Popular Python Package Becomes Crypto Miner

Views: 36,549

ThePrimeTime

1 day ago

Comments: 113
@xl0xl0xl0 4 hours ago
Ultralytics does vision-related AI stuff, so it's likely the computers infected have GPUs, possibly very powerful ones.
@IAmSamuelCharpentier 2 hours ago
I went to the comments to say that! 😁😁
@JCRineau 2 hours ago
This is a really good point.
@lex_darlog_fun 3 hours ago
15:15 Everything said about CPUs is irrelevant. Ultralytics is a module specifically designed for ML/NN stuff, like LLMs or image generation. So, with a probability of 90%+, the final user has a GPU *and* it's probably a beefy one (maybe even a small GPU cluster) *and* the app this package is used in is intended to utilize this GPU heavily. For example, ComfyUI (one of the two most popular web UIs for Stable Diffusion) had to specifically warn their users about this module being compromised.
@WhalesLoveSmash 6 hours ago
Surprised this sort of thing doesn't happen more often.
@toasterenthusiast6188 6 hours ago
We only know of the ones that get caught
@386enhanced 5 hours ago
because it's extremely fucking obvious when crypto is being mined on your computer.
@asdfqwerty14587 5 hours ago
It's pretty easy to tell when it happens, especially because it can't really do anything without an internet connection to things that it obviously shouldn't have any reason to be connecting to.
@CommanderRiker0 5 hours ago
I'm very certain it does happen more often.
@hanifarroisimukhlis5989 5 hours ago
It does happen often, but many are prevented/caught early due to vigilant scanning and trust mechanisms. I'd say roughly every week there's another NPM/PyPI exploit.
@JohannesMeyer-s5f 4 hours ago
Since this is targeting ML, a lot of the machines that are going to be using this package will have GPUs, which mine at a much better rate. Additionally, if the threat actor has some sort of persistence, there may be a number of machines mining for an extended period of time.
@siddhanthbhattacharyya4206 4 hours ago
So if you ran ultralytics on a hosted GPU service, it's penetrated through those systems as well?
@JohannesMeyer-s5f 3 hours ago
@siddhanthbhattacharyya4206 I could see that being the case
@andythedishwasher1117 5 hours ago
This is what terrifies me about using CI/CD tools someone else built. I know how each step works individually, so I'd rather have control over the syntax for the whole process and know what's happening to my strings at all times. Otherwise crap like this could happen.
@TomNook. 6 hours ago
This is why I never allow Dependabot to auto commit
@bosch5303 5 hours ago
I hate when I see a repo with recent activity, then check the commit history and see that all that happened for the past 3 years is dependabot bumping versions 💀
@black-snow 1 hour ago
Because you fully review every new version before merge? And of course in time to not suffer from known vulns?
@jan.tichavsky 20 minutes ago
@black-snow if you have a high impact repo like this, of course, why wouldn't you?
@TomNook. 6 hours ago
I feel sorry for all the people who have similar names to Jia Tan. Similar to all the women called Karen who are nice
@davidr2421 4 hours ago
Shout-out to all the chill Hitlers out there
@JonnyJKF 5 hours ago
Surprised this doesn't happen daily with NPM and Composer packages, because let's face it, 99% of us PHP and JS devs have never or almost never looked closely at the package source code.
@cowsecurity 5 hours ago
This happens a lot there as well
@hanifarroisimukhlis5989 5 hours ago
NPM? A lot. Composer is less popular, so there's not much incentive to push malicious packages.
@shapelessed 5 hours ago
So you don't inspect the code and postinstall scripts of every NPM module before you install it...?
@test-rj2vl 4 hours ago
Of course I never look - It's my employer's project, not my project.... lol 😆
@jeremybuckets 4 hours ago
@shapelessed I'm sure you read all the Terms and Conditions too
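Added example (not from the video, the thread, or any project mentioned here): the install-script review that @shapelessed alludes to can be automated. npm runs the `preinstall`, `install`, `postinstall` and `prepare` lifecycle scripts declared in each dependency's `package.json` during `npm install`, so a defender can fetch the tree with `npm install --ignore-scripts`, list every install-time hook before any of them executes, and only then decide whether to run them. The script below walks a directory for `package.json` files and reports those hooks; the three packages and their scripts are constructed sample data, not real packages.

```python
import json
import tempfile
from pathlib import Path

# npm lifecycle hooks that execute arbitrary commands during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(root):
    """Walk `root` for package.json files and return a list of
    (package name, hook, command) for every install-time lifecycle script."""
    findings = []
    for manifest in sorted(Path(root).rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or malformed manifest: nothing to report
        scripts = data.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        name = data.get("name") or str(manifest.parent)
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append((name, hook, cmd))
    return findings


def build_sample_tree():
    """Constructed sample node_modules tree (hypothetical package names)."""
    root = tempfile.mkdtemp(prefix="nm-audit-")
    packages = {
        # no install hooks at all: should not be reported
        "harmless-lib": {"name": "harmless-lib", "version": "1.0.0",
                         "scripts": {"test": "node test.js"}},
        # a legitimate-looking native build step: reported, reviewer decides
        "native-binding": {"name": "native-binding", "version": "2.1.0",
                           "scripts": {"install": "node-gyp rebuild"}},
        # a postinstall hook running an opaque script: reported for review
        "suspicious-dep": {"name": "suspicious-dep", "version": "0.0.3",
                           "scripts": {"postinstall": "node setup.js"}},
    }
    for dirname, manifest in packages.items():
        pkg_dir = Path(root, "node_modules", dirname)
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for name, hook, cmd in find_install_scripts(tree):
        print(f"{name}: {hook} -> {cmd}")
```

Pointing `find_install_scripts` at a real `node_modules` after `npm install --ignore-scripts` gives the list of commands that would have run; the tool deliberately reports every hook rather than guessing which are benign, since a `node-gyp rebuild` and a `node setup.js` look alike until someone reads the file.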
@ethernetwink7230 5 hours ago
I'll never feel like I'm wasting time when I do machine learning from scratch again
@maaikevreugdemaker9210 2 hours ago
Don't ever. Don't underestimate what innovations you can or could make doing this.
@BenjaminMaggi 2 hours ago
The second hack was their fault. If you have a supply chain attack, you should immediately rotate your keys. That's common knowledge
@atom32kk 5 hours ago
Never trust software having ultra, mega, etc. in the name :D
@justsomeonepassingby3838 39 minutes ago
I'm not sure analytics is better with that reasoning
@Mykezero 3 hours ago
Scary stuff. I have a healthy fear of third party dependencies and this just reinforces that. Businesses want fast turnaround, so we use these packages instead of building them ourselves and having control. I live in C# land and NuGet packages, but conceptually the same problem can occur. Absolutely terrifying.
@grim.heart8271 55 minutes ago
You are wrong about CPU mining. There's crypto that you can mine with a CPU (Monero). 02:17 Hilarious stuff LMAO
@mmmhorsesteaks 2 hours ago
If it's called something like "ultralytics" and not "pyvision" or "pysee" or "visiPy" or something similarly modest, you know it's not built by serious people.
@oM477o 4 hours ago
If it's targeting an ML library then the kind of PCs it's likely to run on are higher end workstations with GPUs
@cassell1253 5 hours ago
for ultralytics most machines running it will probably have a GPU for ML acceleration
@eldarshamukhamedov4521 4 hours ago
Plot twist: someone injects a crypto miner into zizmor.
@MKTV-1483 4 hours ago
😂😂😂
@Arcidi225 4 hours ago
Fun fact, my laptop had sleeping problems on Windows. You put it to sleep, next day the fans are in jet mode, and the whole thing is hot af. Afaik, it's normal for Windows laptops: you put them to sleep, put them in a bag, and soon after the battery is dead because it didn't sleep and was doing some updates. On Linux, this does not happen. Now, I am not saying that Windows mines crypto while the laptop should sleep, but... It is pretty sus if you ask me. And you wouldn't know, as it is normal behavior.
@mage3690 3 hours ago
I have no idea why so many BigCorp software companies don't just let you pick when you update. Sure, there's a case to be made that far too many systems are vulnerable right now because idiots don't update their shit (and on critical infra, no less, see Low Level's vid), but make it like a once a week on-by-default option that can be completely turned off and runs on Tuesday at noon _local time_ (i.e. a cron job on the local machine that reaches out to the update server). That way you can't get globally Crowdstriked -- at worst, an entire time zone or 3 gets Crowdstriked, and there's probably a local sysadmin on the job that can roll things back quickly.
@black-snow 1 hour ago
There was a thorough analysis of this (some Intel deep sleep state issues IIRC) on Tom's or something.
@persistentbake9041 29 minutes ago
Most companies' build pipelines are shot and never really tested
@DivyanshuSinghaniaCS 6 hours ago
man you need to make a series where you explain all this for those who might still be in college. I use GitHub only for projects and pushing my code, I want to learn more but learning from these sounds just much more fun. For example the way you applauded the way the person attacked, I understood nothing. Could you make a series to explain these videos on a more fundamental level and also educate about the tech used, ppplllzzzzzz, it doesn't need to be every detail, just the attack would also be OK to know and quench my thirst
@AI-xi4jk 3 hours ago
Ultralytics should spend more time improving code and documentation rather than putting emojis everywhere they can. Really, search how to load a model onto multiple GPUs. You can't, and the documentation is vague. But start running the model and you get emojis for days. I'm not talking about other dubious decisions like installing missing packages into your environment without asking. Guys need to get a bit more serious. Good ML models though.
@HienLeGia 1 hour ago
When a Master's/PhD degree in Programming can't give you that one Lambo in your dream...
@Hex... 47 minutes ago
You missed the key point at the end that it's a machine learning package, so it's very very unlikely to be used on "an average CPU" and far more likely to be on GPUs
@daliborilic5358 3 hours ago
The whole of the internet is held up by toothpicks and tape...
@black-snow 1 hour ago
As is anything nowadays.
@ksk31337 5 hours ago
there are coins that are CPU-only minable, e.g. Monero. Its algo is designed so that a CPU is already the most effective silicon to implement it, or so that is what I understand of it..
@elorrambasdo5233 4 hours ago
It also doesn't matter if it's not "optimal". The cost is what you pay in power, which is nothing if you are using someone else's electricity
@Arcidi225 4 hours ago
@elorrambasdo5233 yup. It might cost 1000 dollars of electricity to mine 5 dollars of crypto. The guy who gets these 5 bucks doesn't care, as he is literally stealing from you. Similar thing with cars: new cars are expensive, but thieves get 1% of this value. Guess what, they are still doing it.
@JohnLovell-FTW 5 hours ago
Toothpicks and Tape. FTW!
@hypermiraclepositivegirl2415 4 hours ago
This is my judgement for using Python
@arshiaa104 2 hours ago
VODs are back?
@tomasvanagas4957 59 minutes ago
They installed a Monero miner. Monero is mined by CPU
@LikaFif 5 hours ago
Crypto insights like this are always appreciated - great work! Not fully relevant, but I wanted to ask: my OKX wallet holds some USDT, and I have the seed phrase. (blood frost vague mom crop midnight innocent avoid human spin grace hurdle). How should I go about transferring them to ByBit?
@Dratchev241 3 hours ago
Jia Tan is that you?
@BORNINSPACE 4 hours ago
Was playing with ultralytics and saw this video 😅
@maddsua 4 hours ago
Why is the bro so bouncy
@Spiker985Studios 4 hours ago
He's literally sitting on an exercise ball 😅
@toshibe2805 4 hours ago
@Spiker985Studios unf~
@TheCorruptedClan 6 hours ago
So maybe I missed it, but how did they find this malicious code? I heard user reporting, but I'm wondering how someone noticed it
@antolepage26 5 hours ago
From a news article: "The project maintainer, Glenn Jocher, confirmed on GitHub that the two versions were infected by malicious code injection in the PyPI deployment workflow after reports emerged that installing the library led to a drastic spike in CPU usage, a telltale sign of cryptocurrency mining."
@valentinrafael9201 5 hours ago
Uhm, if someone is doing AI stuff, they will watch their god damn resources lol. Which makes it even weirder to do, because it's a hard thing to NOT notice. CPU usage or GPU usage goes high or higher than usual, instantly goes to GitHub issues
@TJackson736 4 hours ago
@valentinrafael9201 I am surprised they didn't try to target downtime to do the mining. Have the malicious code only mine when the computer is idle.
@m1natoh1nata 1 hour ago
It's the opposite: you make more money per kW mining with a CPU than with a GPU. There are also fewer crypto coins to choose from (really it's only etica/zeph, and then you trade that into Monero when the price goes up). Making $5-10 would only take 8-20 CPUs, and those few dollars today could be worth thousands in the future. Now imagine you mine one month undetected, that's 6 figures potentially
@ShamanicArts 5 hours ago
It's probably mining Monero, which is designed to be mined on the CPU as far as I understand
@siddhanthbhattacharyya4206 4 hours ago
But it's a computer vision related package, wouldn't it go straight for the GPU?
@daylight8296 1 hour ago
thank goodness, I hated these guys and their license rules
@mmmmfh 47 minutes ago
gingerbill right again
@CapaciousCore 3 hours ago
Man is always the weakest link in this game, I'm not surprised ¯\_(ツ)_/¯ It's just a good attempt at a proof of concept
@NoPegs 6 hours ago
WoopWoop! =3
@charbelsarkis3567 5 hours ago
Rizzmor
@gatsdev 3 hours ago
why does your voice sound so bad, normally it is so cool, you good?
@tugaric 3 hours ago
Lmao the guy deserves it
@kurt7020 4 hours ago
This is why Rust is often sketchy. Great language, but it's also very dependency hungry. A simple "idiomatic" CLI using popular crates can pull in a hundred dependencies.
@jacekleszczynski7361 6 hours ago
Impressive job to add a crypto miner to a Python lib from an international company ☠
@carnap355 3 hours ago
nice
@TheCorruptedClan 6 hours ago
Look at me being first.
@Monster_Rancher 6 hours ago
this the new poe2 channel?
@TheCorruptedClan 6 hours ago
@Monster_Rancher no idea what that is
@Monster_Rancher 1 hour ago
@TheCorruptedClan meant poe2*, cuz he's been playing poe2 all day.
@JG-nm9zk 1 hour ago
It's not numpy. Don't care.
@charbelsarkis3567 5 hours ago
You play Age of Empires
@Roricsseal 1 hour ago
Crypto is cringe.
@NotMarkKnopfler 4 hours ago
Meh. Who cares. Python is a toy! 🏴‍☠
@danielmelo389 6 hours ago
Python is 💩💩💩
@fus3n 5 hours ago
☝🤓
@putnam120 5 hours ago
Why
@yalnisinfo 5 hours ago
it is just another tool bro, yeah sure you can use a dedicated screwdriver with most capabilities, but sometimes your hand is easier to manage to screw the screw 😂
@danielmelo389 4 hours ago
@putnam120 Maybe it's just me, I hate it every time I'm assigned to fix some product and see try: 1000 lines except: 300 lines, including other tries, excepts, and tries and excepts, and tries, and excepts.... and the interpreter says "all good to me", ready to ship, but then when you want to use a constant or a global value it's all considered war crimes, even enums in Python are 💩
@putnam120 4 hours ago
@danielmelo389 this seems like an issue with how someone wrote the code. And sure, the opinion on enums is a valid language level complaint.
@ProDoc18 3 hours ago
Crypto miner. 🐯