The popular ComfyUI community plugin Impact-Pack has recently been reported to have a serious security vulnerability: attackers injected a cryptocurrency-mining virus into its dependency, the Ultralytics package (versions 8.3.41 and 8.3.42).

Because Impact-Pack is a plugin that almost every user installs, many people may have been affected. The virus, delivered through the modified Ultralytics package, automatically downloads and executes malicious programs and connects to a suspicious mining pool address (connect.consrensys.com:8080) to mine. It runs quietly in the background, consumes significant system resources, and can delete its own executable files to evade detection.


At present it is unclear how the attackers carried out the compromise, and there is no clear evidence that other packages were affected in the same way. Some developers suspect the incident may be related to an insider leak. Fortunately, the problem is limited to the Ultralytics package published on PyPI (the official Python package repository): users can install the dependency directly from GitHub instead, or use the fixed version 8.3.43.

Given how stealthy this virus is, the official advisory recommends that all affected users immediately uninstall the problematic plugin and dependency packages and run a system security scan to make sure the malicious files are removed. Users should also be careful when choosing plugin sources and follow official announcements to avoid similar attacks in the future.
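The following script is an added example for this advisory, not code from ComfyUI, Impact-Pack or Ultralytics. It checks whether the Ultralytics package installed in the current Python environment, or a pin in a requirements file, is one of the two PyPI releases named above, and prints the remediation the advisory describes. It assumes the package is installed under its PyPI name `ultralytics`; the sample requirements text is constructed for the demonstration.

```python
"""Flag the two compromised Ultralytics releases in an environment or requirements file.

Added example for this advisory; not project code. Assumptions: the package is
installed under its PyPI name 'ultralytics', and the affected/fixed versions are
exactly the ones the advisory names.
"""
from importlib import metadata
import re

PACKAGE = "ultralytics"
AFFECTED_VERSIONS = {"8.3.41", "8.3.42"}   # releases reported as compromised
FIXED_VERSION = "8.3.43"                   # first clean release per the advisory

# Matches a simple "name==version" pin; comments and other operators are ignored.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)")

# Constructed sample requirements file (not from any real project).
SAMPLE_REQUIREMENTS = """# constructed sample
torch==2.1.0
ultralytics==8.3.42
numpy==1.26.4
"""


def is_affected(version: str) -> bool:
    """True if `version` is one of the compromised PyPI releases."""
    return version.strip() in AFFECTED_VERSIONS


def installed_version(package: str = PACKAGE):
    """Return the installed version string, or None if the package is absent."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


def affected_pins(requirements_text: str, package: str = PACKAGE):
    """Return requirement lines that pin `package` to a compromised release."""
    hits = []
    for line in requirements_text.splitlines():
        m = _PIN_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        if name == package and is_affected(m.group(2)):
            hits.append(line.strip())
    return hits


def recommendation(version) -> str:
    """Map an installed version to the advisory's remediation advice."""
    if version is None:
        return "not installed"
    if is_affected(version):
        return (f"COMPROMISED ({version}): uninstall the package, run a system "
                f"security scan, then reinstall {PACKAGE}=={FIXED_VERSION}")
    return "not an affected release"


if __name__ == "__main__":
    print(f"{PACKAGE}: {recommendation(installed_version())}")
    for line in affected_pins(SAMPLE_REQUIREMENTS):
        print(f"affected pin in requirements: {line}")
```

Run it inside the Python environment ComfyUI uses (the embedded interpreter on portable installs), since `importlib.metadata` only sees packages installed there. A pinned requirements check is included because a clean reinstall would reintroduce the compromised release if a lock file still pins 8.3.41 or 8.3.42.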

Source: https://comfyui-wiki.com/en/news/2024-12-05-comfyui-impact-pack-virus-alert