Slide 10 of 29
Part 2 · Types
Slide 10 · Attack Type 2 of 6 — Poisoned Build Pipeline
Don't poison the package. Poison the machine that builds it.
Confirmed Incident · Dec 4–7, 2024 · Documented by PyPI & ReversingLabs
Ultralytics YOLO — Compromised CI/CD Ships a Cryptominer
No CVE · Root cause: GitHub Actions script injection · Affected v8.3.41, 8.3.42, 8.3.45, 8.3.46

The target: Ultralytics ships YOLO, one of the most widely used computer-vision libraries — millions of downloads.

The attack: the attacker never got a line of code merged. They opened pull requests whose branch names carried a shell payload, exploiting a script-injection flaw in the project's GitHub Actions workflow: the branch name was interpolated with `${{ ... }}` straight into a `run:` step, so the workflow executed it with the repository's own privileges, with no maintainer approval needed. From there the attacker controlled the release pipeline, and the wheels published to PyPI for the affected versions contained code that was not in the tagged source on GitHub. After the first two bad versions were pulled, two more appeared three days later.
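
The mechanism described above, as an added example (not code from Ultralytics or from this deck): a small linter that flags the script-injection shape, attacker-controlled event data interpolated into a `run:` step, and shows the fix of routing the value through `env:` so the shell receives it as data rather than as script text. The two workflow snippets inside it are constructed for illustration and are not the project's real workflow; the list of untrusted contexts follows GitHub's published guidance and is not exhaustive.

```python
"""Lint GitHub Actions workflows for the script-injection pattern behind this
incident: attacker-controlled event data interpolated with ${{ ... }} straight
into a `run:` step. Added example; the sample workflows are constructed."""
import re
from typing import Dict, List, Tuple

# Expression contexts whose value is chosen by whoever opens the PR, issue or
# comment. Drawn from GitHub's guidance on untrusted input; not exhaustive.
UNTRUSTED_CONTEXTS = (
    "github.head_ref",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.head_commit.message",
    "github.event.head_commit.author.name",
    "github.event.head_commit.author.email",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")      # ${{ expression }}
RUN_RE = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")   # a step's run: key
PRIVILEGED_TRIGGER_RE = re.compile(r"^\s*pull_request_target\s*:", re.M)


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def run_lines(workflow: str) -> List[Tuple[int, str]]:
    """(line_number, text) for every physical line that belongs to a run:
    value, following YAML block scalars (`run: |` / `run: >`)."""
    lines = workflow.splitlines()
    out: List[Tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        value = m.group(1).strip()
        if value.startswith(("|", ">")):
            # Block scalar: body is every following line indented deeper than
            # the `run` key itself; blank lines inside the block are allowed.
            base = lines[i].index("run:")
            i += 1
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > base):
                out.append((i + 1, lines[i]))
                i += 1
        else:
            out.append((i + 1, value))
            i += 1
    return out


def find_injections(workflow: str) -> List[Tuple[int, str]]:
    """(line_number, expression) for each untrusted context used inside run:."""
    findings = []
    for lineno, text in run_lines(workflow):
        for expr in EXPR_RE.findall(text):
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                findings.append((lineno, expr))
    return findings


def audit(workflow: str) -> Dict[str, object]:
    """Findings plus whether the workflow runs with secrets on fork PRs."""
    return {
        "privileged_trigger": bool(PRIVILEGED_TRIGGER_RE.search(workflow)),
        "injections": find_injections(workflow),
    }


# Constructed sample (not the project's file): the branch name is dropped into
# shell text, and pull_request_target runs that shell with repository secrets.
VULNERABLE = """\
name: format
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Report branch
        run: |
          echo "Formatting branch ${{ github.head_ref }}"
          git fetch origin ${{ github.event.pull_request.head.ref }}
"""

# Constructed fix: the same value passed through an environment variable, so
# the shell receives it as data rather than as part of the script.
HARDENED = """\
name: format
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Report branch
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Formatting branch $HEAD_REF"
          git fetch origin "$HEAD_REF"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit(wf))
```

Run it over `.github/workflows/*.yml`. A hit in a workflow triggered by `pull_request_target` is the dangerous combination, because that trigger runs with the base repository's secrets on a pull request from a fork, so nobody has to approve anything for the payload to execute. Note that the hardened version still references `github.head_ref`, in `env:`; that is the intended fix, and the linter correctly stays quiet about it.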

The payload: an XMRig cryptominer that mined Monero on every machine that installed and loaded the trusted package. Each bad version sat live on PyPI for hours before it was removed.

Takeaway: the code on GitHub looked clean and the maintainers were legitimate. The compromise lived in the build pipeline — a part of the supply chain almost no consumer audits.
The Defense This Would Have Stopped

Signed builds and reproducible release verification (Part 4): if consumers require the published artifact to match a build that can be reproduced from the tagged source, a pipeline that silently adds a miner produces a wheel that does not match. The caveat a practitioner should keep in mind: a signature or provenance attestation issued by the compromised pipeline itself still verifies, because the pipeline signed exactly what it built. What exposes the tampering is comparing the artifact against an independent rebuild of the source, or at minimum checking that the published wheel's contents match the tagged repository. The narrower fix at the source is to never interpolate attacker-controlled context such as `github.head_ref` into a `run:` step, and to treat any `pull_request_target` workflow as code that runs with full repository secrets on behalf of strangers.

Next → When the model file is the weapon