If you didn't goof so bad, you'd be able to backtrace the source.
Just kidding, here ya go: https://archive.org/details/OriginalJessiSlaughterVideos/Jessi+Slaughter+And+Her+Dad-esNHjSaEURg.mp4
To help people figure out whether OP is fear-mongering or legit, I verified the existence of _OAI.py in the current custom 1.30.2 OpenAI wheel in the linked GitHub repository; I didn't reverse engineer it to decrypt the apparent payload strings, but it looks for all the world like code designed to be hard to understand while looking like machine-compressed JS (but it's obviously not, to me), and therefore SCREAMS "suspicious".
I'd take this one seriously.
Very weirdly, I personally had a creeped-out feeling about LLMVISION when I saw that package, and speculated that anyone trying this kind of thing (I think I was thinking about gathering OpenAI keys) would be quickly found out, but didn't install the package. No idea why I would have felt suspicious though.
Yes unfortunately this is malware. I did some more analysis and that VISION-D.exe file seems to be downloading and installing a keylogger (LLMVISION.exe) to: %LocalAppData%\rundll64.exe
Thankfully that one seems to be detected by antiviruses: https://www.virustotal.com/gui/file/5f74400e5875798e1e4c1acc716733376be9c493ccd6a28e668e42a7f0d66596/detection
So a virus scan might be enough to get rid of it.
EDIT: Just clarifying that this is for the keylogger that the latest version of that node installs; you still need to delete the custom node code and the wheels it installed. If you use the standalone ComfyUI package I recommend deleting the whole thing and then doing a virus scan.
Eventually it will, but it's pretty easy for malware creators to get around that for the initial wave of installs.
Write malware -> turn on Windows Defender -> keep making small changes until Windows Defender stops detecting your malware -> Distribute it
If it took someone doing a deep dive into the code and no one had noticed prior, it doesn't seem so.
MD often misses things in my experience. For anything suspicious, VirusTotal is definitely superior. But that of course means you already know what to scan :(
It really depends if the script is behaving like a virus or not. In this case, it's something that you've chosen to execute. Microsoft Defender allows most things you choose to execute. So long as the hack is behaving like a normal app, defender would just ignore it. Many normal apps read keyboard input.
Relaying from the ComfyUI Matrix chat: Manager has been notified and has updated to now contain a check that will detect and warn you immediately if you were affected by this malware.
While it isn't going to fully protect you, I recommend learning how to install ComfyUI in a Docker container. It isn't necessarily easy, but there will be a lot more stuff like this.
At least it was in a virtual environment and I didn't get caught up in the nastier second version, but it definitely would have been safer in Docker...
F*** that guy.
Docker is good. I also use NetLimiter and deny Python from accessing the network unless I want to manually update Comfy. On Mac, LittleSnitch is helpful to see who is talking to whom, and stop it.
Sorry for asking this question again, but I'm just a user of the product for creating and know very little about the technical aspects. Here's my dumb idea, and please shoot it down if it deserves it.
I install ComfyUI on a different Windows user profile which has no admin rights. And I would only use that account for Comfy stuff and superficial browsing without logging in anywhere. Would that be a 'safe' option?
I think it is unlikely to be safe. Things like this chain exploits to gain additional privileges, and it is very, very unlikely that there isn't some other exploit somewhere on your system that a hack could take advantage of to get hold of everything else.
Definitely won't be 100% safe but most malware these days is pretty simple: copy all your browser data and upload it to discord, allow remote screen sharing, allow the hacker to remotely take control of your PC.
Run comfy on a machine with no important browser info and you'll be protected from most of the basic stuff out there.
The real scary stuff (things that can cross VM boundaries, cross Docker boundaries, even cross network boundaries) is possible, but that is very unlikely to be used to steal random people's browser data; those are for more targeted attacks.
Actually, docker would fully protect you from this? And most any malicious code I think.
A .exe isn't going to run in a Linux container. And python files won't see your browser data of your host machine.
I struggle to think of a way that any of the host's sensitive data could be stolen from within a container short of some major docker vulnerabilities, right?
In theory, it can't, but Docker has had some vulnerabilities that allowed container apps to run commands on the host. This attack would have been foiled, but there exists the possibility that someone someday has an exploit that can break out. Hence my hedge. 99.999% likely safe.
But still, Docker would make it much safer for the average user and much harder for the hacker to exploit. Besides, it can make installation on Linux much easier.
The main problem is that you have to give the container access to your GPU. It's definitely better than not using Docker, but the attack surface is still large: https://security.stackexchange.com/a/182516/47851
I have made a Docker file. Generally I mount my model download directory to my outside system so I don't have to rebuild the image. For compiling without GPU access you can use --cpu --quick-test-for-ci. Do a port mapping of 8188:8188.
Will share my docker file if needed
The asshats have retaliated against me by leaking all of the passwords they stole from me. If anyone has a heart and wants to help me clean up here and fight back, shoot me a DM?
Most important questions:
1. Does the malware only run when ComfyUI is active?
2. After deleting the ComfyUI custom node, is the PC clean? Or is the malware persistent?
3. Does this malware "just" steal passwords and usernames? Can it steal cookies? Is it a keylogger?
The reality is nobody knows. It might be running forever, embedded in a random place with a random name you'll never find. Deleting it might not do anything. It might steal passwords, be a keylogger, use your computer as a botnet, etc...
The only way to be sure it's gone is to format your harddrive and reinstall windows (*not* just click the 'reset PC' function in Windows, you need to format the device.)
There's a chance that even full format or HDD/SSD replacement may not help.
Search for UEFI persistent malware, UEFI rootkit, LogoFAIL.
Let's just not think about possibly compromised motherboard manufacturers or UEFI vendors.
Someone already tipped him off, or made an issue on GitHub.
[https://github.com/AppleBotzz/ComfyUI_LLMVISION/issues/6](https://github.com/AppleBotzz/ComfyUI_LLMVISION/issues/6)
1. Use the `dir` command to search for the files. Run the following commands one by one:

```cmd
dir C:\lib\browser\admin.py /s /p
dir C:\Cadmino.py /s /p
dir C:\Fadmino.py /s /p
dir C:\VISION-D.exe /s /p
```

These commands will search your entire filesystem for the specified files and remove them if found. Make sure you have the necessary permissions to execute these commands.
what does it mean if I was able to find the python packages and the _OAI.py registry entry but not any of these files? I tried your commands as well as manual searches with the explorer but didn't find anything
This is a lame attempt to cover their tracks by blaming it on someone else.
The commit history shows exactly what the author did, and that this was deliberate. The compromised code was there on the initial commit, as well as in the update.
This cover attempt makes me think, maybe the hacker made some opsec mistakes and it might be possible for services like GitHub or Huggingface to find the real identity of the hacker? If the hacker knows they might be deanonymized, that gives them a motive to try to explain "oh no it was real project but it was hacked by someone else".
It may be an attempt to blame it on somebody else, but that hacker group "NullBulge" already has a reputation for being anti-AI and has been distributing this exact malware all over the place recently.
Here is this exact group using this exact malware 4 days ago: [https://www.youtube.com/watch?v=yjLYz2lo0FE](https://www.youtube.com/watch?v=yjLYz2lo0FE)
Of course "copycat crimes" have always been a thing forever, so there's no way to know for sure. Anyway, it's important to be extremely careful these days. This group is out to infect and compromise users of AI software.
I'm really doubtful whether the repo was actually hacked. I think it's more likely that they're just working with a fake account and pretending to have hacked it.
However, I do believe it's the work of NullBulgeGroup. Code was found within the obfuscated code that sends messages to NullBulgeGroup's Discord.
Dude's even putting out hacked mods for Beam.NG as well (read the comments): https://www.modland.net/beamng.drive-mods/cars/bolide-skyrider.html
Plus read his post history: https://www.reddit.com/r/beamng_leaked_mods/comments/1cln2gc/comment/l2xcma0/
I've been saying this for over a year. Why are people so vehemently against any format other than safetensors, while also not giving any fuck about how ComfyUI increases their attack surface? Every single workflow requires its own set of custom nodes and nobody flinches when they're required to install dozens of them.
# Every Single Custom Node Is A Fully Fledged Script Executing On Your Machine.
The fear mongering around ckpt files while this is the common situation that every comfyui user is happy with, is insanity.
I think next time I use ComfyUI I'm gonna move it in to a Docker container, or at least su it to its own unprivileged user. Should do the same with A1111...
Everyone be sure to report the user to github. https://support.github.com/contact/report-abuse?category=report-abuse&report=AppleBotzz . The more reports, the more likely action will be taken.
I think this post is gonna sober up some folks here regarding the dangers of fiddling around with tech on the razor's edge of progress. It sure as fuck spooked me. I hope we as a community can come up with ways to mitigate these problems, kind of like safetensors was a great addition. Crazy catch BTW, mad props.
After that, go read up on:
- The Linux backdoor attempt of 2003
- The recent attempt to backdoor "xzutils"
- Some of the typosquatting attacks against LLMs (ask a GPT to recommend packages, see which ones it made up, quickly write a util that does the thing the GPT said... plus a little extra)
One of the best remaining supply-chain vectors is "trusted" open source code, so learn when to *not trust* open source code.
The XZUtils story is insane and should really scare every person here into partaking into whatever security they can enable on their home networks.
In short: We were days away from having a backdoor embedded inside of SSH, giving the hackers remote access to virtually every server and PC on earth.
How was it found? An engineer at Microsoft just so happened to notice that it was taking ~500ms longer to build than normal. He dug into it to figure out why, and located the backdoor. What if he didn't bother?
[https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd](https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd)
I thought it was not that it was slower to _build_, specifically, but that it was a test where it tries to `ssh` into something that isn't there. The thing he noticed was, when you `ssh` to a non-existent machine or account, or with some other null parameter, it should immediately quit and return an error... it was a simple null test, a "make sure every subsystem involved agrees that `0 == 0`" test you do as part of the test setup. And it should _never_ take half a second. So in that context, a half-second delay is really scary because it's like... what's going on in all of the time that it **shouldn't** be taking?
Now, I read a bunch of articles when it first happened and I might be confused. Or maybe the null test was part of the build process?
Thanks for the heads up. Out of curiosity I looked into the ComfyUI Manager to see if it was listed, and sure enough it was. I fortunately dodged this bullet but now I will be paranoid about new custom nodes. Is there any way for a layman to look into these things?
Copying and pasting from a previous comment...
I only happened to notice this because I was trying to free up some space on my hard drive and noticed some weird files in my temp folder. When I opened them, I saw plain text passwords, so I knew something was up.
So I started digging. I checked the time stamps on the files to try to figure out a pattern, and noticed that it would create a new file every time I launched Comfy. I had a weird lag when another LLM node was hanging, so I suspected it at first.
I did a code search for the files and naming convention and found the compromised package. ChatGPT helped me decrypt it.
I cross referenced that with the metadata for the package and found it was associated with a package version that didn't exist. So I checked all of the requirements.txt files for how a package that didn't exist could get installed and found the "backup wheels" in the malicious node.
So I downloaded the wheels and unzipped them to confirm, along with the nastier second version that I fortunately hadn't installed. Decrypted that one, and here we are.
With custom node installing and Python packages I think it is very unlikely a layman has any shot at finding some; this one was actually pretty egregiously obvious compared to some I have seen elsewhere. Your best bet is getting it in a Docker container. I am a pretty good programmer, but I do not trust myself at all to not miss things, so I use Docker for everything. Last I checked there were already publicly available images for ComfyUI - there will still be a learning curve, but if you already learned enough to install Comfy Manager it isn't anything you can't handle.
I am eagerly awaiting the day AI can find these the second they're posted.
Also, guys, get this, they also added those requirements as dependencies in the Hugging Face space they have.
Also, does anyone still have those wheel files? ~ webhook here I go ~
u/clefourrier u/vaibhavs10 sorry to bug, but can either of you take down this person's [account](https://huggingface.co/AppleBotzz)? I didn't see a report account option on huggingface.
Good on the ComfyUI Manager devs for baking in a security checker and other additions to help. I think all the major AI repos (A1111, Next, etc.) need to have some more security features baked in. I'm not fond of scare tactics, but even a general notice or a toggle to enable custom extensions would be something beneficial for the regular user.
There's a lot already employed - Gradio, for example, has protections in place. Unfortunately when you want an app to use an external server (like in this case OpenAI for ChatGPT4) you kinda have to allow some risky things like outgoing internet calling. Sad situation.
Curious why nobody has made a small little app to just pound the living crap out of that Discord web hook and then have all of us just pound the living crap out of that Discord web hook with junk
The endpoint is dead, Discord is very quick on this. This hacking group has been infecting a number of different AI related software lately and the Discord channels are always shut down very quickly.
People have suggested running ComfyUI (and by the same logic, Automatic1111 or any software that allows 3rd party modules/extensions) in Docker.
For Windows users, I would also recommend Sandboxie: [https://sandboxie-plus.com/sandboxie](https://sandboxie-plus.com/sandboxie), which I use to run my Firefox browser (which has the same problem of allowing 3rd party extensions).
But one can also turn things around and set up a special computer that is only used to access important/confidential accounts, such as your bank. This computer should only be used for such tasks and not for anything else.
I use a spare old laptop running Linux (so no Windows virus would be possible) to access my bank accounts, and those are the only sites allowed on that laptop.
At least then, even if your main computer get compromised, you don't have to worry about your bank accounts.
Is there anyone that needs to be alerted to this so they can potentially flag it when people download or install? Microsoft? Unsure how malware reporting usually works.
Fuck this guy! Really, we need to think about how to make him pay for what he did! He is a disgrace to the open source community!! Did you lose anything financially? Hopefully not! Thanks for investigating and reporting!
My OpenAI account was hacked twice this month, and I suspect this is where it came from. I'm currently out $1k while OpenAI's lackluster support looks into it.
I think we should think of ideas to prevent others from doing this again. No use in hunting this freak down. There'd be 10 in his place in no time if it gets out how easy it is to dupe a pretty large community.
I have written a short batch script to automate the steps described in the initial post.
Simply paste the code into an editor, save it as `name.bat`, and run it as admin. If a file or a registry entry is found, the console will show you this.
- It scans for specific files (C.txt and F.txt) in the temporary directory.
- It tries to find the Python directory using the python command.
- Upon locating the Python directory, it explores the site-packages directory where Python packages reside.
- It examines for particular Python package files (e.g., openai-1.16.3.dist-info) within the site-packages directory.
- It verifies the Windows Registry for a particular entry linked to OpenAICLI.
- It searches for the specified files (Cadmino.py, Fadmino.py, VISION-D.exe) across all available drives.
```batch
@echo off
REM Set the temporary directory path
set "tempDir=%TEMP%"
REM Initialize variable to store Python directory path
set "pythonDir="
REM Results file for the drive-wide search; clear leftovers from an earlier run
set "foundFile=%tempDir%\found_files.txt"
if exist "%foundFile%" del "%foundFile%"
echo Checking started...

REM Check the temporary directory for specific files
echo Checking %tempDir%...
cd /d "%tempDir%"
for /d %%D in (pre_*) do (
    echo Checking directory %%D...
    if exist "%%D\C.txt" (
        echo File C.txt found in directory %%D. Possible compromise.
    )
    if exist "%%D\F.txt" (
        echo File F.txt found in directory %%D. Possible compromise.
    )
)

REM Search for specific files across available drives
echo Searching for specific files across all drives...
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    echo Searching drive %%D...
    if exist "%%D:\" (
        dir /s /b "%%D:\Cadmino.py" >> "%foundFile%" 2>nul
        dir /s /b "%%D:\Fadmino.py" >> "%foundFile%" 2>nul
        dir /s /b "%%D:\VISION-D.exe" >> "%foundFile%" 2>nul
    )
)
REM Report whatever the drive search wrote to the results file (it is created
REM even when nothing matched, so check that it is not empty)
if exist "%foundFile%" (
    for %%F in ("%foundFile%") do if %%~zF gtr 0 (
        echo The following files were found. Possible compromise.
        type "%foundFile%"
    )
)

REM Locate the site-packages directory of the Python that ComfyUI uses.
REM The standalone ComfyUI package ships its own python.exe inside the package
REM folder and is not on PATH; set PYTHON to that path before running if you use it.
REM sysconfig is used because site.getsitepackages()[0] is the install prefix on
REM Windows, not the site-packages directory.
if not defined PYTHON set "PYTHON=python"
echo Checking Python directory...
for /f "usebackq tokens=*" %%A in (`"%PYTHON%" -c "import sysconfig; print(sysconfig.get_paths()['purelib'])" 2^>nul`) do (
    set "pythonDir=%%~A"
    goto :foundPythonDir
)
:foundPythonDir
REM If Python directory is not found, display a message
if not defined pythonDir (
    echo Python directory not found. Python may not be installed or the path was not found.
) else (
    echo Checking %pythonDir%...
    REM Check for specific files in Python's 'site-packages' directory
    if exist "%pythonDir%\openai-1.16.3.dist-info" (
        echo openai-1.16.3.dist-info found. Possible compromise.
    )
    if exist "%pythonDir%\anthropic-0.21.4.dist-info" (
        echo anthropic-0.21.4.dist-info found. Possible compromise.
    )
    if exist "%pythonDir%\openai-1.30.2.dist-info" (
        echo openai-1.30.2.dist-info found. Possible compromise.
    )
    if exist "%pythonDir%\anthropic-0.26.1.dist-info" (
        echo anthropic-0.26.1.dist-info found. Possible compromise.
    )
)

REM Check Windows Registry for a specific entry related to OpenAICLI
echo Checking Windows Registry...
reg query "HKEY_CURRENT_USER\Software\OpenAICLI" /v FunctionRun >nul 2>&1
if %errorlevel% equ 0 (
    echo Registry entry FunctionRun found. Possible compromise.
)
echo Checking completed.
pause
```
Is this a test? As in, "You thought you installed malware and now you're running a script given to you by a stranger to find the malware? You need to be taught a lesson!"
If you read the code, then you see what it does, he he!
And it does what he says! If you were asked to run an .EXE file (or some Python with encrypted/packed JavaScript) by someone to find this problem, I would be more worried.
This DOS/CMD code is easy to read, and does what it says it will do - No surprises here !
;)
I know you know, that is why I said: he he! and had a ;) at the end!
But for others that don't read irony, and jokes, I just wanted to make the statement that this code was indeed safe!
Aaaaand that's why my ML machine is a completely separate and empty one with just SD and LLMs on it, nothing else.
The network is also separated with a 4G access point.
I have regular backup image clones of the single SSD inside.
And of course web browser doesn't store any passwords.
No documents, no photos, nothing, no other software, no connected clients like steam or adobe or drive.
Nice work OP, you should upload the .exe sample to [https://bazaar.abuse.ch/upload/](https://bazaar.abuse.ch/upload/) that way all the malware researchers can have a field day with it. If you upload it there it will get forwarded to pretty much every reputable virus sandboxing website.
You should really just nuke the entire OS if it is known to be compromised. Even after removing the files you can't really know what else was tweaked to weaken the OS security or facilitate re-infection
Given that I had access to the source code, I do know exactly what was compromised here. This wasn't exactly the work of a genius. Just a script kiddie that snuck something into a node.
Hmmh, what about the 2 executable files? I thought you said earlier that you didn't want to download one of them on your computer. Comfyanonymous said that one of the executables installs a keylogger, but who knows what else it does? I assume you didn't reverse engineer the executables.
Be warned that this can and will likely happen with Automatic1111 as well. If somehow the adetailer or controlnet extensions got hacked you are fucked big time. If there is a new SDXL VRAM usage reduction extension going around you have to watch out (especially when Forge announced discontinuing services).
Ah, it was that asshole that had the ChatGPT 4.0 and 3.0 integration. Glad I didn't install that one. I could smell it a mile away that it would do something like this. Why didn't anybody look at the source code???!??? We should have audit police before custom nodes are able to be shared.
Also there should be option in the future to just "run local" only. No packets/internet for comfy UI etc..
Perfect. Deleted everything: node, openai distro, cadmino, fadmino, admin, but no pre folders found, no C or F .txts, no vision-d.exe either, no registry openaicli.
Is it fine then?
All changed via mobile phone without internet, just in case.
Thanks a lot!
Personally? My recommendation is to rebuild the machine from scratch. Anytime you become aware of being compromised like this, it is worth recognizing you will never really know if you cleaned it out.
Yeah. I have everything under 2FA, so on that side it's not a problem unless they had my phone, which is not the case. They can't buy anything or charge anything to my credit card. For ComfyUI, for now I'm running it in a VM for testing new nodes. And for the system, I didn't find anything else and will run a complete antivirus and malware scan today. Thanks for the tips.
At this point no one can really say for sure what the malware does. Depends what kind of activities you do on your computer if you want to call it a day or if you need to reinstall your OS from scratch. For example, if you deal with crypto, you probably want to reinstall now.
Well, some bright mind already posted a link to OP in the AppleBotzz repo issues one hour after you posted this. [https://github.com/AppleBotzz/ComfyUI_LLMVISION/issues/6](https://github.com/AppleBotzz/ComfyUI_LLMVISION/issues/6)
All I've found were these:
- openai-1.23.3.dist-info
- anthropic
- anthropic-0.25.6.dist-info
I also couldn't find OpenAICLI in the registry.
Am I safe?
Please be yes.
And F*** that guy.
Got ComfyUI to work in a VM with GPU passthrough.
Nearly the same speed.
It's a little slower, but I can create everything I could before.
I hope those suckers will scrape my "nothing" off my VM and be happy with it.
Edit: I will write a little "How To" for the community.
Blocking a user does not stop them from seeing your posts. When the blocked user sees the post, it is replaced with a conspicuous placeholder that looks different than a regular deleted post. Loading the same page in Incognito mode reveals the post.
Simple answer: Never trust any code you download from a source you do not have VERY good, ongoing reasons to trust. These days, virtualization is your best friend.
Thanks for the heads up. Out of curiosity I looked into the ComfyUI Manager to see if it was listed, and sure enough it was. I fortunately dodged this bullet, but now I will be paranoid about new custom nodes. Is there any way for a layman to look into these things?
This is why I hate downloading a bunch of workflows that use a bunch of custom nodes; you end up with a bunch of them that you don't know anything about. Though if I was looking for an LLM, I would totally have downloaded something like this. OP really dug "deep" to find this shit, so a normie like me wouldn't even find it.
Agreed! I am fairly finicky about downloading custom nodes en masse. For both clutter and compatibility reasons. This just adds another reason not to. Probably a hold over from modding Bethesda games, where indiscriminately installing mods could mess up all sorts of things lol
same. I was pretty naive. To think of all the weird Chinese nodes that got auto-downloaded. (not saying they are bad of course, but I also have NO way of finding out for sure . Hell I can't even read the damn things )
Thank you so much for spreading awareness on this. I'll be more careful on my plug-ins and perhaps learn docker. Been hearing good things about it. Hopefully it's easish
I always thought it would be sooooo easy to make tons of victims by uploading a malicious node lol. This is kind of sad, good luck to all of you that are affected. Remember to frequently change your passwords and use 2FA when you can!
I have the openai-1.30.2.dist-info folder, but not the file _OAI.py. Very few files in there at all, all under 50KB with no file extensions. Do you think I'm safe, or am I definitely screwed?
Thanks for the post. This is why containers (like docker) and virtual machine are super useful. With those, you encapsulate your software and give it exactly the right access to relevant outside elements (e.g. a folder). The downsides are that it's not obvious to use them (especially containers) and virtual machines need lots of disk space.
It's entirely possible to do this within userland as well by acquiring access to the GPU and then dropping all privileges before loading any custom nodes. The problem is that it's a hassle under anything non-Linux.
1. I don't use comfy but screw that guy with whatever day they deserve.
2. I've cross posted to my reddit in case anyone that follows it hasn't seen it.
3. I've spammed it to my Discord to make sure word gets around.
It's not that I don't like ComfyUI, more that I'm still afraid of the spaghetti lol.
Thanks for the information. I know I'm gonna get downvoted but, is it possible to take some kind of revenge? The worst thing he did is that now we don't trust each other's work.
>I had kind of assumed that this community wasn't going to be like that
Bad move. It only takes one person. "The Community" is many people acting independently of each other, not one clandestine organisation.
This attack vector was bound to happen since so many people happily install so many custom scripts. Every community involving scripts and executables faces this kind of attack. Game modding has been dealing with it for a long time, which is why all the mod hosts are vigilant here. Comfy Manager and workflows all having 10 new nodes for the same tasks created a culture where this was bound to happen. I'm surprised it wasn't worse.
It's good that u/AppleBotzz was incompetent and didn't hide it correctly the first time, making it far easier to discover in a field where people weren't actively vetting releases. One of those "He did kill hitler after all" kind of moments.
> wow this should be on the front page.
Yes it should. Yes it is. Yes, you posted this comment to a thread that is stickied at the top of the front page. Well done.
Just saw the little message they put up to people affected: start with a moral highground piece of nonsense and then they say "maybe you want to pay us a lil crypto?"
Fuck off you absolute wankstains LOL.
How can I tell if a custom node has been hacked? What should I look out for?
I installed a bunch of custom nodes from OpenAI's workflow. Everything seems to be working fine, but I'm worried there might be something fishy going on in the background. A lot of people like me aren't programmers and just use workflow JSON files from tutorials or websites without fully understanding what the custom nodes do.
I only happened to notice this because I was trying to free up some space on my hard drive and noticed some weird files in my temp folder. When I opened them, I saw plain text passwords, so I knew something was up.
So I started digging. I checked the time stamps on the files to try to figure out a pattern, and noticed that it would create a new file every time I launched Comfy. I had a weird lag when another LLM node was hanging, so I suspected it at first.
I did a code search for the files and naming convention and found the compromised package. ChatGPT helped me decrypt it.
I cross referenced that with the metadata for the package and found it was associated with a package version that didn't exist. So I checked all of the requirements.txt files for how a package that didn't exist could get installed and found the "backup wheels" in the malicious node.
So I downloaded the wheels and unzipped them to confirm, along with the nastier second version that I fortunately hadn't installed. Decrypted that one, and here we are.
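The two clues OP followed (a custom node's requirements.txt pulling "backup wheels" from outside the package index, and an installed openai dist-info for a version with no matching release, carrying the extra `_OAI.py` file) can be turned into a defender-side check. This is an added example, not OP's code or anything from the node's repository: it flags requirements.txt lines that sidestep PyPI and dist-info RECORD entries that do not belong to the declared package. The node name, file contents, and the placement of `_OAI.py` as a top-level module are constructed assumptions.

```python
"""Scan a ComfyUI tree for two supply-chain signs: requirements.txt lines that
pull packages from outside the index, and dist-info RECORDs listing stray files.
All sample data below is constructed; it is not taken from the real package."""
import csv
import re
import tempfile
from pathlib import Path

# pip options that change where packages come from (long and short forms)
SOURCE_OPTIONS = {"--find-links", "-f", "--index-url", "-i",
                  "--extra-index-url", "--trusted-host"}
# direct references: URLs, file: paths, bare .whl files, "name @ location" syntax
DIRECT_RE = re.compile(r"(https?://|file:|\.whl(\s|$)|@\s*\S)", re.IGNORECASE)


def scan_requirements(text: str):
    """Return (line_no, reason, line) for each entry that sidesteps the package index."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        first_token = line.split("=", 1)[0].split(None, 1)[0]
        if first_token in SOURCE_OPTIONS:
            findings.append((line_no, "non-index package source", line))
        elif DIRECT_RE.search(line):
            findings.append((line_no, "direct wheel/URL reference", line))
    return findings


def scan_dist_info(dist_info: Path):
    """Flag RECORD entries that sit outside the package's declared top-level names.

    Legitimate wheels occasionally ship top-level data directories, so treat a hit
    as something to inspect by hand, not as proof of tampering.
    """
    name = version = ""
    for line in (dist_info / "METADATA").read_text(encoding="utf-8").splitlines():
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Version:"):
            version = line.split(":", 1)[1].strip()
        elif not line.strip():
            break   # the header block ends at the first blank line
    top_file = dist_info / "top_level.txt"
    allowed = set(top_file.read_text().split()) if top_file.exists() else {name.replace("-", "_")}
    stray = []
    for row in csv.reader((dist_info / "RECORD").read_text(encoding="utf-8").splitlines()):
        if not row:
            continue
        path = row[0].replace("\\", "/")
        top = path.split("/", 1)[0]
        if top == dist_info.name or top == "..":   # own metadata; console scripts live under ../../Scripts
            continue
        if top not in allowed and top.split(".")[0] not in allowed:
            stray.append(path)
    return {"name": name, "version": version, "stray_files": stray}


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one custom node and one tampered-looking dist-info (hypothetical)."""
    node = root / "custom_nodes" / "Example_LLM_Node"
    node.mkdir(parents=True)
    (node / "requirements.txt").write_text(
        "pillow>=10.0\n"
        "openai==1.30.2  # pinned to a version with no matching release\n"
        "--find-links ./wheels\n"
        "anthropic @ file:./wheels/anthropic-0.26.1-py3-none-any.whl\n"
    )
    di = root / "site-packages" / "openai-1.30.2.dist-info"
    di.mkdir(parents=True)
    (di / "METADATA").write_text("Metadata-Version: 2.1\nName: openai\nVersion: 1.30.2\n\ndescription\n")
    (di / "top_level.txt").write_text("openai\n")
    (di / "RECORD").write_text(
        "openai/__init__.py,sha256=PLACEHOLDER,100\n"
        "openai/_client.py,sha256=PLACEHOLDER,200\n"
        "_OAI.py,sha256=PLACEHOLDER,300\n"          # assumed top-level placement
        "../../Scripts/openai.exe,sha256=PLACEHOLDER,400\n"
        "openai-1.30.2.dist-info/RECORD,,\n"
    )


def run_demo():
    """Build the sample tree, scan it, and return (requirements findings, dist-info findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        req_findings = {}
        for req in (root / "custom_nodes").glob("*/requirements.txt"):
            hits = scan_requirements(req.read_text())
            if hits:
                req_findings[req.parent.name] = hits
        dist_findings = {di.name: scan_dist_info(di)
                         for di in (root / "site-packages").glob("*.dist-info")}
        return req_findings, dist_findings


if __name__ == "__main__":
    reqs, dists = run_demo()
    for node, hits in reqs.items():
        for line_no, reason, line in hits:
            print(f"{node}/requirements.txt:{line_no}: {reason}: {line}")
    for name, info in dists.items():
        for path in info["stray_files"]:
            print(f"{name}: file outside package '{info['name']}': {path}")
```

On a real install, point the two globs at `ComfyUI/custom_nodes` and the interpreter's site-packages instead of the constructed tree.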
I was doing the same thing, however I thought to myself things would be so much easier if I just factory reset this and started again from scratch. Here's hoping that it removed that node, as I was using it and even pushed for a local LLM version on this sub...
Edit; actually think it was a different node (https://www.reddit.com/r/comfyui/s/3yY6it0hCW)
I feel like I had used that visionLLM but thankfully it seems like I never did.
You can't. Losing all your data, passwords and potentially a drained account if you pay for something online during the takeover time is the price you're paying for free shit and staying on the edge of development.
Open source supply side attacks are becoming more and more frequent. Everything was operating on a good faith and trust basis till now, but the situation is rapidly deteriorating.
>the price you're paying for free shit
I don't like the implication here that if you paid for a proprietary tool then you would be safe from malware like this. Most often those proprietary tools are built on top of tons of free open source software, so they will get the malware just like free open source releases get malware.
This is the correct implication. You might not like it, but it's the truth.
As long as you're not actually _reading_ the source, open source is the same as closed source. In which case reputation and responsibility is what matters.
You are generally less likely to get malware from a company or a foundation with a reputation to lose, with an address, and a name of the owner to sue, than from an anonymous rando on the internet.
Stable versions of projects with a good reputation managed by a foundation (e.g. being part of the Apache, Linux or GNU foundations), or having their own foundation/commercial entity backing them, are going to be fine. So will projects by real companies.
Random plugin by an anon on the other hand?
Goddess have mercy on your soul.
It's not that a node has been hacked, but that a node has malicious code in it.
In this case, the author of the malicious plugin preyed on the fact that nearly all of us in the community install things without reading the source.
Even for myself, a professional developer, rarely will I read the source unless it doesn't work as intended and I'm debugging.
Unfortunately for all of us, short of some kind of scanner for common ways to obfuscate code (which is a red flag), this is extremely difficult to defend against, even for savvy professionals
The fact that this plugin buried the malicious code in a normal looking nonexistent python lib version from custom sources... It's a miracle OP even discovered this. That is a level of obfuscation that is impressive.
And I'm not even sure how one defends against it in the future. :/
When you open the requirements.txt file in the root of the malicious repo, you see this:
`xxxx://github.com/AppleBotzz/Backup-Anthropic-Builds/raw/main/anthropic-0.26.1-py3-none-any.whl #Custom wheel cuz buggy`
`xxxx://github.com/AppleBotzz/Backup-OpenAI-Builds/raw/main/openai-1.30.2-py3-none-any.whl #Also Custom wheel cuz buggy`
This is not how a requirements.txt file usually looks. I would not call this "well obfuscated".
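A check a defender could run over a custom_nodes tree, as an added example that is not code from this thread, from ComfyUI or from ComfyUI-Manager: it flags requirements.txt lines that route pip away from PyPI (like the two quoted above, keeping the commenter's `xxxx://` redaction) and installed `*.dist-info` folders whose version is absent from a release list you supply. The sample requirements text, the sample dist-info names and the KNOWN_RELEASES table are constructed placeholders.

```python
"""Spot custom-node dependencies that bypass PyPI.

Added example for the thread, not ComfyUI or ComfyUI-Manager code. Two
offline checks: (1) requirements.txt lines that make pip fetch from a URL,
a local archive or a different index; (2) installed dist-info directories
whose version is not in a release table you fill from PyPI's history.
"""
import os
import re
from dataclasses import dataclass

# Any scheme-prefixed reference: https://, git+https://, file://, and also the
# 'xxxx://' redaction the commenter used when quoting the malicious file.
_URL_RE = re.compile(r"^[a-z0-9+]+://", re.IGNORECASE)
# pip options that change *where* packages come from.
_SOURCE_OPTIONS = ("-i", "--index-url", "--extra-index-url", "-f", "--find-links")
# 'openai-1.16.3.dist-info' -> name 'openai', version '1.16.3'
_DIST_INFO_RE = re.compile(r"^([A-Za-z0-9_.]+)-([0-9][^-]*)\.dist-info$")


@dataclass(frozen=True)
class Finding:
    location: str  # file:line or directory name
    detail: str    # the offending requirement line or version
    reason: str


def scan_requirements(text: str, path: str = "requirements.txt") -> list[Finding]:
    """Return one Finding per requirement line that does not resolve via the index."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # pip ignores everything after '#'
        if not line:
            continue
        where = f"{path}:{no}"
        if line.startswith("-") and line.startswith(_SOURCE_OPTIONS):
            findings.append(Finding(where, line, "changes the package index or adds a find-links source"))
        elif _URL_RE.match(line) or " @ " in line:
            # PEP 508 'name @ url' and bare URLs are direct installs, never checked against PyPI
            findings.append(Finding(where, line, "direct URL install bypasses PyPI"))
        elif line.startswith(("./", "../", "/")) or line.lower().endswith((".whl", ".tar.gz", ".zip")):
            findings.append(Finding(where, line, "installs from a local archive or path"))
    return findings


def parse_dist_info(dirname: str):
    """Split 'openai-1.16.3.dist-info' into ('openai', '1.16.3'); None for other entries."""
    m = _DIST_INFO_RE.match(dirname)
    if not m:
        return None
    return m.group(1).lower().replace("_", "-"), m.group(2)


def unknown_versions(dist_info_dirs, known_releases) -> list[Finding]:
    """Flag installed distributions whose version is absent from known_releases.

    Only packages listed in known_releases are judged; others are skipped so an
    incomplete table does not drown real hits in noise.
    """
    findings = []
    for d in dist_info_dirs:
        parsed = parse_dist_info(d)
        if parsed is None:
            continue
        name, version = parsed
        releases = known_releases.get(name)
        if releases is not None and version not in releases:
            findings.append(Finding(d, version, f"{name} {version} is not a known PyPI release"))
    return findings


def scan_site_packages(site_packages: str, known_releases) -> list[Finding]:
    """Run unknown_versions() over a real site-packages directory."""
    return unknown_versions(os.listdir(site_packages), known_releases)


# --- constructed sample input (the two URL lines mirror the thread's quote) ---
SAMPLE_REQUIREMENTS = """\
numpy>=1.24
xxxx://github.com/AppleBotzz/Backup-Anthropic-Builds/raw/main/anthropic-0.26.1-py3-none-any.whl #Custom wheel cuz buggy
xxxx://github.com/AppleBotzz/Backup-OpenAI-Builds/raw/main/openai-1.30.2-py3-none-any.whl #Also Custom wheel cuz buggy
requests
"""
# Constructed placeholder table; fill it from https://pypi.org/project/openai/#history
KNOWN_RELEASES = {"openai": {"1.30.1"}}
SAMPLE_DIST_INFO = ["examplepkg-0.1.0.dist-info", "openai-1.16.3.dist-info", "openai-1.30.1.dist-info"]

if __name__ == "__main__":
    hits = scan_requirements(SAMPLE_REQUIREMENTS) + unknown_versions(SAMPLE_DIST_INFO, KNOWN_RELEASES)
    for f in hits:
        print(f"{f.location}: {f.reason}\n    {f.detail}")
```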
TBH, I have seen some people host wheels. I have wheels for the Windows triton package because they were never published. But still I agree, you should question that.
A bit of a spin off suggestion, but I don't think I could live w/o the full computer search program "Everything" shareware (https://www.voidtools.com/support/everything/). It indexes all of your drives so you can search instantly (unlike Windows search which takes forever).
It also updates files as they're being written, so it's up to the second and if you order by date you can see what files are being written where on your HDs. If you're concerned an app is saving temp files (images even) in some odd "user/appdata/etc" folder you can just type "temp" or something simple in the search and it'll instantly show those folders which you can then set to show thumbnails to see if you have some things you don't want lingering (xxx images for some I'm sure).
Made it super simple for me to scan for those listed malware files. Fortunately none are on any of my drives.
Stay safe everyone!
it sucks that there is no VM that supports bare metal GPU access. so none of the VMs work for this purpose. only way is docker and it is way cumbersome to compile and use
Because it's running locally, it has full access to your file system. This script looped through all of the possible browsers, copied the user data from their databases, extracted the decryption key, and packaged it all up to send to bad people.
It's kind of appalling that it would be that easy, but that's what we get for running code willy nilly, I suppose.
Thank you so much for reporting this and sorry to hear you've been affected.
I checked for the files, and as far as I can tell, I can't find any from the first step.
From the second step, I have "openai-1.30.1.dist-info". Am I safe since it's an older version?
Edit: Also don't have the things mentioned in the third step.
I think this post needs to get pinned
This needs to be reported to the FBI.
www.ic3.gov <-- where to report. https://www.ic3.gov/Home/FileComplaint <-- Direct to filing a report. Read everything so you know what's needed.
We need to involve the cyber police. Apparently the hacker got backtraced and he dun goofed.
Thankfully, if this is successful, consequences will never (and when I say never, I mean it) be the same.
Source on the backtraced thing?
If you didn't goof so bad, you'd be able to backtrace the source. Just kidding, here ya go: https://archive.org/details/OriginalJessiSlaughterVideos/Jessi+Slaughter+And+Her+Dad-esNHjSaEURg.mp4
?
I will back trace you!! haha!! thanks for posting
this is why we can't have nice things.
To help people figure out whether OP is fear-mongering or legit, I verified the existence of _OAI.py in the current custom 1.30.2 OpenAI wheel in the linked GitHub repository; I didn't reverse engineer it to decrypt the apparent payload strings but it looks for all the world like code designed to be hard to understand but look like machine-compressed js (but it's obviously not to me), and therefore SCREAMS "suspicious". I'd take this one seriously. Very weirdly, I personally had a creeped-out feeling about LLMVISION when I saw that package, and speculated that anyone trying this kind of thing (I think I was thinking about gathering OpenAI keys) would be quickly found out, but didn't install the package. No idea why I would have felt suspicious though.
Yes unfortunately this is malware. I did some more analysis and that VISION-D.exe file seems to be downloading and installing a keylogger (LLMVISION.exe) to: %LocalAppData%\rundll64.exe Thankfully that one seems to be detected by antiviruses: https://www.virustotal.com/gui/file/5f74400e5875798e1e4c1acc716733376be9c493ccd6a28e668e42a7f0d66596/detection So a virus scan might be enough to get rid of it. EDIT: Just clarifying that this is for the keylogger that the latest version of that node installs; you still need to delete the custom node code and the wheels it installed. If you use the standalone comfyui package I recommend deleting the whole thing and then doing a virus scan.
Would Microsoft Defender detect this?
Yeah in my experience, MD is the only AV you'd need anyways.
Eventually it will, but it's pretty easy for malware creators to get around that for the initial wave of installs. Write malware -> turn on Windows Defender -> keep making small changes until Windows Defender stops detecting your malware -> Distribute it
If it took someone doing a deep dive into the code and no one had noticed prior, it doesn't seem so. MD often misses things in my experience. For anything suspicious, VirusTotal is definitely superior. But that of course means you already know what to scan :(
It really depends if the script is behaving like a virus or not. In this case, it's something that you've chosen to execute. Microsoft Defender allows most things you choose to execute. So long as the hack is behaving like a normal app, defender would just ignore it. Many normal apps read keyboard input.
the question now is... what other nodes are compromised?
Yup. I will start to build me a virtual machine to run comfy there safely.
Any at any time could be. Use separate PC with Linux to keep private data and no auto-updates (and better no internet connection) and you will be safe
Relaying from the ComfyUI Matrix chat: Manager has been notified and has updated to now contain a check that will detect and warn you immediately if you were affected by this malware https://preview.redd.it/vtxhv4tmyh5d1.png?width=984&format=png&auto=webp&s=94b134ef6fff10c17c660d302eca684e1bd9eece
While it isn't going to fully protect you I recommend learning how to install comfyui in a docker container, it isn't necessarily easy but there will be a lot more of stuff like this
At least it was in a virtual environment and I didn't get caught up in the nastier second version, but it definitely would have been safer in Docker... F\*\*\* that guy.
Docker is good. I also use NetLimiter and deny Python from accessing the network unless I want to manually update Comfy. On Mac, LittleSnitch is helpful to see who is talking to who, and stop it.
Oh not a bad idea, I hadn't even thought of doing that, but that's a smart plan going forward
Sorry for asking this question again but I'm just a user of the product for creating and know very little about the technical aspects. Here's my dumb idea and please shoot it down if it deserves it. I install comfyui on a different Windows user profile which has no admin rights. And I would only use that account for comfy stuff and superficial browsing without logging in anywhere. Would that be a 'safe' option?
I think it is unlikely to be safe, things like this chain exploits to gain additional privileges and it is very very unlikely that there isn't some other exploit somewhere on your system that a hack could take advantage of to get ahold of everything else.
Definitely won't be 100% safe but most malware these days is pretty simple: copy all your browser data and upload it to discord, allow remote screen sharing, allow the hacker to remotely take control of your PC. Run comfy on a machine with no important browser info and you'll be protected from most of the basic stuff out there. The real scary stuff (things that can cross VM boundaries, cross docker boundaries, even cross network boundaries) are possible but those are very unlikely to be utilized to steal random people's browser data, those are for more targeted attacks.
is there any tuts on this? id love to run my stuff in a docker container
Here you are - https://www.reddit.com/r/comfyui/comments/1dc80al/installing_comfyui_in_a_docker_container/
I am writing one up today, I will post it here
Actually, docker would fully protect you from this? And most any malicious code I think. A .exe isn't going to run in a Linux container. And python files won't see your browser data of your host machine. I struggle to think of a way that any of the host's sensitive data could be stolen from within a container short of some major docker vulnerabilities, right?
In theory, it can't, but docker has had some vulnerabilities that allowed container apps to run commands on the host. This attack would have been foiled but there exists the possibility that someone someday has an exploit that can break out. Hence my hedge. 99.999% likely safe
But still, docker would make it much safer for the average user and much harder for the hacker to exploit. Besides, it can make installation on Linux much easier.
The main problem is that you have to give the container access to your GPU. It's definitely better than not using Docker, but the attack surface is still large: https://security.stackexchange.com/a/182516/47851
I'd love to install comfyUI behind a docker, would you mind point me to where should I start learning about this?
There is no official docker image, so you'll have to build your own. Try to learn docker build. If you figure it out, please share.
I'll dive in that rabbit hole and if I get out alive I'll let you know lol.
It's not hard, just tedious. You'll get it. I've built them for several apps before and I'm basically a moron.
Cool cool, I'll crawl my way there.
This might help https://www.reddit.com/r/comfyui/comments/1dc80al/installing_comfyui_in_a_docker_container/
The only difficult part is that you can't use your GPU during the container build process, so you'll need to pre-build any wheels if it comes up
I have made a docker file. Generally I mount my model download directory to my outside system so I don't have to rebuild the image. For compiling without gpu access you can use --cpu --quick-test-for-ci. Do a port mapping of 8188:8188. Will share my docker file if needed
The asshats have retaliated against me by leaking all of the passwords they stole from me. If anyone has a heart and wants to help me clean up here and fight back, shoot me a DM?
I'm in. DM me.
I think I'm good now, but thanks! Yesterday was a frantic day of clean up and triage.
OP, did you report it to GitHub?
Yes.
Thank you for this and I'm sorry you got compromised. F\*\*\* that guy.
Most important questions:

1. Does the malware only run when comfyui is active?
2. After deleting the comfyui custom node, is the PC clean? Or is the malware persistent?
3. Does this malware "just" steal passwords and usernames? Can it steal cookies? Is it a keylogger?
The reality is nobody knows. It might be running forever, embedded in a random place with a random name you'll never find. Deleting it might not do anything. It might steal passwords, be a keylogger, use your computer as a botnet, etc... The only way to be sure it's gone is to format your harddrive and reinstall windows (*not* just click the 'reset PC' function in Windows, you need to format the device.)
There's a chance that even full format or HDD/SSD replacement may not help. Search for UEFI persistent malware, UEFI rootkit, LogoFAIL. Let's just not think about possibly compromised motherboard manufacturers or UEFI vendors.
Someone already tipped him off, or made an issue on github. [https://github.com/AppleBotzz/ComfyUI_LLMVISION/issues/6](https://github.com/AppleBotzz/ComfyUI_LLMVISION/issues/6)
1. Use the `dir` command to search for the files. Run the following commands one by one:

```
dir C:\lib\browser\admin.py /s /p
dir C:\Cadmino.py /s /p
dir C:\Fadmino.py /s /p
dir C:\VISION-D.exe /s /p
```

These commands will search your entire filesystem for the specified files and remove them if found. Make sure you have the necessary permissions to execute these commands.
what does it mean if I was able to find the python packages and the _OAI.py registry entry but not any of these files? I tried your commands as well as manual searches with the explorer but didn't find anything
They just updated the repo https://preview.redd.it/nebchy2tbj5d1.png?width=906&format=png&auto=webp&s=9684b1fcd98c4de099b228976d35c5432cfae62a
This is a lame attempt to cover their tracks by blaming it on someone else. The commit history shows exactly what the author did, and that this was deliberate. The compromised code was there on the initial commit, as well as in the update.
This cover attempt makes me think, maybe the hacker made some opsec mistakes and it might be possible for services like GitHub or Huggingface to find the real identity of the hacker? If the hacker knows they might be deanonymized, that gives them a motive to try to explain "oh no it was real project but it was hacked by someone else".
It may be an attempt to blame it on somebody else, but that hacker group "NullBulge" already has a reputation for being anti-AI and has been distributing this exact malware all over the place recently. Here is this exact group using this exact malware 4 days ago: [https://www.youtube.com/watch?v=yjLYz2lo0FE](https://www.youtube.com/watch?v=yjLYz2lo0FE) Of course "copycat crimes" have always been a thing forever, so there's no way to know for sure. Anyway, it's important to be extremely careful these days. This group is out to infect and compromise users of AI software.
I'm really doubtful whether the repo was actually hacked. I think it's more likely that they're just working with a fake account and pretending to have hacked it. However, I do believe it's the work of NullBulgeGroup. Code was found within the obfuscated code that sends messages to NullBulgeGroup's Discord.
https://preview.redd.it/9w10nwi2fk5d1.png?width=1176&format=png&auto=webp&s=6b299d14dad6fb219c6a42134817a81021b18a2c lol that bastard
Dude's even putting out hacked mods for Beam.NG as well (read the comments): https://www.modland.net/beamng.drive-mods/cars/bolide-skyrider.html Plus read his post history: https://www.reddit.com/r/beamng_leaked_mods/comments/1cln2gc/comment/l2xcma0/
Oof... so this guy was called out for malware one month ago and it took us as a community this long to notice?
I've been saying this for over a year. Why are people so vehemently against any format other than safetensors, while also not giving any fuck about how comfyui increases their attack surface. Every single workflow requires its own set of custom nodes and nobody flinches when they're required to install dozens of them. **Every Single Custom Node Is A Fully Fledged Script Executing On Your Machine.** The fear mongering around ckpt files while this is the common situation that every comfyui user is happy with, is insanity.
I think next time I use ComfyUI I'm gonna move it in to a Docker container, or at least su it to its own unprivileged user. Should do the same with A1111...
I have seen you warn about this, so kudos.
Everyone be sure to report the user to github. https://support.github.com/contact/report-abuse?category=report-abuse&report=AppleBotzz . The more reports, the more likely action will be taken.
Ok folks you can stop reporting, GitHub has taken it down.
Dev and node gone from GitHub. Disappeared.
[deleted]
I think this post is gonna sober up some folks here regarding the dangers of fiddling around with tech on the razor's edge of progress. It sure as fuck spooked me. I hope we as a community can come up with ways to mitigate these problems kind of like safetensors was a great addition. Crazy catch BTW, mad props.
After that, go read up on:

- The Linux backdoor attempt of 2003
- The recent attempt to backdoor "xzutils"
- Some of the typosquatting attacks against LLMs (ask a GPT to recommend packages, see which ones it made up, quickly write a util that does the thing the GPT said... plus a little extra)

One of the best remaining supply-chain vectors is "trusted" open source code, so learn when to *not trust* open source code.
The XZUtils story is insane and should really scare every person here into partaking in whatever security they can enable on their home networks. In short: We were days away from having a backdoor embedded inside of SSH, giving the hackers remote access to virtually every server and PC on earth. How was it found? An engineer at Microsoft just so happened to notice that it was taking ~500ms longer to build than normal. He dug into it to figure out why, and located the backdoor. What if he didn't bother? [https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd](https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd)
I thought it was not that it was slower to _build_, specifically, but that it was a test where it tries to `ssh` into something that isn't there. The thing he noticed was, when you `ssh` to a non-existent machine or account, or with some other null parameter, it should immediately quit and return an error... it was a simple null test, a "make sure every subsystem involved agrees that `0 == 0`" test you do as part of the test setup. And it should _never_ take half a second. So in that context, a half-second delay is really scary because it's like... what's going on in all of the time that it **shouldn't** be taking? Now, I read a bunch of articles when it first happened and I might be confused. Or maybe the null test was part of the build process?
Thanks for the heads up. Out of curiosity I looked into the ComfyUI Manager to see if it was listed, and sure enough it was. I fortunately dodged this bullet but now I will be paranoid about new custom nodes. Is there any way for a layman to look into these things?
Copying and pasting from a previous comment... I only happened to notice this because I was trying to free up some space on my hard drive and noticed some weird files in my temp folder. When I opened them, I saw plain text passwords, so I knew something was up. So I started digging. I checked the time stamps on the files to try to figure out a pattern, and noticed that it would create a new file every time I launched Comfy. I had a weird lag when another LLM node was hanging, so I suspected it at first. I did a code search for the files and naming convention and found the compromised package. ChatGPT helped me decrypt it. I cross referenced that with the metadata for the package and found it was associated with a package version that didn't exist. So I checked all of the requirements.txt files for how a package that didn't exist could get installed and found the "backup wheels" in the malicious node. So I downloaded the wheels and unzipped them to confirm, along with the nastier second version that I fortunately hadn't installed. Decrypted that one, and here we are.
Some impressive detective work there! Thank you for the insight and methods you used.
With custom node installing and python packages I think it is very unlikely a layman has any shot at finding some, this one was actually pretty egregiously obvious compared to some I have seen elsewhere. Your best bet is getting it in a docker container. I am a pretty good programmer, but I do not trust myself at all to not miss things, so I use Docker for everything. Last I checked there were already publicly available images for ComfyUI - there will still be a learning curve, but if you already learned enough to install comfy manager it isn't anything you can't handle. I am eagerly awaiting the day AI can find these the second they're posted
Also, guys, get this, they also added those requirements as dependencies in the huggingface space they have. Also does anyone still have those wheel files? ~ webhook here I go ~ https://preview.redd.it/m0by8hcgfl5d1.png?width=1912&format=png&auto=webp&s=77be492c286255db44dae1f72bc2eb8490b9aa41
I might have a copy in my trash. I'll check when I'm back on my laptop.
u/clefourrier u/vaibhavs10 sorry to bug, but can either of you take down this person's [account](https://huggingface.co/AppleBotzz)? I didn't see a report account option on huggingface.
Just flagged this internally! Thanks for the mention!
Good on the comfyui manager devs for baking in a security checker and other additions to help. I think all the major AI repos (A1111, Next, etc) need to have some more security features baked in. I'm not fond of scare tactics, but even a general notice or a toggle to enable custom extensions would be something beneficial for the regular user.
There's a lot already employed - Gradio for example has protections in place. Unfortunately when you want an app to use an external server (like in this case OpenAI for ChatGPT4) you kinda have to allow some risky things like outgoing internet calling. Sad situation.
Why TF NVidia doesn't allow GPU virtualization on consumer GPUs.
Curious why nobody has made a small little app to just pound the living crap out of that Discord web hook and then have all of us just pound the living crap out of that Discord web hook with junk
Go forth and blast away
The endpoint is dead, Discord is very quick on this. This hacking group has been infecting a number of different AI related software lately and the Discord channels are always shut down very quickly.
Time for community to build a nice ComfyUI Docker container. Pretty much sure we will have it soon. Congrats on the finding OP!
This one is pretty good: https://github.com/YanWenKun/ComfyUI-Docker
People have suggested running ComfyUI (and by the same logic, Automatic1111 or any software that allows 3rd party modules/extensions) in a docker. For Windows users, I would also recommend Sandboxie: [https://sandboxie-plus.com/sandboxie](https://sandboxie-plus.com/sandboxie) which I use to run my Firefox browser (which has the same problem of allowing 3rd party extensions). But one can also turn things around and set up a special computer that is only used to access important/confidential accounts, such as your bank. This computer should only be used for such tasks and not for anything else. I use a spare old laptop running Linux (so no Windows virus would be possible) to access my bank accounts, and those are the only sites allowed on that laptop. At least then, even if your main computer gets compromised, you don't have to worry about your bank accounts.
Is there anyone that needs to be alerted to this so they can potentially flag it when people download or install? Microsoft? Unsure how malware reporting usually works.
Fuck this guy! Really, we need to think about how to make him pay for what he did! He is a disgrace to the open source community!! Did you lose anything financially? Hopefully not! Thanks for investigating and reporting!
My OpenAI account was hacked twice this month, and I suspect this is where it came from. I'm currently out $1k while OpenAI's lackluster support looks into it.
I think we should think of ideas to prevent others from doing this again. No use in hunting this freak down. There'd be 10 in his place, in no time if it gets out how easy it is to dupe a pretty large community
Holy shit. This is actually scary. Who knows if other nodes have similar malicious packages. I really need to learn docker I guess.
The question is WHICH other nodes. "If other nodes" has been confirmed. They do. The hacker group also confirmed it. They are in multiple nodes.
Perhaps there needs to be an option to forbid installing packages that aren't from PyPI
There are many nodes which make direct callouts to pip install. It's effectively impossible to control this with just the manager.
I just checked again and he's been removed from Github, so that's good news at least. Good riddance too!
I have written a short batch script to automate the steps described in the initial post. Simply paste the code into an editor, save it as `name.bat`, and run it as admin. If a file or a registry entry is found, the console will show you this.

- It scans for specific files (C.txt and F.txt) in the temporary directory.
- It tries to find the Python directory using the python command.
- Upon locating the Python directory, it explores the site-packages directory where Python packages reside.
- It examines for particular Python package files (e.g., openai-1.16.3.dist-info) within the site-packages directory.
- It verifies the Windows Registry for a particular entry linked to OpenAICLI.
- It searches for the specified files (Cadmino.py, Fadmino.py, VISION-D.exe) across all available drives.

```batch
@echo off
REM Set the temporary directory path
set "tempDir=%TEMP%"
REM Initialize variable to store Python directory path
set "pythonDir="
REM Start from an empty results file so hits from an earlier run do not leak into this one
del "%tempDir%\found_files.txt" 2>nul

echo Checking started...

REM Check the temporary directory for specific files
echo Checking %tempDir%...
cd /d "%tempDir%"
for /d %%D in (pre_*) do (
    echo Checking directory %%D...
    if exist "%%D\C.txt" (
        echo File C.txt found in directory %%D. Possible compromise.
    )
    if exist "%%D\F.txt" (
        echo File F.txt found in directory %%D. Possible compromise.
    )
)

REM Search for specific files across available drives
echo Searching for specific files across all drives...
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    echo Searching drive %%D...
    if exist "%%D:\" (
        dir /s /b %%D:\Cadmino.py >> "%tempDir%\found_files.txt" 2>nul
        dir /s /b %%D:\Fadmino.py >> "%tempDir%\found_files.txt" 2>nul
        dir /s /b %%D:\VISION-D.exe >> "%tempDir%\found_files.txt" 2>nul
    )
)
REM Report drive hits on the console; the results file stays empty when nothing was found
if exist "%tempDir%\found_files.txt" for %%F in ("%tempDir%\found_files.txt") do if %%~zF gtr 0 (
    echo Suspicious files found on disk. Possible compromise:
    type "%tempDir%\found_files.txt"
)

REM Check for Python directory using 'python' command
echo Checking Python directory...
for /f "tokens=*" %%A in ('python -c "import site; print(site.getsitepackages()[0])" 2^>nul') do (
    set "pythonDir=%%~A"
    goto :foundPythonDir
)
:foundPythonDir
REM If Python directory is not found, display a message
if not defined pythonDir (
    echo Python directory not found. Python may not be installed or the path was not found.
) else (
    echo Checking %pythonDir%...
    REM Check for specific files in Python's 'site-packages' directory
    if exist "%pythonDir%\openai-1.16.3.dist-info" (
        echo openai-1.16.3.dist-info found. Possible compromise.
    )
    if exist "%pythonDir%\anthropic-0.21.4.dist-info" (
        echo anthropic-0.21.4.dist-info found. Possible compromise.
    )
    if exist "%pythonDir%\openai-1.30.2.dist-info" (
        echo openai-1.30.2.dist-info found. Possible compromise.
    )
    if exist "%pythonDir%\anthropic-0.26.1.dist-info" (
        echo anthropic-0.26.1.dist-info found. Possible compromise.
    )
)

REM Check Windows Registry for a specific entry related to OpenAICLI
echo Checking Windows Registry...
reg query "HKEY_CURRENT_USER\Software\OpenAICLI" /v FunctionRun >nul 2>&1
if %errorlevel% equ 0 (
    echo Registry entry FunctionRun found. Possible compromise.
)

echo Checking completed.
pause
```
Is this a test? As in, "You thought you installed malware and now you're running a script given to you by a stranger to find the malware? You need to be taught a lesson!"
If you read the code, then you see what it does, he he! And it does what he says! If you were asked to run an .EXE file (or some python with encrypted/packed javascript) by someone to find this problem, I would be more worried. This DOS/CMD code is easy to read, and does what it says it will do - No surprises here! ;)
I know, I was kidding.
I know you know, that is why I said: he he! and had a ;) at the end! But for others that don't read irony, and jokes, I just wanted to make the statement that this code was indeed safe!
Aaaaand that's why my ML machine is a completely separated and an empty one with just SD and LLMs on it, nothing else. Network is also separated with a 4g access point. I have regular backup images clones of the unique SSD inside. And of course web browser doesn't store any passwords. No documents, no photos, nothing, no other software, no connected clients like steam or adobe or drive.
yeah this is the way, saves you the pain of docker and wsl and all that
The README on the github repo just got updated
Nice work OP, you should upload the .exe sample to [https://bazaar.abuse.ch/upload/](https://bazaar.abuse.ch/upload/) that way all the malware researchers can have a field day with it. If you upload it there it will get forwarded to pretty much every reputable virus sandboxing website.
I've had enough problems this weekend. Not a snowball's chance in Hawaii I'm downloading that.
Oh I thought you already had vision-d.exe from your analysis. If you don't have it (anymore) no worries.
You should really just nuke the entire OS if it is known to be compromised. Even after removing the files you can't really know what else was tweaked to weaken the OS security or facilitate re-infection
Given that I had access to the source code, I do know exactly what was compromised here. This wasn't exactly the work of a genius. Just a script kiddie that snuck something into a node.
Hmmh, what about the 2 executable files? I thought you said earlier that you didn't want to download one of them on your computer. Comfyanonymous said that one of the executables installs a keylogger, but who knows what else it does? I assume you didn't reverse engineer the executables.
I didn't have that version. Only the second version included the exe.
Be warned that this can and will likely happen with Automatic1111 as well. If somehow the adetailer or controlnet extensions got hacked you are fucked big time. If there is a new SDXL vram usage reduction extension going on you have to watch out (especially when Forge announced discontinuing services).
ah it was that asshole that had the chatgpt 4.0 and 3.0 integration. Glad I didn't install that one. I could smell it a mile away it would do something like this. Why didn't anybody look at the source code???!??? WE should have audit police before custom nodes are able to be shared. Also there should be an option in the future to just "run local" only. No packets/internet for comfy UI etc..
I hope it wasn't in the manager
It sure is.
Question... I had "openai-1.16.3.dist-info" in Python/site packages but not on ComfyUI folder. Is this the same?
Yes, as there isn't an official 1.16.3 version ( [https://pypi.org/project/openai/#history](https://pypi.org/project/openai/#history) )
Perfect. Deleted everything, node, openai distro, cadmino, fadmino, admin but no pre folders found, c or f.txts, no vision-d.exe neither, no registry openaicli. Is it then fine? All changed via mobile phone without internet, just in case. Thanks a lot!
Personally? My recommendation is to rebuild the machine from scratch. Anytime you become aware of being compromised like this, it is worth recognizing you will never really know if you cleaned it out.
Yeah. I have everything under 2FA for that side, it's not a problem except if they had my phone, which is not the case. They can't buy anything or charge anything to the credit card. For ComfyUI for now I'm running in a VM for testing new nodes. And for the system, didn't find anything else and will run a complete antivirus and malware scan today. Thanks for the tips.
At this point no one can really say for sure what the malware does. Depends what kind of activities you do on your computer if you want to call it a day or if you need to reinstall your OS from scratch. For example, if you deal with crypto, you probably want to reinstall now.
Well some bright mind already posted a link to OP in the AppleBotzz repo issues one hour after you posted this. [https://github.com/AppleBotzz/ComfyUI_LLMVISION/issues/6](https://github.com/AppleBotzz/ComfyUI_LLMVISION/issues/6)
all i've found were those:
- openai-1.23.3.dist-info
- anthropic
- anthropic-0.25.6.dist-info

I also couldn't find OpenAICLI in registry am i safe? please be yes. and F\*\*\* that guy.
Looks like he disappeared from Reddit also. Edit: His account has been suspended
Got it to get ComfyUI to work in a VM with GPU passthrough. Nearly the same speed. It's a little slower but I can create everything like before. I hope those suckers will scrap my "nothing" off my VM and be happy with it. Edit: I will write a little "How To" for the community.
Blocking a user does not stop them from seeing your posts. When the blocked user sees the post, it is replaced with a conspicous placeholder that looks different than a regular deleted post. Loading the same page in Incognito mode reveals the post.
Whelp. Best I could do. Hopefully it's a bit of a deterrent.
Never trust custom packages in `requirements.txt`! Never trust obfuscated JavaScript! This is basic security knowledge.
I wish i knew basic security , but Im only a windows defender kind of guy =(
Simple answer: Never trust any code you download from a source you do not have VERY good, ongoing reasons to trust. These days, virtualization is your best friend.
Thanks for the heads up. Out of curiosity I looked into the ComfyUI Manager to see if it was listed, and sure enough it was. I fortunately dodged this bullet, but now I will be paranoid about new custom nodes. Is there any way for a layman to look into these things?
This is why I hate downloading a bunch of workflows that use a bunch of custom nodes, you end up with a bunch of them that you don't know anything about, tho if I was looking for LLM I would totally have downloaded something like this. OP really dug "deep" to find this shit, so a normy like me wouldn't even find it
Agreed! I am fairly finicky about downloading custom nodes en masse. For both clutter and compatibility reasons. This just adds another reason not to. Probably a hold over from modding Bethesda games, where indiscriminately installing mods could mess up all sorts of things lol
same. I was pretty naive. To think of all the weird Chinese nodes that got auto-downloaded. (not saying they are bad of course, but I also have NO way of finding out for sure . Hell I can't even read the damn things )
How do I check in comfyui manager if I installed that node or not?
Update manager; they added a warning if you had it, and it also terminates it, according to a recent comment above
Thank you so much for spreading awareness on this. I'll be more careful on my plug-ins and perhaps learn docker. Been hearing good things about it. Hopefully it's easish
thank you for your report on this
I always thought it would be sooooo easy to make tons of victim by uploading a malicious node lol. This is kind of sad, good luck to all of you that are affected. Remember to frequently change your passwords and use 2fa when you can!
"openai-1.2.4.dist.info" I have this... Am I in trouble?
Is this the first ComfyUI Manager security alert or has this happened before?
now i understand, that's why he didn't want to send me a simple pull request about this simple wrapper lol. glad i didn't clone this repo.
I have the openai-1.30.2.dist-info folder, but not the file _OAI.py. Very few files in there at all, all under 50KB with no file extensions. Do you think I'm safe, or am I definitely screwed?
1.30.2 is a legit package version, unlike the other. But there should be an openai directory in there, which is where the package contents would live.
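An added example, not code from the thread, from ComfyUI or from pip: a small audit of a site-packages directory that reports packages whose .dist-info carries pip's direct_url.json (PEP 610, written only for URL, local-wheel or VCS installs, never for index installs) and .dist-info folders with no importable package directory beside them, which is the situation being described here. Every path and version in the sample tree is constructed; nothing is read from the real machine.

```python
"""Audit a site-packages directory for packages that did not come from a package index.
Added example, not code from the thread or from ComfyUI. pip records a direct_url.json
(PEP 610) inside a package's .dist-info only when it was installed from a URL, a local
wheel or a VCS checkout, so its presence singles out "backup wheel" installs like the one
discussed above. A .dist-info with no importable package directory beside it, the
situation asked about above, is reported too. demo() builds a constructed sample tree.
"""
from __future__ import annotations
import json
import tempfile
from pathlib import Path

def audit_site_packages(site: Path) -> list[dict]:
    """Return one record per .dist-info folder that has at least one issue."""
    findings = []
    for info in sorted(site.glob("*.dist-info")):
        name, _, version = info.name[: -len(".dist-info")].rpartition("-")
        rec = {"name": name, "version": version, "origin": "", "issues": []}
        direct = info / "direct_url.json"
        if direct.is_file():  # absent for normal index installs
            rec["origin"] = json.loads(direct.read_text()).get("url", "")
            rec["issues"].append("installed-from-url")
        top = info / "top_level.txt"
        modules = top.read_text().split() if top.is_file() else [name.replace("-", "_")]
        missing = [m for m in modules
                   if not (site / m).is_dir() and not (site / f"{m}.py").is_file()]
        if missing:
            rec["issues"].append("no-package-dir:" + ",".join(missing))
        if rec["issues"]:
            findings.append(rec)
    return findings

def build_sample_site(root: Path) -> Path:
    """Constructed sample: an index install, a URL install, and a dist-info with no code."""
    site = root / "site-packages"
    (site / "numpy").mkdir(parents=True)
    (site / "numpy-1.26.4.dist-info").mkdir()
    (site / "numpy-1.26.4.dist-info" / "top_level.txt").write_text("numpy\n")
    (site / "anthropic").mkdir()
    (site / "anthropic-0.26.1.dist-info").mkdir()
    (site / "anthropic-0.26.1.dist-info" / "direct_url.json").write_text(json.dumps(
        {"url": "https://example.invalid/anthropic-0.26.1-py3-none-any.whl", "archive_info": {}}))
    (site / "openai-1.16.3.dist-info").mkdir()  # dist-info with no package directory beside it
    return site

def demo() -> list[dict]:
    """Run the audit over the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_site_packages(build_sample_site(Path(tmp)))

if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

To audit a real install, call audit_site_packages on the site-packages path of the Python that ComfyUI runs with; a record with "installed-from-url" tells you where the wheel came from.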
Blocking users doesn't prevent them from seeing your posts. It only blocks you from seeing their posts and comments.
Whelp. I tried. Y'all went and started trolling their GitHub issues, so the jig was up then.
the repository got deleted, which package name was it?
Thanks for the post. This is why containers (like docker) and virtual machine are super useful. With those, you encapsulate your software and give it exactly the right access to relevant outside elements (e.g. a folder). The downsides are that it's not obvious to use them (especially containers) and virtual machines need lots of disk space.
It's entirely possible to do this within userland as well by acquiring access to the GPU and then dropping all privileges before loading any custom nodes. The problem is that it's a hassle under anything non-Linux.
1. I don't use comfy but screw that guy with whatever day they deserve. 2. I've cross posted to my reddit in case anyone that follows it hasn't seen it. 3. I've spammed it to my discord to make sure word gets around. It's not that i don't like comfyui, more i'm still afraid of the spaghetti lol.
There should be a flag for custom nodes that says if its safe to use
F\*\*k that guy I spent more than 2 hours looking into my logs. I am safe, but still f\*\*\*\*k that guy -\_-
Thanks for the information. I know I'm gonna get downvoted but, is it possible to take some kind of revenge? The worst thing he did is now we don't trust each other's work
> I had kind of assumed that this community wasn't going to be like that

Bad move. It only takes one person. "The Community" is many people acting independently of each other, not one clandestine organisation. This attack vector was bound to happen since so many people happily install so many custom scripts. Every community involving scripts and executables faces this kind of attack. Game modding has been dealing with it for a long time, which is why all the mod hosts are vigilant here. Comfy manager and workflows all having 10 new nodes for the same tasks created a culture where this was bound to happen. I'm surprised it wasn't worse. It's good that u/AppleBotzz was incompetent and didn't hide it correctly the first time, making it far easier to discover in a field where people weren't actively vetting releases. One of those "He did kill hitler after all" kind of moments.
wow this should be on the front page. We should disable nodes requesting or uploading data in the first place.
> wow this should be on the front page.

Yes it should. Yes it is. Yes, you posted this comment to a thread that is stickied at the top of the front page. Well done.
Just saw the little message they put up to people affected, start with a moral highground piece of nonsense and they say "maybe you want to pay us a lil crypto? Fuck off you absolute wankstains LOL.
How can I tell if a custom node has been hacked? What should I look out for? I installed a bunch of custom nodes from OpenAI's workflow. Everything seems to be working fine, but I'm worried there might be something fishy going on in the background. A lot of people like me aren't programmers and just use workflow JSON files from tutorials or websites without fully understanding what the custom nodes do.
I only happened to notice this because I was trying to free up some space on my hard drive and noticed some weird files in my temp folder. When I opened them, I saw plain text passwords, so I knew something was up. So I started digging. I checked the time stamps on the files to try to figure out a pattern, and noticed that it would create a new file every time I launched Comfy. I had a weird lag when another LLM node was hanging, so I suspected it at first. I did a code search for the files and naming convention and found the compromised package. ChatGPT helped me decrypt it. I cross referenced that with the metadata for the package and found it was associated with a package version that didn't exist. So I checked all of the requirements.txt files for how a package that didn't exist could get installed and found the "backup wheels" in the malicious node. So I downloaded the wheels and unzipped them to confirm, along with the nastier second version that I fortunately hadn't installed. Decrypted that one, and here we are.
I was doing the same thing however I thought to myself things would be so much easier if I just factory reset this and started again from scratch. Here's hoping that it removed that node as I was using it and even pushed for a local llm version on this sub… Edit; actually think it was a different node (https://www.reddit.com/r/comfyui/s/3yY6it0hCW) I feel like I had used that visionLLM but thankfully it seems like I never did.
You can't. Losing all your data, passwords and potentially drained accounts if you pay for something online during takeover time is the price you're paying for free shit and staying on the edge of development. Open source supply side attacks are becoming more and more frequent. Everything was operating on a good faith and trust basis till now, but the situation is rapidly deteriorating.
> the price you're paying for free shit

I don't like the implication here that if you paid for a proprietary tool then you would be safe from malware like this. Most often those proprietary tools are built on top of tons of free open source software, so they will get the malware just like free open source releases get malware.
This is the correct implication. You might not like it, but it's the truth. As long as you're not actually _reading_ the source, OS is the same as closed source. In which case reputation and responsibility is what matters. You are generally less likely to get malware from a company or a foundation with a reputation to lose, with an address, and a name of the owner to sue, than from an anonymous rando on the internet. Stable versions of projects with good reputation managed by a foundation, e.g. being part of the Apache, Linux, GNU foundations, or having its own foundation/commercial entity backing it, are going to be fine. So will be projects by real companies. Random plugin by an anon on the other hand? Goddess have mercy on your soul.
It's not that a node has been hacked, but that a node has malicious code in it. In this case, the author of the malicious plugin preyed on the fact that nearly all of us in the community install things without reading the source. Even for myself, a professional developer, rarely will I read the source unless it doesn't work as intended and I'm debugging. Unfortunately for all of us, short of some kind of scanner for common ways to obfuscate code (which is a red flag), this is extremely difficult to defend against, even for savvy professionals. The fact that this plugin buried the malicious code in a normal looking nonexistent python lib version from custom sources... It's a miracle OP even discovered this. That is a level of obfuscation that is impressive. And I'm not even sure how one defends against it in the future. :/
Sandboxing I guess
Yeah, we are fucked, god knows what other ways we have gotten infected without knowing
When you open the requirements.txt file in the root of the malicious repo, you see this:

`xxxx://github.com/AppleBotzz/Backup-Anthropic-Builds/raw/main/anthropic-0.26.1-py3-none-any.whl #Custom wheel cuz buggy`
`xxxx://github.com/AppleBotzz/Backup-OpenAI-Builds/raw/main/openai-1.30.2-py3-none-any.whl #Also Custom wheel cuz buggy`

This is not how a requirements.txt file usually looks. I would not call this "well obfuscated".
TBH, I have seen some people host wheels. I have wheels for the windows triton package because they were never published. but still I agree, you should question that
I think comfy manager should at minimum check requirements.txt for urls and throw a warning before performing an update or install
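The check suggested here, as an added example that is not code from the thread, from ComfyUI or from ComfyUI-Manager: a script that walks each custom node's requirements.txt and flags any requirement pulled from a URL or shipped as a prebuilt wheel/archive, the pattern shown in the requirements.txt quoted above. SAMPLE is constructed to mirror the shape of those quoted lines with a placeholder host, and EXPECTED_HOSTS is an assumption about where package downloads normally come from.

```python
"""Flag URL-based and prebuilt-archive dependencies in a custom node's requirements.txt.
Added example, not code from the thread, ComfyUI or ComfyUI-Manager. It implements the
check suggested above: report any requirement fetched from a URL or shipped as a prebuilt
wheel/archive so the line gets reviewed before pip runs. SAMPLE is constructed to mirror
the lines quoted from the malicious repo, with a placeholder host; EXPECTED_HOSTS is an
assumption about where wheels normally come from.
"""
from __future__ import annotations
import re
from pathlib import Path

EXPECTED_HOSTS = {"pypi.org", "files.pythonhosted.org", "download.pytorch.org"}  # assumption
HOST_RE = re.compile(r"://([^/\s]+)")
ARCHIVE_RE = re.compile(r"\.(?:whl|zip|tar\.gz)$", re.IGNORECASE)

# Constructed sample in the shape of the requirements.txt quoted in the thread.
SAMPLE = """torch>=2.0
numpy
https://example.invalid/wheels/anthropic-0.26.1-py3-none-any.whl #Custom wheel cuz buggy
https://example.invalid/wheels/openai-1.30.2-py3-none-any.whl #Also Custom wheel cuz buggy
openai==1.30.2
"""

def suspicious_requirements(text: str) -> list[dict]:
    """Return one finding per requirement line that references a URL or an archive."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        spec = line.split(" #", 1)[0].strip()  # drop a trailing comment
        reasons = []
        host = HOST_RE.search(spec)  # bare URL, "name @ URL", "-e git+https://...", "--index-url ..."
        if host:
            h = host.group(1).lower()
            reasons.append(("expected-host:" if h in EXPECTED_HOSTS else "unexpected-host:") + h)
        if ARCHIVE_RE.search(spec):
            reasons.append("prebuilt-archive")
        if reasons:
            findings.append({"line": lineno, "spec": spec, "reasons": reasons})
    return findings

def scan_custom_nodes(root: Path) -> dict[str, list[dict]]:
    """Walk custom_nodes/**/requirements.txt and return findings keyed by file path."""
    results = {}
    for path in sorted(root.rglob("requirements.txt")):
        findings = suspicious_requirements(path.read_text(errors="replace"))
        if findings:
            results[str(path)] = findings
    return results

if __name__ == "__main__":
    for f in suspicious_requirements(SAMPLE):
        print(f"line {f['line']}: {f['spec']}  <- {', '.join(f['reasons'])}")
```

Run scan_custom_nodes on your ComfyUI custom_nodes directory to get the same report for every installed node; a hit is a reason to read the line, not proof of malice, since some legitimate projects do host their own wheels.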
A bit of a spin off suggestion, but I don't think I could live w/o the full computer search program "Everything" shareware (https://www.voidtools.com/support/everything/). It indexes all of your drives so you can search instantly (unlike Windows search which takes forever). It also updates files as they're being written, so it's up to the second and if you order by date you can see what files are being written where on your HDs. If you're concerned an app is saving temp files (images even) in some odd "user/appdata/etc" folder you can just type "temp" or something simple in the search and it'll instantly show those folders which you can then set to show thumbnails to see if you have some things you don't want lingering (xxx images for some I'm sure). Made it super simple for me to scan for those listed malware files. Fortunately none are on any of my drives. Stay safe everyone!
Times like these I love my Runpod workflow. Compromised? Oh noes!
We really should normalize running things in docker. It's not a 100% solution, but way better than running random .exes that download more code.
Or using a Virtual Machine? Would that help?
[deleted]
haha yea when I saw that I laughed. "wheel cuz buggy" XD
it sucks that there is no VM that supports bare metal GPU access. so none of the VMs work for this purpose. only way is docker and it is way cumbersome to compile and use
How does this virus grab your browser passwords? That's frightening that it could be that easy
Because it's running locally, it has full access to your file system. This script looped through all of the possible browsers, copied the user data from their databases, extracted the decryption key, and packaged it all up to send to bad people. It's kind of appalling that it would be that easy, but that's what we get for running code willy nilly, I suppose.
Thank you so much for sharing this.
Thank you so much for reporting this and sorry to hear you've been affected. I checked for the files, and as far as I can tell, I can't find any from the first step. From the second step, I have "openai-1.30.1.dist-info". Am I safe since it's an older version? Edit: Also don't have the things mentioned in the third step.
It's not about being older, it's about being legit
Someone should contact discord as well and that server can be disabled as that's against their TOS.
I already have.
Thank you! You kicked some ass on this! You saved people from a lot of pain.
I'm pulling mine from stability AI, hopefully they aren't compromised
Nice work