Addressing the Keylogger Hacking Attack in ComfyUI

CGI image of a character looking a holographic screen in a western comic art style by venezArt©08.24

Securing Your AI Workspace: Addressing the Keylogger Hacking Attack in ComfyUI_LLMVISION node from u/AppleBotzz.

In the rapidly evolving world of artificial intelligence and machine learning, security is a critical concern. Especially when a lot of these applications and add-ons are part of a GitHub repository or Hugging Face open-source implementations of AI models. Just a quick reminder – as AI technology continues to advance, it’s important to be aware of potential vulnerabilities that could be exploited by malicious actors. While open-source AI tools are fantastic for fostering innovation and collaboration, they do come with their own security concerns. Let’s all stay proactive and mindful about staying secure!. Recently, a significant vulnerability has been discovered in the popular Stable Diffusion user interface, ComfyUI, which has exposed users to keylogger hacking attacks. This article for venezArt Magazine delves into the nature of this security threat, and its potential impact, and provides comprehensive steps to mitigate and fix the vulnerability.

Understanding the Keylogger Hacking Attack

A keylogger is a type of malicious software designed to record keystrokes made by a user, capturing sensitive information such as passwords, personal data, and confidential communication. In the context of ComfyUI_LLMVISION, a keylogger attack can compromise not only individual privacy but also the integrity of AI projects and datasets, potentially leading to severe consequences for businesses and researchers.

How the Keylogger Exploit Works

The keylogger exploit in ComfyUI_LLMVISION node, which appeared as a helpful extension, actually contained code meant to steal sensitive user information such as browser passwords, credit card details, and browsing history. This stolen data was then sent to a Discord server controlled by the attacker. What makes this even more concerning is that the malicious code was hidden within custom install files for OpenAI and Anthropic libraries, pretending to be legitimate updates, making it hard to detect even for experienced users.
To make matters worse, the Reddit user who uncovered the malicious activity, u/roblaughter, admitted that he was also affected by the attack.

  1. Initial Infiltration:
  • The attacker gains access to the system through a custom node which has custom wheels for the OpenAI and Anthropic libraries in requirements.txt. Inside those wheels are malicious code.
  1. Installation of Keylogger:
  • The file is installing a wheel labeled 1.16.2, in reality it is installing a wheel labeled  1.16.3, which doesn’t exist. There is no 1.16.3 — the release history goes from 1.16.2 to 1.17. https://pypi.org/project/openai/#history
  • Inside that package, you’ll find /lib/browser/admin.py. This file reads your browser data and stores it in your temp directory in a subdirectory with the format pre_XXXXX_suf. Inside, you’ll find C.txt and F.txt, corresponding to Chrome or Firefox data.
  1. Data Transmission:
  • The keylogger captures and transmits the recorded keystrokes to the attacker, enabling them to collect sensitive information over time.
  • The file contains an encrypted string. When you decrypt, it points to a Discord webhook: https://discord.com/api/webhooks/1226397926067273850/8DRvc59pUs0E0SuVGJXJUJSwD_iEjQUhq-G1iFoe6DjDv6Y3WiQJMQONetAokJD2nwym
  • This file is sending your data to that webhook.
  1. Exploitation:
  • The attacker uses the stolen data to access secure systems, steal intellectual property, or conduct further attacks.

Impact on ComfyUI Users

The keylogger attack can have far-reaching implications for users of ComfyUI:

  • Data Breaches: Sensitive datasets and proprietary information can be compromised.
  • Financial Losses: Unauthorized access to financial information can lead to significant monetary losses.
  • Reputation Damage: Companies and individuals may suffer reputational harm if confidential data is leaked.
  • Operational Disruption: Projects may be delayed or derailed due to security breaches.

Here’s how to tell if you’ve been affected:

Check C:\Users\YourUser\AppData\Local\Temp. Look for directories with the format pre_XXXX_suf. Inside, check for a C.txt and F.txt. If so, your data has been compromised.

Check python_embedded\site-packages for the following packages. If you have any installed, your data has been compromised. Note that the latter two look like legitimate distributions. Check for the files I referenced above.

openai-1.16.3.dist-info

anthropic-0.21.4.dist-info

openai-1.30.2.dist-info

anthropic-0.26.1.dist-info

Check your Windows registry under HKEY_CURRENT_USER\Software\OpenAICLI. You’re looking for FunctionRun with a value of 1. If it’s set, you’ve been compromised.

Fixing the Vulnerability: Comprehensive Steps

Addressing and mitigating the keylogger threat involves a combination of immediate actions and long-term security practices. Here’s a detailed guide on how to secure your ComfyUI environment:

1. Immediate Response:

a. Identify and Isolate:

  • Conduct a thorough security audit to identify the presence of the keylogger (follow steps above).
  • Isolate affected systems to prevent further data transmission.
  • Remove the packages listed above.
  • Search your filesystem for any references to the following files and remove them: lib/browser/admin.py, Cadmino. py, Fadmino. py, VISION-D.exe
  • Check your Windows registry for the key listed above and remove it.
  • Run a malware scanner. Make sure your Windows Defender (or preferred Antivirus software) is up to date and run a Full Scan. According to Microsoft, Windows Defender will protect your computer from keyloggers in real time. For apple users, MacOS just like windows has already Malware and Keylogger protection, read more here.
  • Change all of your passwords, everywhere.

2. Strengthen System Security:

a. Update Software:

  • Ensure that reliable antivirus and anti-malware tools like Windows Defender and all related software are updated to the latest versions. Developers often release patches and updates that fix known vulnerabilities.
  • Regularly apply security patches to all software and operating systems to close any potential security gaps.
  • Make sure your antivirus and anti-malware tools like Windows Defender are running regular scheduled scans.
  • Maintain a constant habit to check your antivirus and anti-malware tools like Windows Defender for alerts or issues notifications

b. Use Strong Authentication:

  • Implement strong, multi-factor authentication for accessing online accounts and related systems. This reduces the risk of unauthorized access even if keystrokes are captured.

3. Enhance Network Security:

a. Firewall Protection:

  • Deploy robust firewall systems to monitor and control incoming and outgoing network traffic based on predetermined security rules.

b. Intrusion Detection Systems (IDS):

  • Utilize IDS to detect and respond to suspicious activities in real-time.

4. Educate and Research:

a. Secure Downloads and Reliable Sources:

  • Conduct regular research and review sources from where to download ComfyUI add-ons and nodes. Make sure they are reputable and not suspicious providers.

5. Implement Advanced Security Measures:

a. Encryption:

  • Encrypt sensitive data to ensure that even if it is intercepted, it cannot be easily accessed by attackers.

b. Secure Coding Practices:

  • Encourage developers to follow secure coding practices when developing and updating ComfyUI to prevent introducing new vulnerabilities.

Conclusion

The discovery of a keylogger vulnerability in ComfyUI serves as a stark reminder of the importance of robust cybersecurity measures in AI and machine learning environments. By understanding the nature of the threat and implementing comprehensive security strategies, users can protect their data, maintain the integrity of their projects, and safeguard their digital workspace.

At venezArt Magazine, we emphasize the critical role of security in the technological landscape. As AI continues to shape the future, staying vigilant and proactive in addressing security threats is essential for sustaining innovation and trust in digital systems.


We'd love to hear your thoughts! Drop a comment below and join the conversation!