Work?
The “You Only Look Once” approach is special because it processes an entire image in a single pass through the model, making it:
- Extremely Fast: Real-time performance, even on video streams.
- Accurate: It can detect multiple objects in a single image while estimating their positions.
What is It Used For?
YOLO11 is widely used across industries like:
- Security: Identifying intruders in surveillance footage.
- Healthcare: Detecting tumors in medical images.
- Retail: Monitoring products on shelves.
- Autonomous Vehicles: Recognizing pedestrians, other vehicles, and road signs.
- Robotics: Enabling robots to navigate or interact with their environment.
Who Created It?
YOLO models were first introduced by Joseph Redmon in 2016, and Ultralytics, a company specializing in AI tools, has since developed YOLO into an open-source project. YOLO11 is the latest and most advanced version, incorporating cutting-edge algorithms for better speed and accuracy.
Why is YOLO11 Special?
- Open-Source: It’s free and available for anyone to use, modify, or integrate into their projects.
- Real-Time Processing: Ideal for applications that need fast decision-making, like live video analysis.
- Versatility: YOLO11 can handle a wide range of tasks and industries, from hobby projects to enterprise solutions.
Who Is at Risk and Why/Why Not?
At Risk:
- Developers using Ultralytics YOLO11 as a dependency: Projects relying on compromised versions (e.g., SwarmUI and ComfyUI) were directly affected.
- Google Colab users: Users running YOLO11 on cloud-based platforms faced bans due to “abusive activity” caused by unauthorized cryptomining.
- Organizations using open-source software: The attack highlights risks for industries heavily relying on open-source tools, especially in AI, computer vision, and object detection.
- Overall Threat: Ultralytics tools are open-source and are used by numerous projects spanning a wide range of industries and applications. The library has been starred 33,600 times and forked 6,500 times on GitHub, and it has had over 260,000 downloads from PyPI alone over the past 24 hours.
Not at Risk:
- Users and developers who didn’t upgrade to versions 8.3.41 or 8.3.42 or who only used the patched version (8.3.43).
What Crypto Mining Operations Are at Risk?
General Risks:
- Cryptomining operations that rely on third-party libraries or software are vulnerable if these dependencies are not carefully vetted.
- Open-source repositories with limited security oversight are prime targets for similar supply chain attacks.
Specific Risks:
- Cloud compute platforms like Google Colab, AWS, or Azure can be abused for mining activities when malicious code is introduced into the environments running on them.
- Dependencies of mining software: Attackers could target less-secure pools or the libraries that mining operations themselves depend on.
Could This Happen Again?
Yes, supply chain attacks are increasingly common and could happen again. Open-source ecosystems are particularly vulnerable due to:
- High reliance on community contributions.
- Lack of stringent code review processes for PRs.
- Trust placed in public package repositories like PyPI, npm, or GitHub.
How to Prevent Supply Chain Attacks?
For Developers:
- Code Review: Implement strict PR reviews, including branch names, commit history, and source verification.
- Dependency Scanning: Use tools like Dependabot or Snyk to monitor vulnerabilities in dependencies.
- Build Environment Security: Harden the build environment, secure CI/CD pipelines, and monitor for unauthorized changes.
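The article says the malicious pull requests came in under deceptively named branches and that PR review should cover branch names, but it does not say how a branch name can do harm. The example below is added here and is not code from the article or from Ultralytics. It assumes one well-documented way a branch name becomes dangerous: a GitHub Actions workflow that expands pull-request-controlled fields (such as `github.event.pull_request.head.ref`) directly inside a `run:` step, where the runner substitutes the text into the shell script before it executes. The checker flags that pattern, and the two workflow fragments are constructed for the example: the weak form interpolates the branch name into the script, the hardened form passes it through `env:` so the shell only ever sees a variable.

```python
import re

# Expression contexts GitHub documents as attacker-controlled in pull request
# workflows; anything expanded from these into a shell step is untrusted text.
UNTRUSTED_CONTEXTS = (
    "github.head_ref",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.head_commit.message",
)
EXPRESSION = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def find_unsafe_interpolations(workflow_text):
    """Return (line_number, context) for every untrusted expression that is
    expanded inside a `run:` step. Expressions used in `env:` or `with:` are
    not reported, because those values are not parsed by the shell."""
    findings = []
    in_run = False
    run_indent = -1
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith("- run:"):
            in_run, run_indent = True, indent + 2   # sibling keys of this step sit at indent+2
        elif stripped.startswith("run:"):
            in_run, run_indent = True, indent
        elif in_run and stripped and indent <= run_indent:
            in_run = False                          # block scalar ended, back to YAML keys
        if not in_run:
            continue
        for match in EXPRESSION.finditer(line):
            for ctx in UNTRUSTED_CONTEXTS:
                if ctx in match.group(1):
                    findings.append((lineno, ctx))
    return findings


# Constructed workflow fragments for the example (not from the Ultralytics repository).
WEAK_WORKFLOW = """\
name: ci
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Show branch
        run: |
          echo "Building ${{ github.event.pull_request.head.ref }}"
          make test
"""

HARDENED_WORKFLOW = """\
name: ci
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Show branch
        env:
          BRANCH: ${{ github.event.pull_request.head.ref }}
        run: |
          echo "Building $BRANCH"
          make test
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, find_unsafe_interpolations(text))
```

Running it reports line 10 of the weak workflow and nothing for the hardened one. The hardened form still reads the branch name, it just never lets the runner paste it into a script; combined with the PR review the article calls for, this is the check a reviewer can automate on every workflow file in the repository.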
For Users:
- Verify Packages: Only download from verified, trusted sources. Verify hashes/signatures if provided.
- Use Sandboxing: Run untrusted code in isolated environments.
- Perform Audits: Regularly audit and update dependencies to avoid lingering vulnerabilities.
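The three user-side steps above (verify hashes, avoid the compromised releases, audit pins) can be turned into one script. This is an added example, not code from the article or from Ultralytics: it parses a pip requirements file pinned with `--hash=sha256:...` entries, checks a downloaded artifact against those hashes, and flags the two release numbers the article names as compromised (8.3.41 and 8.3.42). The wheel file, its contents and the hashes are constructed inside the script so it runs offline; on a real project you would point it at your own requirements file and the files pip downloaded.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Versions the article names as compromised; 8.3.43 is the patched release.
COMPROMISED = {"ultralytics": {"8.3.41", "8.3.42"}}

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)==([^\s\\]+)")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_hashed_requirements(text):
    """Parse pip requirements of the form `name==version --hash=sha256:...`,
    joining backslash-continued lines. Returns {name: (version, {hashes})}."""
    pins, logical = {}, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            logical.append(line[:-1])
            continue
        logical.append(line)
        joined, logical = " ".join(logical), []
        match = REQ_LINE.match(joined)
        if not match:
            continue
        name, version = match.group(1).lower(), match.group(2)
        pins[name] = (version, set(HASH_OPT.findall(joined)))
    return pins


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_pin(name, version, pins):
    """List the problems with installing name==version under these pins."""
    problems = []
    if version in COMPROMISED.get(name.lower(), set()):
        problems.append(f"{name}=={version} is a known compromised release")
    pin = pins.get(name.lower())
    if pin is None:
        problems.append(f"{name} is not pinned")
    elif pin[0] != version:
        problems.append(f"{name} pinned to {pin[0]}, but {version} requested")
    elif not pin[1]:
        problems.append(f"{name}=={version} has no --hash entries")
    return problems


def verify_artifact(path, name, pins):
    """True only if the file's sha256 matches one of the pinned hashes for name."""
    pin = pins.get(name.lower())
    if pin is None or not pin[1]:
        return False
    return sha256_of(path) in pin[1]


def build_demo():
    """Constructed inputs: a stand-in wheel, a tampered copy, and a pinned
    requirements file whose hash was taken from the good file."""
    tmp = Path(tempfile.mkdtemp())
    good = tmp / "ultralytics-8.3.43-py3-none-any.whl"   # not a real wheel
    good.write_bytes(b"constructed wheel payload for the example\n")
    tampered = tmp / "tampered.whl"
    tampered.write_bytes(b"constructed wheel payload for the example, modified\n")
    requirements = (
        "ultralytics==8.3.43 \\\n"
        f"    --hash=sha256:{sha256_of(good)}\n"
        "numpy==1.26.4 --hash=sha256:" + "0" * 64 + "\n"   # placeholder hash
    )
    return good, tampered, parse_hashed_requirements(requirements)


if __name__ == "__main__":
    good, tampered, pins = build_demo()
    print("good artifact verifies:", verify_artifact(good, "ultralytics", pins))
    print("tampered artifact verifies:", verify_artifact(tampered, "ultralytics", pins))
    print("8.3.42:", check_pin("ultralytics", "8.3.42", pins))
    print("8.3.43:", check_pin("ultralytics", "8.3.43", pins))
```

The same pins can be enforced by pip itself with `pip install --require-hashes -r requirements.txt`, which refuses any file whose hash is missing or mismatched; the script adds the version deny-list and a readable report, which is what an audit of lingering dependencies needs.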
How Can Warden & CNAPP Stop Threats Like This?
Warden:
- Default Deny: Blocks unauthorized processes like XMRig by default, preventing cryptominers from running even if introduced via compromised code.
- Kernel API Virtualization: Prevents malicious actors from exploiting system resources by controlling access to sensitive kernel functions used by cryptominers.
- Behavioral Analytics: Detects anomalous activities (e.g., high CPU/GPU usage typical of cryptominers) in real time.
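The three Warden points above (default deny, control of what a process may reach, behavioural detection of sustained CPU load) are what a host-level miner detector combines. The example below is added here and is not Warden's code or anything from the article; it assumes a host whose allowed executables and egress destinations are known, and runs the three checks over a constructed snapshot of three processes. One of them is a legitimate model-training job that is just as CPU-hungry as a miner, which is why the verdict needs more than one signal before it says block.

```python
from dataclasses import dataclass


@dataclass
class ProcessSnapshot:
    pid: int
    exe: str            # resolved executable path
    cmdline: str
    cpu_pct: list       # CPU readings per interval, oldest first
    remote: list        # (host, port) of established outbound connections


# Constructed policy for the example: a training host should only run these
# binaries and only talk to these destinations. Real policy comes from inventory.
ALLOWED_EXES = {"/usr/bin/python3", "/usr/bin/bash", "/usr/bin/git"}
ALLOWED_EGRESS = {"pypi.org", "files.pythonhosted.org", "github.com"}
MINER_MARKERS = ("xmrig", "stratum+tcp://", "stratum+ssl://", "--donate-level")
CPU_THRESHOLD = 85.0
SUSTAINED_SAMPLES = 5


def classify(proc):
    """Return the list of independent reasons this process looks like a miner."""
    reasons = []
    if proc.exe not in ALLOWED_EXES:
        reasons.append("default-deny: executable not on allowlist")
    blob = f"{proc.exe} {proc.cmdline}".lower()
    hits = [marker for marker in MINER_MARKERS if marker in blob]
    if hits:
        reasons.append("miner marker in command line: " + ", ".join(hits))
    bad_egress = [host for host, _ in proc.remote if host not in ALLOWED_EGRESS]
    if bad_egress:
        reasons.append("outbound connection to unexpected host: " + ", ".join(bad_egress))
    recent = proc.cpu_pct[-SUSTAINED_SAMPLES:]
    if len(recent) == SUSTAINED_SAMPLES and min(recent) >= CPU_THRESHOLD:
        reasons.append(f"sustained CPU >= {CPU_THRESHOLD:.0f}% over {SUSTAINED_SAMPLES} samples")
    return reasons


def verdict(reasons):
    """High CPU alone is normal on a training host, so a single signal is only
    a review item; two or more independent signals mean block."""
    if len(reasons) >= 2:
        return "block"
    return "review" if reasons else "allow"


def triage(snapshots):
    """Map pid -> reasons for every process with at least one finding."""
    result = {}
    for proc in snapshots:
        reasons = classify(proc)
        if reasons:
            result[proc.pid] = reasons
    return result


# Constructed snapshot: a miner dropped in a cache directory, a legitimate
# training run, and an idle shell. Hostnames are placeholders, not real IoCs.
SNAPSHOTS = [
    ProcessSnapshot(4242, "/tmp/.cache/xmrig",
                    "xmrig -o stratum+tcp://pool.example.invalid:3333 --donate-level 1",
                    [92, 95, 97, 96, 98, 99], [("pool.example.invalid", 3333)]),
    ProcessSnapshot(1200, "/usr/bin/python3", "python3 train.py --epochs 50",
                    [90, 95, 97, 99, 98, 97], []),
    ProcessSnapshot(800, "/usr/bin/bash", "bash", [1, 2, 1, 0, 1], []),
]

if __name__ == "__main__":
    for pid, reasons in triage(SNAPSHOTS).items():
        print(pid, verdict(reasons), reasons)
```

The miner trips all four checks and is blocked; the training job trips only the CPU check and is queued for review rather than killed, which is the trade-off a behavioural rule on an AI workload has to make. Feeding this with live data is a matter of replacing the constructed snapshot with readings from `/proc` or an agent.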
CNAPP (Cloud Native Application Protection Platform):
- Secure CI/CD Pipelines: Monitors code integrity from PR submissions to build deployment, flagging malicious injections.
- Runtime Protection: Identifies and mitigates cryptomining attempts in cloud environments like Google Colab or AWS.
- Dependency Mapping: Tracks software dependencies to detect and block compromised packages during runtime.
What Threat Actor(s) Do We Think Did This?
The attack’s origin points to a user from Hong Kong, but attribution is speculative. Key characteristics:
- Motivation: Likely financially driven (cryptomining is a monetizable activity).
- Tactics: Use of open-source vulnerabilities and subtle PR injections indicates moderate sophistication.
- Possibly a Smaller Group: No signs of advanced nation-state tactics; this aligns more with cybercriminal groups specializing in opportunistic attacks.
What Is the Impact on the Cryptoverse?
1. Erosion of Trust:
- Trust in open-source software is undermined, leading to hesitation in adopting decentralized and collaborative tools.
2. Economic Impact:
- Monero (XMR) and its mining pools face negative publicity, potentially affecting adoption rates.
3. Heightened Security Standards:
- Crypto-focused industries and developers will need to increase scrutiny of dependencies, diverting resources to security rather than innovation.
Anything Else We Need to Know?
- Industry-Wide Implications: This attack demonstrates that even well-respected projects are at risk, urging broader adoption of supply chain security best practices.
- Potential for Data Breaches: If malicious code also exfiltrated private user data, the scope of the compromise could extend beyond cryptomining.
- Call for Action: Developers and organizations must act quickly to mitigate risks, including security audits, user education, and implementation of advanced monitoring solutions like Warden and CNAPP.
Thanks for getting this far in our article. The more people that see this information, the more people we can help. We should share information about criminals and scammers to help protect each other, just like we pick up stray trash and put it in the trash can.
Further Resources about Cyber Strategy Institute:
If you are interested in other analysis, check out our other Medium articles and our In-depth Analysis articles, and for a daily understanding of the Cryptoverse follow our Twitter account. Relying on a dying Cybersecurity model is not a foundation for success; that is what Warden changes for the good!
Warden
It is designed around a Zero Trust model, stopping all known bad and unknown malicious threats. This starts by defending at the kernel level, so that software does not know it has been placed in a sandbox. We call this the “Inception Protection” model, which will not allow any program to impact your systems. No other system on the market can do this today. Protect your digital life, your family, or your organization today with Warden!
If you want a 50% Discount on your purchase, then sign up for our newsletter, and we will send you the code for your support. Just reply to your first email saying you would like a discount.
Cyber Strategy Institute
Medium: https://cyberstrategy1.medium.com/
Twitter: https://twitter.com/CyberStrategy1
X: https://x.com/Warden_Secure
Website: https://cyberstrategyinstitute.com
Protect Yourself, Family or Business Today with Warden!
https://cyberstrategyinstitute.com/personal-protection-warden