u/AppleBotzz (Infostealer) – Malware

Overview

In the ever-evolving landscape of online communities and open-source projects, contributors often come and go, leaving behind a mix of innovations and potential risks. One such contributor, u/AppleBotzz, initially gained recognition within the ComfyUI project—a popular platform designed for AI-driven image generation workflows. Known for their contributions to enhancing the ComfyUI ecosystem, u/AppleBotzz was regarded as a valuable asset by many within the community. However, recent developments have cast a shadow over their reputation, transforming them from a respected contributor into a figure associated with malicious activity.

u/AppleBotzz’s reputation was built on their development of the ComfyUI_LLMVISION node, a custom addition to the ComfyUI project. This node was intended to facilitate advanced image generation tasks, showcasing the user’s skill and commitment to improving the platform. Unfortunately, the seemingly innocuous code provided by u/AppleBotzz harbored hidden dangers. The node contained a malicious Python package designed to exfiltrate sensitive browser data and send it to external platforms like Discord or Pastebin. This revelation has alarmed the ComfyUI community and highlighted the risks associated with integrating code from unknown sources.

The transition of u/AppleBotzz from a contributor to a malicious actor serves as a stark reminder of the potential vulnerabilities within open-source ecosystems. While the intention behind contributions may initially appear genuine, the presence of malicious code can compromise the integrity and security of the entire platform. This incident underscores the importance of scrutinizing contributions and verifying the source of code before integrating it into critical systems. As the ComfyUI community grapples with the fallout, the case of u/AppleBotzz exemplifies the ongoing challenges in maintaining trust and security within collaborative online environments.

Targets

Individuals

How they operate

The ComfyUI_LLMVISION node, developed by u/AppleBotzz, was designed to add new features to the ComfyUI platform, a tool used for AI image generation workflows. While the node appeared legitimate on the surface, it concealed a malicious Python package that executed a sophisticated attack. Upon installation, the node initiated a series of operations aimed at compromising user privacy and system security.

The primary function of the malicious Python package was to harvest sensitive information from the user’s browser. It achieved this by leveraging well-known techniques for data exfiltration. The package utilized methods to access browser data, including cookies and stored passwords, which were then sent to remote locations such as Discord channels or Pastebin, known for hosting illicit data. This exfiltration was done stealthily, often avoiding detection by traditional security measures.

In addition to data harvesting, the malicious code installed additional malware on the infected system. This secondary malware ensured continued access to the compromised systems, allowing the attackers to maintain control and potentially deploy further exploits. The installation of this additional malware was typically done through obfuscated code and stealthy persistence mechanisms, making it challenging for users to detect and remove the threat.

The attacker’s approach highlights several critical vulnerabilities in the software development lifecycle, particularly in open-source environments. The incident underscores the necessity for rigorous code reviews and security audits, especially when integrating third-party contributions. Developers and users alike must exercise caution and verify the legitimacy of code before deployment, as the repercussions of a successful attack can be extensive and damaging.

References

• Unicode Strikes Again, Trust No One (Redditor), And More