AI-Generated Malware Exploits React2Shell In Docker Honeypots

Industry experts say Large Language Models (LLMs) are compressing attacker timelines and reshaping how defenders must assess risk

Published on Feb 10, 2026

Security researchers recently identified a fully Artificial Intelligence (AI)–generated malware sample exploiting the React2Shell vulnerability.

The activity was observed through a global honeypot network designed to capture live attacks against exposed cloud and container infrastructure.

The intrusion targeted an intentionally internet-facing Docker daemon with no authentication, a configuration that still appears frequently in mismanaged environments.

The attacker, documented by Darktrace in a new advisory published today, used the Docker application programming interface to deploy a malicious container, install basic tooling, and retrieve a Python-based payload hosted on public paste and code-sharing services.

The malware ultimately deployed a Monero cryptominer after validating Remote Code Execution (RCE).
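The intrusion chain above begins with a Docker daemon that answers the remote API without authentication. As an added example, not code from the advisory or from this article, the constructed `daemon.json` below reproduces that exposure beside a hardened one, with a small audit function that flags TCP listeners lacking mutual TLS; the certificate paths are assumptions.

```python
import json

# Constructed example daemon.json documents (not taken from the advisory).
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

UNIX_ONLY_DAEMON_JSON = """{ "hosts": ["unix:///var/run/docker.sock"] }"""


def audit_daemon_config(raw: str) -> list:
    """Return findings for a Docker daemon.json document.

    Any tcp:// listener that is not protected by mutual TLS (tlsverify
    plus CA, cert and key) lets whoever can reach the port drive the
    Docker API: create containers, mount host paths, run commands.
    """
    cfg = json.loads(raw)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only the unix socket: no remote API surface
    tls_ok = cfg.get("tlsverify") is True and all(
        cfg.get(key) for key in ("tlscacert", "tlscert", "tlskey"))
    for host in tcp_hosts:
        if not tls_ok:
            findings.append(f"{host}: TCP API listener without mutual TLS (unauthenticated)")
        if "0.0.0.0" in host or "[::]" in host:
            findings.append(f"{host}: bound to all interfaces; restrict to a management network")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(doc) or ["no findings"])
```

Even the hardened document still gets one finding, because the port is bound on every interface; mutual TLS stops anonymous use but does not replace network restriction.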

“There’s nothing novel about the attack, vulnerability, or exploit. What’s interesting is the dramatic reduction in the effort required to assemble an end-to-end intrusion chain,” Christopher Jess, Senior R&D Manager at Black Duck told Expert Insights.

He added that coding agents and large language models are “compressing the attacker ‘time to tooling,’ enabling lower-skill operators to produce functional and adaptable exploit frameworks.”

Lower Skill, Higher Velocity

Analysis of the payload suggested it was generated with the assistance of a Large Language Model (LLM).

Extensive inline comments, structured documentation, and disclaimers such as “Educational/Research Purpose Only” stood out as atypical for commodity malware. The code quality appeared clean and readable, despite being used for malicious purposes.

While the cryptomining campaign generated only modest revenue, experts emphasized that financial impact is not the key signal.

Ram Varadarajan, CEO at Acalvio, warned, “The cold reality we are facing today is that AI will turn every cyber-hacker into a supervillain.” He told Expert Insights that organizations will need to assume “breach as baseline” and rely more heavily on deception and AI-driven detection.

Others pointed to broader implications. Saumitra Das, Vice President of Engineering at Qualys, told Expert Insights that attackers are likely to adopt the same prompting-driven workflows already common among developers, leading to more automated attacks and faster discovery of exploitable weaknesses.

For defenders, traditional assumptions are eroding. As Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, observed, vibecoding favors speed and risk acceptance, enabling smaller and less mature groups to build operational tooling quickly.

“I expect to see an increase in smaller-scale threat actor communities, and an uptick in commercial crimeware adoption by these groups,” Ford told Expert Insights. “It will definitely add to the workload for the super scalers and browser providers.”