Ultralytics Suffers Supply Chain Attack: A PyPI Security Incident Analysis
The Python project Ultralytics recently suffered a supply chain attack. Attackers compromised the project's GitHub Actions workflows and stole a PyPI API token, resulting in tainted versions 8.3.41, 8.3.42, 8.3.45, and 8.3.46. The attack didn't exploit a PyPI vulnerability but targeted the GitHub Actions cache. PyPI, leveraging Trusted Publishing and Sigstore transparency logs, quickly identified and removed the malicious software. The incident highlighted shortcomings in API token and GitHub environment configurations. The article stresses securing software forges and build/publish workflows, providing developers with security recommendations: using Trusted Publishers, locking dependencies, avoiding insecure patterns, and enabling multi-factor authentication.