#[SECURITY] Supply Chain Attack via CI compile, invokeai as a distribution for malicious interpreter

1 messages · Page 1 of 1 (latest)

tawny rose
#

High confidence indicators of compromise:

  1. File location:
    C:\Users[Redacted]\AppData\Roaming\uv\python\cpython-3.12.9-windows-x86_64-none\python.exe
  2. SHA256:
    22D4C91325660C46C242F0D66D2FF34FF7B65DAD7E17277E0535796B018446F0
  3. Authenticode:
    Not signed. Official CPython binaries are signed.
  4. AV detections observed:
    Kaspersky: Trojan-PSW.MSIL.Stealer
    McAfee: Artemis!F111A311D45A
    BitDefender: Gen:Variant.Lazy.84273
    ESET: MSIL/Spy.Agent.DFO
    Symantec: Trojan.Gen.2
  5. Resources:
    20+ embedded .ico resources inside python.exe. This is atypical for legitimate interpreters and consistent with a packed or tampered binary.
  6. Build provenance artifact:
    Embedded PDB path references the default Windows GitHub Actions account “runneradmin,” indicating CI compiled origin rather than an official release build.
  7. Network and host behavior observed:
    • Outbound beacon attempts to Microsoft owned domains.
    • Local lateral movement indicators including an attempted connection to 192.168.0.20.
    • RPC binding activity on port 135. ESET terminated a PowerShell process that was sending malicious content over localhost toward the internal network.
    • Browser targeting: droppers wrote .ico payloads into Firefox cache under AppData. This appears designed to stage execution through cached icon loads.
    • Widespread contamination: every .pycache and .venv directory that executed with the trojanized interpreter showed modification.
    • One GUID named artifact was quarantined by ESET but could not be deleted on first attempt.
#

Environment notes:

  • Windows 11 host.
  • Trigger was the InvokeAI update path that fetches uv and then a Python runtime. The affected session was subsequently taken fully offline for analysis.

Minimal steps to reproduce for your team:

  1. Run the InvokeAI updater that invokes uv to provision Python.
  2. Inspect the resulting python.exe in the uv managed path shown above.
  3. Verify absence of a valid Authenticode signature.
  4. Compute SHA256 and compare with the hash provided here.
  5. Inspect file resources for abnormal .ico count.
  6. Extract strings or PDB data to confirm “runneradmin” provenance.
  7. Execute in a contained environment and observe network attempts, RPC activity on 135, and writes into %AppData%\Mozilla\Firefox\Profiles[...]\cache folders. Also observe writes across local .pycache and active .venv directories.
gentle otter
#

@tawny rose possibly related?

#creator-chat-archived message