Listen to this Post

Introduction
A new wave of cyberattacks is turning popular open-source AI tools into weapons for profit. Malicious actors are exploiting vulnerabilities in AI development frameworks to hijack compute resources, creating a sprawling, stealthy cryptojacking operation that spans the globe. The implications for startups, research labs, and cloud-hosted AI environments are significant, highlighting the rising intersection between AI innovation and cybersecurity risks.
Global Cryptojacking Through Ray’s Vulnerability
Cybersecurity researchers at Oligo have revealed that hackers are exploiting an API flaw in Ray, an open-source framework designed to automate, scale, and optimize compute resources. Ray, often referred to as “Kubernetes for AI,” has become a crucial platform for machine learning workloads. The flaw allows unauthenticated remote code execution, enabling attackers to turn legitimate orchestration functions into self-propagating cryptojacking bots.
According to Oligo, attackers have manipulated Ray’s orchestration tools to spread malware across exposed clusters autonomously. This campaign has seen multiple criminal groups competing with legitimate users for access to compute resources while taking measures to evade detection. Techniques include limiting CPU usage, disguising malicious processes as legitimate services, and hiding GPU activity from Ray’s monitoring tools.
The attack surface is massive. Researchers estimate over 200,000 exposed Ray servers exist online, with a significant number belonging to active startups, research labs, and cloud-hosted AI environments. Some servers act as honeypots, but the overall scale of potential exploitation is alarming.
The latest campaign marks a significant evolution from prior attacks first discovered in 2023. Evidence suggests that a new set of actors has been active since September 2024, migrating between development platforms such as GitLab and GitHub to sustain the operation. Attackers initially gain access through the Job Submission API flaw, which allows them to send fraudulent tasks to Ray’s dashboard—intended for internal networks but often exposed publicly.
Instead of exploiting conventional vulnerabilities or launching network attacks, attackers leverage Ray’s own scheduling API, effectively weaponizing the victim’s infrastructure. Python code, indistinguishable from legitimate workloads, is deployed to hijack system resources. Once inside, attackers search specifically for NVIDIA A100 GPUs, exploiting their high compute value for cryptomining while minimizing detection.
The operation has unfolded in two phases. Initially, malware development and deployment occurred via GitLab, but following takedowns on November 5, attackers shifted to GitHub, creating new repositories to continue their campaign. As of mid-November, these attacks remained active, demonstrating the persistence and adaptability of the actors.
Interestingly, code artifacts suggest that attackers may have used large language models to obfuscate and automate parts of their operations. Despite public awareness, the underlying API flaw (CVE-2023-48022) remains unpatched. While the vendor argues Ray should only operate within controlled networks, real-world deployment practices often ignore this advice, leaving systems vulnerable.
What Undercode Say:
The evolution of cryptojacking through AI orchestration platforms signals a new era in cybercrime. By leveraging legitimate development tools, attackers bypass conventional security defenses and exploit the trust inherent in open-source frameworks. This trend illustrates how AI infrastructure, widely regarded as secure and innovative, can become a target for resource theft and malware propagation.
The use of Ray’s scheduling API rather than traditional CVE exploits is particularly noteworthy. It reflects a shift in attacker strategies toward exploiting operational logic rather than raw technical flaws, a method that allows for subtle, prolonged access to high-value computing resources. NVIDIA A100 GPUs, critical for AI training and high-performance computing, are an ideal target for attackers because of their cost and availability in cloud environments.
Persistence across multiple platforms like GitLab and GitHub underscores the attackers’ adaptability and the challenges of policing open-source ecosystems. Current defenses—takedowns and account removals—are reactive rather than preventative. In many cases, developers inadvertently create vulnerabilities by deploying Ray without internal network isolation, which perpetuates the attack window.
The competition among multiple criminal groups for compute resources also reflects the monetization potential of AI frameworks. Cryptojacking operations are evolving from opportunistic attacks into sophisticated, enterprise-level campaigns. By controlling orchestration layers, attackers can dynamically allocate and maximize resource use while remaining hidden from conventional monitoring tools.
Another critical insight is the likely use of AI-assisted coding for obfuscation. This suggests that attackers are integrating generative AI into their workflow, enabling them to produce complex, evasive malware more efficiently. This trend could represent the beginning of a feedback loop where AI both powers innovation and aids malicious operations in cybercrime.
The implications for AI governance are significant. Enterprises and cloud providers must reassess deployment practices, enforce stricter network isolation, and enhance monitoring of orchestration frameworks. Moreover, vendors like Ray must address vulnerabilities proactively to prevent abuse, rather than relying solely on user discipline.
campaign demonstrates the intersection of open-source AI, cloud computing, and cybercrime, highlighting that the very tools designed to accelerate innovation can be subverted into instruments of illicit profit.
🔍 Fact Checker Results:
✅ Attack exploits Ray API vulnerability (CVE-2023-48022).
✅ Over 200,000 exposed Ray servers exist, many in active AI environments.
❌ The API flaw has not been fully patched or mitigated despite prior disclosures.
📊 Prediction:
The trend of weaponizing AI orchestration platforms will likely accelerate. Hackers may increasingly integrate AI-assisted coding to scale cryptojacking and ransomware operations. Startups and research labs should anticipate growing scrutiny of cloud resource usage, while vendors face pressure to implement automated vulnerability detection and mitigation systems. The era of AI-powered cybercrime is expanding, and conventional security measures may struggle to keep pace.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberscoop.com
Extra Source Hub (Possible Sources for article):
https://www.instagram.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




