A supply chain attack was identified where the Ultralytics YOLO AI library versions 8.3.41, 8.3.42, 8.3.45, 8.3.46 were compromised via a script injection vulnerability in GitHub Actions. The vulnerability allowed attackers to introduce malicious code during the automated build process, leading to the distribution of trojanized versions of the library through PyPI. Specifically, the affected versions included unauthorized code modifications that deployed a cryptocurrency miner (XMRig) on systems where these versions were installed. The attack exploited a known GitHub Actions Script Injection flaw, which was initially reported and patched but later reintroduced through a regression.