TechTarget published a blog post on December 6 reporting that Ultralytics’ YOLOv11 AI model suffered a supply chain attack: versions v8.3.41 and v8.3.42 had crypto-mining software implanted in them.
As of the time of writing, Ultralytics has not issued a formal security announcement, but the company has responded quickly, removed the two affected versions and released a new version.
The issue was first discovered by developer Metrizable, who found the poisoned code while comparing the Ultralytics PyPI package and the GitHub repository and reported the suspicious activity in a GitHub post.
Another developer named “Skillnoob” (who appears to be affiliated with Ultralytics) responded to the reports and urged users to uninstall version v8.3.41, confirmed that the PyPI package had been compromised, and confirmed that version v8.3.42 was also found to have the same problem.
Ultralytics has removed versions v8.3.41 and v8.3.42 from PyPI and confirmed that v8.3.40 and earlier are safe.
Ultralytics CEO Glenn Jocher said the problem stemmed from malicious code injection in the PyPI deployment workflow, and confirmed that automatic deployment has been suspended pending investigation.
Ultralytics released YOLO v8.3.43 and v8.3.44, stating that the issue had been resolved, but did not publicly describe the attack.
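The discovery described above came from comparing what was published on PyPI against the source in the GitHub repository. The script below is an added illustration of that defensive check, not code from the article or from Ultralytics: it flags the two version numbers the report names as compromised, and it hashes two directory trees (a source checkout and an unpacked distribution) to list files that were added, removed or modified between them. The package name `demo_pkg`, the file names and their contents are constructed for the demo and are not the real ultralytics layout or the real injected code.

```python
import hashlib
import tempfile
from pathlib import Path

# Versions the report says were pulled from PyPI after the compromise.
COMPROMISED_VERSIONS = {"8.3.41", "8.3.42"}


def normalize_version(version: str) -> str:
    """Strip a leading 'v' so 'v8.3.41' and '8.3.41' compare equal."""
    return version.strip().lstrip("vV")


def is_affected(version: str) -> bool:
    """True if the given version is one the report names as compromised."""
    return normalize_version(version) in COMPROMISED_VERSIONS


def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_trees(source_root: Path, package_root: Path) -> dict:
    """Compare a source checkout against an unpacked distribution.

    Returns files present only in the package (added), only in the source
    (removed), and present in both with differing content (modified).
    A distribution built from a clean tag should show nothing added or
    modified under the package directory; anything else deserves a look.
    """
    src = hash_tree(source_root)
    pkg = hash_tree(package_root)
    return {
        "added": sorted(set(pkg) - set(src)),
        "removed": sorted(set(src) - set(pkg)),
        "modified": sorted(p for p in src.keys() & pkg.keys() if src[p] != pkg[p]),
    }


def _write(root: Path, rel: str, text: str) -> None:
    """Helper: create a file (and parent directories) under root."""
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)


def demo() -> dict:
    """Build two constructed directory trees and diff them.

    File names and contents are made up for illustration only; they are
    not the real ultralytics package layout or the real injected code.
    """
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "git-tag-checkout"
        package = Path(tmp) / "pypi-sdist-unpacked"

        # Constructed "clean" tree, as if checked out from the release tag.
        _write(source, "demo_pkg/__init__.py", "__version__ = '8.3.41'\n")
        _write(source, "demo_pkg/model.py", "def load(): return 'model'\n")

        # Constructed "published" tree: one file altered, one file added.
        _write(package, "demo_pkg/__init__.py",
               "__version__ = '8.3.41'\nimport demo_pkg.extra\n")
        _write(package, "demo_pkg/model.py", "def load(): return 'model'\n")
        _write(package, "demo_pkg/extra.py", "# file absent from the source tag\n")

        return diff_trees(source, package)


if __name__ == "__main__":
    print("v8.3.41 affected:", is_affected("v8.3.41"))
    print(demo())
```

In practice the two roots would be a `git checkout` of the release tag and the contents of the sdist or wheel downloaded from PyPI (`pip download --no-deps --no-binary :all: <package>==<version>`, then unpack it); generated files such as `PKG-INFO` will legitimately show up as added, so the interesting findings are modified or unexpected `.py` files inside the package directory.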
Introduction to Ultralytics YOLO AI Model
Ultralytics YOLO is an advanced visual AI model developed by Ultralytics. It is designed to be efficient and easy to use, helping professionals in computer vision and machine learning build accurate object detection models.
YOLO (You Only Look Once) is a real-time object detection system. Ultralytics has developed a series of YOLO models based on it, including YOLOv5, YOLOv8 and the latest YOLOv11, continuously improving their performance and functionality.