Ultralytics PyPI releases shipped cryptominer

The Ultralytics attack began in CI, not in PyPI. The project used a pull_request_target workflow and passed a privileged token into a custom action. That action then evaluated a user-controlled branch name inside a shell command.

The attacker named the branch as a command substitution. When the workflow ran, the branch name fetched and executed a remote shell script from GitHub, turning formatting automation into code execution on a privileged runner.

The attacker used that path to publish compromised PyPI releases. Versions 8.3.41, 8.3.42, 8.3.45, and 8.3.46 carried cryptomining changes, while the public repository did not contain matching malicious source. The package still looked like a normal computer-vision library release to downstream users.

The project cleaned up the releases and GitHub published GHSA-32hc-9xrg-cc9g. The durable lesson is simple: pull_request_target can be safe only when untrusted fork input is kept out of privileged execution.

Motive

Financial Gain

Attribution

Person

Cause

Gha Vulnerability

Transitive

No

Actor

Individual Hacker

• The Ultralytics Supply Chain Attack: How It Happened, How to Preventlegitsecurity.com
• Ultralytics AI Supply Chain Attacksafetycli.com
• PyPI package compromisedgithub.com
• Ultralytics PyPI package compromisegithub.com