Listen to this Post
Introduction
The Silent Siege on AI Compute Power
A new digital battlefield is emerging, and this time the war is unfolding inside the very systems designed to build the future of artificial intelligence. Across research labs, startups, and massive cloud clusters, attackers are quietly taking over AI infrastructure and converting it into a global, self-sustaining cryptomining engine. This is the world of ShadowRay 2.0, an escalating campaign powered by a disputed vulnerability inside the Ray framework. What began as an overlooked flaw has now become a gateway into thousands of AI clusters, reshaping the threat landscape at a scale few anticipated.
ShadowRay 2.0 Turns AI Clusters into Crypto Botnets
(Summary — approx. 30 lines)
The ShadowRay 2.0 campaign centers around a remote code execution vulnerability in the Ray framework, widely used for orchestrating AI workloads like training and distributed data processing. Although this flaw, tracked as CVE-2023-48022, has been formally contested by Ray’s maintainers, attackers have nevertheless exploited it with startling efficiency. Oligo Security reports that threat actors under the alias IronErn440 are leveraging exposed Ray dashboards and Jobs APIs to seize full control of clusters, using Ray’s own orchestration features to propagate malware.
Once inside a targeted environment, the attackers convert compromised AI systems into multipurpose engines that mine cryptocurrency, exfiltrate sensitive data, and spread to additional Ray deployments. What makes the attack especially dangerous is the rapid increase in exposed Ray servers. In less than a year, the number of Internet-accessible Ray environments ballooned from a few thousand to roughly 230,000, dramatically expanding the threat surface. Oligo’s scans indicate that many of these instances are vulnerable and potentially already compromised.
The campaign has evolved across two major attack waves. In the first phase, the attackers used GitLab as their command-and-control hub, deploying AI-generated malware payloads, updating code through CI/CD pipelines, and running stealth-limited cryptomining operations. These payloads harvested MySQL credentials, cloud tokens, proprietary models, and source code while ensuring resource usage stayed low enough to evade detection. Targets included AI-driven startups, cloud deployments, and research institutions.
After GitLab disabled the malicious accounts, the attackers quickly migrated operations to GitHub. This second phase brought more sophisticated payloads optimized for GPU-based mining using XMRig and Rigel. They began seizing larger clusters, sometimes with thousands of nodes valued at millions of dollars in compute capacity, pushing CPUs to full utilization for mining.
The root of the issue lies in the disputed nature of the vulnerability itself. Anyscale, Ray’s maintainer, argues that the design poses no risk when the framework is used in properly secured, internal deployments. Without an official patch, organizations have been left to self-secure their environments, creating uneven protections and leaving thousands exposed.
ShadowRay 2.0 highlights how configuration oversights in AI tooling can enable attackers to hijack compute resources, run unauthorized workloads, steal sensitive data, and use compromised nodes as launchpads for further intrusion. Oligo recommends organizations harden Ray installations by enforcing best practices, eliminating accidental exposure, and applying authorization layers to Ray Dashboard ports. Without such steps, unresolved and disputed vulnerabilities will continue to form openings for increasingly aggressive campaigns.
What Undercode Say:
(Analytic Expansion — approx. 40 lines)
ShadowRay 2.0 embodies the next phase of cyberattacks where adversaries pivot from traditional servers to high-value AI infrastructures. These environments, powered by expensive GPUs and distributed orchestration frameworks, offer an irresistible target. The economics alone explain the motivation. A single large AI cluster may represent millions of dollars in compute power, and when hijacked, it becomes a ready-made cryptomining factory that costs the attacker nothing to maintain.
What stands out in this campaign is how attackers repurpose the same tools used by legitimate developers. They leverage APIs meant for distributed jobs, exploit automation intended for rapid deployment, and use CI/CD pipelines to dynamically update malicious payloads. This blurs the line between operational functionality and exploitability. Ray’s design prioritizes performance and ease of scaling, but that optimization becomes a liability when its interfaces are exposed to the Internet.
The migration from GitLab to GitHub demonstrates an adaptive adversary. Unlike older botnets that relied on static infrastructure, ShadowRay 2.0 behaves more like a living organism. It evolves, moves, and adjusts its methods based on defender response. Once one command-and-control channel is removed, a new one emerges within days. This agility is amplified by the use of AI-generated malware, which can modify codebases quickly and mimic benign processes with alarming precision.
The campaign’s data theft component is equally concerning. Stolen API keys, cloud tokens, AI model files, and proprietary datasets represent intellectual property losses that can cripple startups or compromise confidential research. Cryptomining is only the visible output. The deeper objective seems to be long-term persistence and data harvesting.
ShadowRay 2.0 also reveals a systemic issue. AI frameworks like Ray, designed for internal use in controlled labs, are routinely deployed exposed to the public Internet. The assumption that administrators will secure these systems clashes with real-world deployment culture, where speed often outweighs security. As AI adoption accelerates, these frameworks become high-value backdoors rather than niche technologies.
The lack of an official patch deepens the problem. When a vulnerability is disputed, organizations face ambiguity. Some assume minimal risk, others rely on default configurations, and many simply don’t realize their deployments are exposed. This gray zone becomes fertile ground for attackers.
ShadowRay 2.0 is a warning that AI infrastructure must now be treated with the same rigor as critical cloud platforms. Without mandatory authentication, hardened defaults, and explicit configuration guidance, the ecosystem will remain vulnerable. Attackers have already proven they can hijack AI systems to attack other AI systems. The next escalation could involve poisoning models, corrupting training data, or embedding persistent backdoors into pipelines.
In essence, ShadowRay 2.0 signals the emergence of AI-native cyber threats. Not attacks that simply involve AI, but attacks that exploit the very fabric of AI compute environments.
🔍 Fact Checker Results
CVE-2023-48022 is confirmed as a real vulnerability, though disputed by Ray’s maintainers.
Oligo Security has verified active exploitation and large-scale cluster compromise.
Attack migration from GitLab to GitHub has been documented in incident timelines.
📊 Prediction
ShadowRay-style campaigns will expand as attackers recognize the profitability of AI infrastructure.
Future botnets may target training pipelines, corrupt model datasets, and weaponize AI outputs.
Organizations failing to secure orchestration frameworks will likely face widespread compromise within the next 12 months.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.darkreading.com
Extra Source Hub (Possible Sources for article):
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon
