https://github.com/ultralytics/ultralytics/issues/18027
Supply chain attack that added a cryptominer to a Python package, using a shell command in a git branch name against a vulnerable CI pipeline.
Comments
https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection
Ultimately, it is ridiculously hard to build a secure workflow that runs against code from an untrusted source (pull_request_target considered dangerous).
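The sink the title describes (a pull-request author's branch name expanded into a CI shell step) and the trigger the comment mentions, as an added example that is not part of the original post, the Ultralytics repository or zizmor: a small dependency-free scanner that flags `run:` steps expanding attacker-controlled expressions, run over a constructed vulnerable workflow and a constructed fix that passes the value through an environment variable instead.

```python
# Added example (not Ultralytics' or zizmor's code): flag untrusted ${{ }} expressions
# expanded inside `run:` scripts, the injection sink the issue title describes.
import re

# Expression contexts a pull-request author controls: branch name, title, body.
UNTRUSTED = re.compile(r"github\.(head_ref|event\.(pull_request\.(head\.ref|title|body)"
                       r"|issue\.(title|body)|comment\.body))")
EXPR = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
RUN_LINE = re.compile(r"^(\s*)-?\s*run:\s*([|>][-+]?)?\s*(.*)$")

# Constructed workflow: branch name and PR title are spliced into the shell script.
VULNERABLE = """\
on: pull_request_target
jobs:
  fmt:
    steps:
      - run: |
          git fetch origin ${{ github.head_ref }}
          echo "Formatting ${{ github.event.pull_request.title }}"
"""
# Constructed fix: the value reaches the shell as an env var (data), not as script text.
HARDENED = """\
on: pull_request
jobs:
  fmt:
    steps:
      - env:
          HEAD_REF: ${{ github.head_ref }}
        run: git fetch origin "$HEAD_REF"
"""

def uses_pull_request_target(text: str) -> bool:
    """Heuristic for the trigger that hands repository secrets to untrusted PR code."""
    return re.search(r"\bpull_request_target\b", text) is not None

def scan_workflow(text: str) -> list:
    """Return (line_no, expression) for untrusted expressions inside run: scripts."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m, i = RUN_LINE.match(lines[i]), i + 1
        if not m:
            continue
        body, indent = [(i, m.group(3))], len(m.group(1))
        while m.group(2) and i < len(lines) and (not lines[i].strip()      # block scalar:
                or len(lines[i]) - len(lines[i].lstrip()) > indent):      # more-indented lines
            body.append((i + 1, lines[i]))
            i += 1
        for no, line in body:
            findings += [(no, e) for e in EXPR.findall(line) if UNTRUSTED.search(e)]
    return findings
```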