Ddos 
A new class of cyberattack has been caught in the wild, one where the code isn’t written by a human hand, but generated entirely by artificial intelligence. Darktrace has released a report detailing an intrusion into its “CloudyPots” honeypot network, revealing a fully AI-generated malware sample designed to exploit the critical React2Shell vulnerability (CVE-2025-55182).
The attack began by targeting an internet-facing Docker daemon that was intentionally left exposed without authentication. The attacker spawned a container named “python-metrics-collector”βa legitimate-sounding name designed to blend in with normal cloud activity.
Inside the container, the startup command installed standard tools like curl, wget, and python3. It then downloaded and executed a Python script that Darktrace analysis confirmed was “fully AI-generated”.
The report points to a shift in the threat landscape where technical skill is no longer a barrier to entry.
“As AI-assisted software development (‘vibecoding’) becomes more widespread, attackers are increasingly leveraging large language models to rapidly produce functional tooling,” the report explains.
This allows even low-skill operators to punch above their weight class. “This incident illustrates a broader shift: AI is now enabling even low-skill operators to generate effective exploitation frameworks at speed”.
Despite the advanced generation method, the attacker’s operational security was surprisingly poorβa hallmark of an inexperienced “vibecoder.” The malware was designed to mine Monero (XMR) using the XMRig miner (version 6.21.0).
However, the attacker configured the miner to use a public mining pool, supportxmr.com, without realizing the transparency this created.
“Many attackers do not realise that while Monero uses an opaque blockchain… mining pools such as supportxmr will publish statistics for each wallet address that are publicly available,” Darktrace notes.
This oversight allowed researchers to track the attacker’s earnings directly, turning a stealthy crypto-mining operation into an open book.
The successful deployment of AI-written malware against a critical vulnerability like React2Shell signals that the speed of attacks is accelerating. Defenders must now contend with a flood of unique, AI-generated variations of malware that can be produced as quickly as a prompt can be typed.
Related Posts:
- “React2Shell” Crisis: Critical Vulnerability Triggers Global Cyberattacks by State-Sponsored Groups
- React Under Siege: Two IPs Drive 56% of Critical CVE-2025-55182 Attacks
- “React2Shell” Storm: China-Nexus Groups Weaponize Critical React Flaw Hours After Disclosure
- Catastrophic React Flaw (CVE-2025-55182, CVSS 10.0) Allows Unauthenticated RCE on Next.js and Server Components
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
