SimpleSDXL undisclosed data collection and possible remote access via 'simpleai_base' dependency

High
ionite34 published GHSA-qq8j-phpf-c63j Jan 14, 2025

Package: SimpleSDXL (StabilityMatrix)
Affected versions: *
Patched versions: None

Package: StabilityMatrix
Affected versions: 2.12.3 - 2.13.1
Patched versions: >=2.13.2

Description

Summary

The Fooocus fork SimpleSDXL depends extensively on the package simpleai_base, owned by the same maintainer. simpleai_base contains compiled Rust code that includes an undisclosed remote access function using the Rust crate rathole, extensive system information gathering via concealed system executable calls, and an undisclosed phone-home function that uploads this information to tokentm.net, a blockchain-associated domain. simpleai_base was recently removed from PyPI after being reported for the same reasons given here; however, the current dev SimpleSDXL code instead installs a pre-compiled wheel downloaded from GitHub.

Details

  • The upload function concealed within the main branch version of simpleai_base (now removed from PyPI) is found at src/env_utils.rs#L238.
  • There is extensive discussion of these issues between me and occasional Fooocus/SimpleSDXL contributor @DavidDragonsage here and here.
  • Mr Sage also posted to the PureFooocus Facebook group as follows:

On an emotional level, I do feel betrayed by the presence of security problems in SimpleSDXL [i.e. with simpleai_base] and I feel personally responsible for promoting its use.

  • While the rathole function within simpleai_base is apparently inactive (see the PyPI-removed code and the dev code), there is no way to verify that this remote access function was not enabled in the compiled code. The tokentm.net domain hosts the configuration file for an earlier VPN implementation that points to a domain (n2n.token.tm:12101) currently blocked on behalf of the Chinese authorities because the domain owner failed to prove their identity as required under Chinese law.
  • The SimpleSDXL maintainer has declined to answer questions about concealed communication with third-party servers and the unnecessary use of binary code (see simpleai_base issue 1 and SimpleSDXL issue 97).
  • If you visit the tokentm.net dedicated server's web interface (don't worry, it's just a bunch of files, plus whatever logging is running in the background to capture uploaded sysinfo files from unsuspecting SimpleSDXL users), you will see under pkg/n2n/ a sample config file intended to assist with the configuration of a VPN to a server blocked by Tencent because the tokentm.net owner failed to file the relevant identification paperwork pursuant to Chinese law.
  • Notably, most of the functions relied upon to implement the 'identity' setup in the dev branch were already present in the compiled simpleai_base Rust code associated with the 0916 and 0820 versions of SimpleSDXL.

PoC

  1. Install SimpleSDXL from the dev branch (the main branch will not reliably reproduce this issue because PyPI Security took down the simpleai_base package).
  2. In the simpleai_base folder under your venv's site-packages, you will observe a compiled .pyd file containing the concealed Rust functions.
  3. It is not possible to verify that the compiled functions match those in the simpleai_base/src folder; however, the 'dev' version more aggressively utilizes the compiled certificate functions per the announcement made by the package maintainer here.
  4. You may wish to install Wireshark or another packet sniffer to observe the exact patterns of communication; however, this appears unnecessary given the concerns that can be clearly ascertained by reviewing the Rust source code in the simpleai_base repository.
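
A defender-side check for steps 1 and 2 above, as an added example (not part of the advisory or of either project): it looks for simpleai_base in a site-packages directory and searches any compiled extension for the three strings the advisory names. The .so suffix, the dist-info pattern and the sample tree are assumptions of this example, and the sample binary is constructed.

```python
import sys
import tempfile
from pathlib import Path

# Indicator strings taken from the advisory text above.
INDICATORS = [b"tokentm.net", b"n2n.token.tm", b"rathole"]
# Compiled extension suffixes: .pyd per the advisory; .so assumed for non-Windows.
BINARY_SUFFIXES = {".pyd", ".so"}


def scan_site_packages(site_packages):
    """Return findings for simpleai_base under one site-packages directory."""
    root = Path(site_packages)
    findings = {"installed": False, "dist_info": [], "binaries": {}}
    pkg_dir = root / "simpleai_base"
    if pkg_dir.is_dir():
        findings["installed"] = True
        for path in sorted(pkg_dir.rglob("*")):
            if path.is_file() and path.suffix.lower() in BINARY_SUFFIXES:
                data = path.read_bytes()
                hits = [i.decode() for i in INDICATORS if i in data]
                findings["binaries"][path.relative_to(root).as_posix()] = hits
    # Wheel metadata directory (assumed naming) shows the package was installed.
    for meta in sorted(root.glob("simpleai_base-*.dist-info")):
        findings["installed"] = True
        findings["dist_info"].append(meta.name)
    return findings


def build_constructed_sample(base):
    """Create a fake site-packages tree (constructed data, not the real binary)."""
    sp = Path(base) / "site-packages"
    (sp / "simpleai_base").mkdir(parents=True)
    (sp / "simpleai_base-0.0.0.dist-info").mkdir()  # placeholder version
    blob = b"\x00\x01" + b"tokentm.net" + b"\x00" + b"rathole" + b"\x00"
    (sp / "simpleai_base" / "simpleai_base.cp310-win_amd64.pyd").write_bytes(blob)
    (sp / "simpleai_base" / "__init__.py").write_text("")
    return sp


if __name__ == "__main__":
    # Scan directories given on the command line, else a constructed demo tree.
    targets = sys.argv[1:]
    with tempfile.TemporaryDirectory() as tmp:
        if not targets:
            targets = [build_constructed_sample(tmp)]
        for target in targets:
            print(target, scan_site_packages(target))
```

An empty hit list does not clear a binary, since strings can be stored encoded; the presence of the package is itself the finding.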

Impact

All users who have installed SimpleSDXL since at least September 2024 have had extensive system information silently uploaded to a remote server associated with blockchain technologies, probably repeatedly, and may have been more severely impacted than is presently knowable due to the presence of an undisclosed VPN function in the compiled Rust code.

Severity

High

CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

CVE ID

No known CVE
