AI/LLM-Generated Malware Used to Exploit React2Shell

Feb. 11, 2026, 10:05 a.m.

Description

Darktrace identified an AI-generated malware sample exploiting the React2Shell vulnerability in its honeypot environment. The incident demonstrates how LLM-assisted development enables low-skill attackers to rapidly create effective exploitation tools. The attack chain involved spawning a container named 'python-metrics-collector' on an exposed Docker daemon, downloading and executing a Python script, and deploying an XMRig crypto miner. The malware sample featured thorough code documentation and lacked typical obfuscation, indicating AI generation. This highlights the growing trend of AI-enabled cyber threats that are now operational and accessible to anyone, posing new challenges for defenders.

Date

  • Created: Feb. 10, 2026, 5:46 p.m.
  • Published: Feb. 10, 2026, 5:46 p.m.
  • Modified: Feb. 11, 2026, 10:05 a.m.

Indicators

  • 594ba70692730a7086ca0ce21ef37ebfc0fd1b0920e72ae23eff00935c48f15b
  • d57dda6d9f9ab459ef5cc5105551f5c2061979f082e0c662f68e8c4c343d667d
  • 49.36.33.11

Attack Patterns

Additional Information

  • smplu.link

Linked vulnerabilities