A crypto-mining malware attack has been identified in certain versions of the Ultralytics ComfyUI pip package, potentially affecting users on Mac and Linux. The compromised versions, v8.3.41 and v8.3.42, have been found to download and execute a malicious binary on these systems, while Windows users remain unaffected.
What Happened?
The malware downloads a binary file named ultralytics_runner to the /tmp/ directory on Mac and Linux machines, which then executes unauthorized cryptocurrency mining. The issue was first flagged during the use of ComfyUI in conjunction with the ComfyUI-Impact-Pack extension, where suspicious behavior linked to the Ultralytics package was detected.
A deeper analysis revealed the malicious code in the downloads.py file located within the directory: C:\Users\######\AppData\Roaming\Python\Python312\site-packages\ultralytics\uti
This malicious version of the Ultralytics package may have been automatically installed as a dependency of the ComfyUI-Impact-Pack.
How to Remove the Malware
To mitigate the threat:
- Terminate the Process: Kill the /tmp/ultralytics_runner process if it is running.
- Delete the File: Remove the binary file from /tmp/.
- Uninstall Compromised Versions: Ensure you uninstall versions v8.3.41 and v8.3.42 of the Ultralytics pip package.
While the attack appears to be relatively low-sophistication, users are advised to remain vigilant and verify their systems are clean.
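To verify a Mac or Linux host against the three indicators above (running process, dropped file, installed version), the following check can be used. It is an added example, not code from ComfyUI or Ultralytics; the function names and the `ps` invocation are choices made here, and the sample data in its test is constructed.

```python
import os
import subprocess
from importlib import metadata

COMPROMISED_VERSIONS = {"8.3.41", "8.3.42"}  # v8.3.41 and v8.3.42, per the article
RUNNER_NAME = "ultralytics_runner"           # dropped binary name, per the article


def is_compromised(version):
    """True if a version string (with or without a leading 'v') is a listed release."""
    return version is not None and version.strip().lstrip("vV") in COMPROMISED_VERSIONS


def installed_version(package="ultralytics"):
    """Version installed in the current Python environment, or None if absent."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


def find_runner_pids(ps_output, tmp_dir="/tmp"):
    """PIDs in `ps -o pid= -o command=` output whose executable is the runner in tmp_dir."""
    # macOS resolves /tmp to /private/tmp, so match the real path as well.
    targets = {os.path.join(d, RUNNER_NAME) for d in (tmp_dir, os.path.realpath(tmp_dir))}
    pids = []
    for line in ps_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[0].isdigit() and parts[1] in targets:
            pids.append(int(parts[0]))
    return pids


def scan(tmp_dir="/tmp", ps_output=None):
    """Report the three indicators; ps_output can be injected for offline testing."""
    if ps_output is None:
        ps_output = subprocess.run(["ps", "-ax", "-o", "pid=", "-o", "command="],
                                   capture_output=True, text=True, check=False).stdout
    version = installed_version()
    return {
        "installed_version": version,
        "compromised_version": is_compromised(version),
        "runner_file_present": os.path.lexists(os.path.join(tmp_dir, RUNNER_NAME)),
        "runner_pids": find_runner_pids(ps_output, tmp_dir),
    }


if __name__ == "__main__":
    for key, value in scan().items():
        print(f"{key}: {value}")
```

Run it with the same Python interpreter or virtual environment that ComfyUI uses, since the version check only sees packages installed in the environment it runs in.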
What’s Next?
If you’ve been affected or suspect unauthorized mining on your system, it’s essential to:
- Reinstall trusted versions of the package.
- Monitor system resources for unusual activity.
- Stay updated on security patches and advisories for open-source software.
The incident highlights the importance of reviewing dependencies in open-source tools, especially when downloading third-party extensions.
Read more here: https://blog.comfy.org/comfyui-statement-on-the-ultralytics-crypto-miner-situation/