"Agentic" AI could arrive in 2025, and it may allow hackers to send individual, AI-powered agents to do their dirty work.

A paradigm shift in technology is hurtling towards us, and it could change everything we know about cybersecurity.

Uhh, again, that is.

When ChatGPT was unveiled to the public in late 2022, security experts looked on with cautious optimism, excited about the new technology but concerned about its use in cyberattacks. But two years on, much of what ChatGPT and other generative AI chat tools offer attackers is a way to improve what already works, not new ways to deliver attacks themselves.

And yet, if artificial intelligence achieves what is called an “agentic” model in 2025, novel and boundless attacks could be within reach, as AI tools take on the roles of “agents” that independently discover vulnerabilities, steal logins, and pry into accounts.

These agents could even hold people for ransom by matching stolen data online with publicly known email addresses or social media accounts, composing messages and holding entire conversations with victims who believe a human hacker out there has access to their Social Security Number, physical address, credit card info, and more. And if the model works for individuals, there’s little reason it wouldn’t work for individual business owners.

This warning comes from our 2025 State of Malware report, which compiled a year’s worth of intelligence to identify the most pressing cyberattacks on the horizon. Though the report’s guidance serves IT teams, its threats will impact individuals and small businesses everywhere. Remember that just last year a widespread IT outage grounded flights globally, cementing the relationship between companies, cybersecurity, and everyday people.

In 2025, agentic AI may further reveal just how closely tied everyone is in the battle for cybersecurity. Here’s what we might expect.

You can find the full 2025 State of Malware report here.

****The generative AI non-revolution****

The November 2022 launch of ChatGPT ushered forth a new relationship with our computers. No longer would we need to use our laptops, smartphones, and tablets to record or assist our creative work. Now, we could make those same machines complete the creative work for us.

AI image tools like Midjourney and DALL-E can create images when given simple text prompts. They can even mimic the styles of famous artists, like Van Gogh, Rembrandt, and Picasso. AI chat tools like ChatGPT, Google Gemini, and Claude—from OpenAI competitor Anthropic—can brainstorm ideas for marketing materials, write book reports, compose poems, and even review human-written text for legibility. These tools can also answer an endless array of factual questions, much like the separate AI tool Perplexity, which advertises itself not as a “search engine,” but as the world’s first “answer engine.”

This is the potential of “generative AI,” a term used to describe AI tools that can generate text, images, movies, summaries, and more, limited only by our imagination.

But where has that imagination brought us?

For unimaginative users, generative AI has made it easier to cheat in college classes and to abuse social media engagement algorithms to gain brief virality—hardly inspiring. And for malicious users, hackers, and scammers, generative AI has delivered oil-slick efficiency to proven attack methods.

Generative AI tools can more convincingly write phishing emails so that the tell-tale signs of a scam—like misspellings and clumsy grammar—are all but gone. The same is true for all text-based social engineering tricks, as AI chat tools can write alluring direct messages for romance scams and craft urgent-sounding texts that can fool people into clicking on links that carry malware.

Importantly, the attack methods here are not new. Instead, they’ve simply become easier to scale with the use of AI. But sometimes the AI pushes back.

With limitless, advertised potential, even tools like ChatGPT have boundaries, often precluding users from producing materials that could cause harm. In 2023, Malwarebytes Labs subverted these boundaries to successfully get ChatGPT to write ransomware—twice.

Because of these prohibitive rules, a set of malicious copycat AI tools can now be found online that will produce text and images that often break the law. One example is in the creation of “deepfake nudes,” which utilize AI technology to digitally stitch the face of one person onto another person’s nude body, creating fake nude “photographs.” Deepfake nudes have caused multiple crises across high schools in America, serving as a new type of ammunition for old weaponry: Blackmail.

The ability to create false text, images, and even audio has also allowed cybercriminals to create more believable threats when fraudulently posing as CEOs or executives to convince employees to, say, sign a bogus contract or hand over a set of important account credentials.

These are real threats, but they are not novel. As we wrote in the 2025 State of Malware report:

“The limited impact of AI on malware stems from its current capabilities. Although there are notable exceptions, generative AIs tend to provide efficiency rather than brand new capabilities. Cybercrime is a very mature field that relies on a set of well-established tools, such as phishing, information stealers, and ransomware that are already feature complete.”

That could change in 2025.

****“Agentic” AI and a new landscape of attacks****

Agentic AI is the next big thing in artificial intelligence, even if you’ve never heard about it before.

Google, Amazon, Meta, Microsoft, and more have all begun experimenting with the technology, which promises to take AI out of its current chatbot silo and into a new landscape where individualized AI “agents” can help with specific tasks. These agents could, for example, more effectively respond to simple customer support questions, help patients find in-network providers with their health insurance, and even suggest strategy based on a company’s most recent performance. Microsoft, for its part, has already teased its AI agent that answers employee questions around HR policies, holiday schedules, and more. Salesforce, too, is investing heavily in agentic AI, positioning the technology as a personal assistant for everyone.

As we wrote in the 2025 State of Malware report:

> “If agentic AIs arrive in 2025, they won’t just answer questions, they will be able to think and act, transforming AI from an assistant that responds to prompts, into a peer, or even an expert that can plan out tasks, interact with the world, and solve the problems it encounters.”

The implications for cyberattacks are enormous. If put into the wrong hands, malicious attackers could ask AI agents to:

*   Search vast troves of stolen data to match leaked Social Security numbers with leaked email addresses, composing and sending phishing emails that threaten more data exposure unless a ransom is paid.
*   Scrape public social media feeds for baby photos that are delivered to other AI agents that create fake profiles that weaponize those baby photos as empty threats against a child’s safety.
*   Scour LinkedIn to create a database of potentially viable email addresses from countless companies by deducing the email address format—first name, last name; first initial, last name; etc.—from publicly listed email addresses, and then mirroring that format to write and send bogus requests from executives to their direct reports.
*   Comb through public divorce records across multiple states and countries to identify targets for romance scams, who receive messages and who can carry on with whole conversations composed and controlled by another AI agent.

These attacks threaten not only individuals but small businesses, too, as a vulnerability in a person’s device can become a malware attack on a network. The same is true in reverse—if attacks on companies become more accessible, then the data that people give these companies becomes more vulnerable to exposure.

Thankfully, where agentic AI poses a risk, it also poses a boon, as individual AI agents could be tasked with finding a company’s vulnerabilities, responding to suspicious activity on its network, and even guiding everyday people into safely posting online, searching the web, and buying from unknown retailers.

The truth is that AI is here to stay. There is already too much investment from the largest developers and companies for that to reverse course any time soon. So, if the threat is that attackers might harness this AI, then the foreseeable future will involve a lot of defenders and everyday people harnessing it, too.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 New AI &#8220;agents&#8221; could hold people for ransom in 2025 

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/users/password endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the newPassword PUT parameter. The issue arises in users.js, where the new password is hashed and improperly escaped before being passed to ChildProcess.exec() within a usermod command, allowing out of band (blind) command injection.

Title: ABB Cylon FLXeon 9.3.4 (users.js) Authenticated Root Remote Code Execution  
Advisory ID: ZSL-2025-5912  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (5/5)  
Release Date: 04.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/users/password endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the newPassword PUT parameter. The issue arises in users.js, where the new password is hashed and improperly escaped before being passed to ChildProcess.exec() within a usermod command, allowing out of band (blind) command injection.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[04.02.2025\] Coordinated public security advisory released.

**PoC**

abb\_flxeon\_rce6.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-48841  
\[3\] https://packetstorm.news/files/id/188993/

**Changelog**

\[04.02.2025\] - Initial release  
\[05.02.2025\] - Added reference \[3\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 (users.js) Authenticated Root Remote Code Execution

Austin, TX, USA, 4th February 2025, CyberNewsWire

**Austin, TX, USA, February 4th, 2025, CyberNewsWire**

SpyCloud’s Identity Threat Protection solutions spearhead a holistic identity approach to security, illuminating correlated hidden identity exposures and facilitating fast, automated remediation.

SpyCloud, a leading identity threat protection company, announced key innovations in its portfolio, pioneering the shift to holistic identity threat protection. By operationalizing its vast collection of darknet data with automated identity analytics that correlate malware, phishing, and breach exposures across individuals’ past and present work and personal personas, SpyCloud enables security and fraud prevention teams to comprehensively uncover hidden identity assets, rapidly remediate exposures, and better protect their businesses from previously unseen threats.  

Identity security vendors have focused narrowly on securing corporate accounts, leaving organizations vulnerable to cybercriminals exploiting the broader identity exposures of employees, consumers, and suppliers. A shift to an identity-centric perspective is needed, particularly as the scope of identity exposures continues to grow. SpyCloud research reveals that the average individual has as many as 52 unique usernames/emails and 221 passwords exposed on the darknet across their online personal and professional identities. 

The impact of these exposures is evident: nearly a quarter of data breaches resulted from compromised identity data. Credential attacks led to $4.81 million in related costs per breach and took the longest to identify and contain. 

SpyCloud’s holistic identity threat protection addresses these challenges by encompassing the full spectrum of an individual’s online presence. This innovative approach empowers security teams to proactively protect against previously unseen risks, including the darknet exposures of identity and authentication data stolen about employees, consumers, and suppliers that have been beyond their visibility to date. 

> “The cybersecurity industry has spent years and billions of dollars securing accounts, but criminals have moved far beyond account-level access,” said **Ted Ross, SpyCloud’s CEO and Co-Founder**. “The dirty secret of the identity security industry is that efforts to lock down the perimeter fail because they focus on accounts, while bad actors target the full scope of users’ holistic identities. These sprawling identities, exposed through breaches, infostealer infections, and phishing attacks, create shadow data that traditional tools simply can’t address. ”

> Ross continued, “SpyCloud changes the dynamic by providing unmatched visibility into the same data criminals are exploiting, enabling organizations to remediate exposures across the entirety of users’ online personas. This shifts the advantage back to security leaders, empowering them to act on threats that were previously beyond their reach.”

**Key Innovations Underpinning SpyCloud’s Holistic Identity Threat Protection** 

*   **Refined analytics driving actionability on exposed identities:** SpyCloud applies advanced data science and proprietary technology to dynamically correlate billions of recaptured darknet data points, providing a broader and more accurate view of identities. By connecting authentication data, financial data, and personally identifiable information (PII), SpyCloud uncovers hidden relationships across seemingly unrelated accounts, continuously and at scale.
*   **Automated remediation in <15 minutes:** SpyCloud’s holistic identity portfolio now enables rapid, automated remediation within enterprise security ecosystems, including EDR, IdP, SOAR, and SIEM tools. This allows security teams to neutralize threats in less than 15 minutes of discovery, reducing risk without straining resources or operational bandwidth.
*   **Malware reverse engineering to combat ransomware:** SpyCloud specializes in the tracking and analyzing of malware – with deep insights into pervasive infostealers such as Lumma C2, Redline Stealer, Vidar, and more – as they are often a precursor to ransomware. Through its advanced malware reverse analysis, SpyCloud provides comprehensive visibility into malware-exposed data, helping organizations identify compromised devices, users, and applications and closes critical security gaps, including those stemming from unmanaged or under-managed devices used by employees, contractors, and vendors.
*   **Accelerated cybercrime investigations:** SpyCloud’s Investigations solution, used by cyber threat intelligence (CTI) teams, security operations, fraud and risk prevention analysts, and law enforcement globally, includes automated identity analytics to uncover the full scope of digital identity exposures, accelerating complex cybercrime investigations into threat actor attribution, insider risk (including potential hiring fraud), and supply chain risk analysis from days or hours to minutes.

**SpyCloud’s Capabilities Set a New Standard for Identity Security**

SpyCloud champions the transition to holistic identity security, backed by nearly a decade of experience and the industry’s largest repository of recaptured breach, malware-exfiltrated, and successfully phished data. Its holistic identity lens reveals a comprehensive view of exposed identity information – from credentials and PII to financial data and sensitive digital artifacts.

> “SpyCloud’s innovative identity threat protection is about as important as it gets in cyber; identity is **everything**,” said **John N. Stewart, SpyCloud Board Member and former Chief Security and Trust Officer of Cisco.** “By making it possible to view and act on the world’s best source for identity exposures, SpyCloud raised the bar to the top for proactive defense against all types of identity-driven cyber exploitation.”

> “We are redefining identity security by making holistic protection practical and achievable for our customers,” added **Damon Fleury, SpyCloud’s Chief Product Officer.** “SpyCloud has a long history of leading the way in understanding the cybercrime ecosystem, from our early days in world-class ATO prevention to continuing to build solutions that empower organizations to proactively protect against threats stemming from infostealer malware, phished and breach data.” 

> Fleury continued, “This evolution to make holistic identity threat protection a reality for enterprises is critical to our mission of disrupting cybercrime. We aim to stop identity-based threats once and for all.”

To learn more, users can contact SpyCloud or view the following resources:

*   The Holistic Identity Frontier: Why Shift from account-centric Security to holistic identity threat protection
*   Stop identity-based cybercrimes once and for all

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated holistic identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights, users can visit spycloud.com.

**Contact**

**Public Relations**  
**Emily Brown**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud Pioneers the Shift to Holistic Identity Threat Protection

Taiwan has become the latest country to ban government agencies from using Chinese startup DeepSeek's Artificial Intelligence (AI) platform, citing security risks.
"Government agencies and critical infrastructure should not use DeepSeek, because it endangers national information security," according to a statement released by Taiwan's Ministry of Digital Affairs, per Radio Free Asia.
"DeepSeek

Taiwan Bans DeepSeek AI Over National Security Concerns, Citing Data Leakage Risks

An investigation into more than 300 cyberattacks against US K–12 schools over the past five years shows how schools can withhold crucial details from students and parents whose data was stolen.

Meet the Hired Guns Who Make Sure School Cyberattacks Stay Hidden

PRESS RELEASE

WASHINGTON, Jan. 30, 2025 /PRNewswire/ -- DNSFilter announced today the release of its 2025 Annual Security Report, showcasing an uptick in malicious requests from 2023 to 2024. At internet scale, threats are relentless, but so is the right combination of intel and security strategy. Each malicious request blocked represents a real attack prevented, real harm avoided and real people and organizations protected.

The DNSFilter network processes about 170 billion DNS queries daily, 200 million of which are categorized as threats and blocked. These numbers represent phishing campaigns that never reached their targets, ransomware that never infiltrated networks and malware that never had the chance to spread.

Key findings from the report include:

*   One in every 174 requests is malicious: Most people make 5,000 DNS requests daily, which means a single person could encounter as many as 29 threat inquiries in a single day. This represents a significant increase from last year's findings, where one in every 1,000 queries was a threat.
    
*   AI domains increased by 15% but drove a significant amount of traffic: DNSFilter's researchers found that between October 2023 and September 2024, overall traffic to AI-related sites increased 786% and the number of individual AI domains rose 15%. This shows that a small number of domains account for a significant amount of traffic.
    
*   Phishing queries increased by 203%: While the relative distribution of threats remained consistent over time, phishing and malware inquiries increased (up 14%). This is in-line with a marked increase in ransomware seen across the industry.
    

Ken Carnesi, CEO and co-founder, DNSFilter, said: "Even as the threat landscape changes, our mission remains the same: to defend organizations and people from the worst of the internet. The data from our report makes it clear that DNS continues to be a critical threat gateway. It's also a reminder of the crucial role DNSFilter fills as a frontline defender on the DNS layer. We'll continue to improve, innovate and stand in the gap between our customers and the real-world harm bad actors are trying to cause."

About the company:

DNSFilter is redefining how organizations secure their largest threat vector: the Internet itself. DNSFilter is making the Internet safer and workplaces more productive by blocking threats at the DNS layer. DNSFilter resolves upwards of 170 billion daily queries. With 79% of attacks using Domain Name System (DNS), DNSFilter provides the world's fastest protective DNS powered by AI, blocking threats an average of 10 days faster than traditional threat feeds. Over 35 million users trust DNSFilter to protect them from phishing, malware, and advanced cyber threats.

You May Also Like

DNSFilter's Annual Security Report Reveals Worrisome Spike in Malicious DNS Requests

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/cert endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the affected parameters. The issue arises due to improper input validation in cert.js, where user-supplied data is executed via ChildProcess.exec() without adequate sanitization.

Title: ABB Cylon FLXeon 9.3.4 (cert.js) Authenticated Root Remote Code Execution  
Advisory ID: ZSL-2025-5911  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (5/5)  
Release Date: 03.02.2025

**Summary**

BACnet® Smart Building Controllers. ABB's BACnet portfolio features a series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ building management solutions. ABB BACnet controllers are designed for intelligent control of HVAC equipment such as central plant, boilers, chillers, cooling towers, heat pump systems, air handling units (constant volume, variable air volume, and multi-zone), rooftop units, electrical systems such as lighting control, variable frequency drives and metering.

The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented connectivity and open integration for your building automation systems. It's scalable, and modular, allowing you to control a diverse range of HVAC functions.

**Description**

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/cert endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the affected parameters. The issue arises due to improper input validation in cert.js, where user-supplied data is executed via ChildProcess.exec() without adequate sanitization.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

FLXeon Series (FBXi Series, FBTi Series, FBVi Series)  
CBX Series (FLX Series)  
CBT Series  
CBV Series  
Firmware: <=9.3.4

**Tested On**

Linux Kernel 5.4.27  
Linux Kernel 4.15.13  
NodeJS/8.4.0  
Express

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[20.01.2025\] Vendor releases version 9.3.5 to address this issue.  
\[03.02.2025\] Coordinated public security advisory released.

**PoC**

abb\_flxeon\_rce5.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-48841

**Changelog**

\[03.02.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon FLXeon 9.3.4 (cert.js) Authenticated Root Remote Code Execution

PRESS RELEASE

MONTREAL, January 29, 2025 (Newswire.com) - Flare, the global leader in Threat Exposure Management, has introduced Flare Academy, an educational hub featuring interactive online training offered free-of-charge to cybersecurity professionals.

Led by Flare's team of subject matter experts, Flare Academy offers a variety of online training modules on the latest cybersecurity threats to enhance the education and knowledge of cybersecurity practitioners. These sessions will highlight a variety of important topics, including investigation and intelligence gathering on cybercrime forums, techniques for deanonymizing threat actors, and ransomware analysis and infiltration.

Through interactive training sessions, security professionals can upgrade their skills and knowledge on a variety of cybercrime and cybersecurity topics, and earn CPE credits toward security certifications. And with the Flare Academy Discord Community, members can build relationships with other practitioners for continuous learning and engagement.

"Flare Academy will provide cybersecurity professionals with access to training, collaborative discussions, and cutting-edge resources," said Mathieu Lavoie, CTO & Research Team Lead at Flare. "We've launched this program with the goal of helping to empower security professionals with the training and information they need to stay ahead of threats and build a stronger, safer digital world."

A number of training modules are currently available for registration, including:

For more information about Flare Academy, and to register for upcoming modules, visit https://flare.io/trainings/.

About Flare

Flare is the leader in Threat Exposure Management, helping organizations of all sizes detect high-risk exposure found on the clear and dark web. Combining the industry's best cybercrime database with an incredibly intuitive user experience, Flare enables customers to reclaim the information advantage and get ahead of threat actors. For more information, visit https://flare.io.

You May Also Like

Interactive Online Training for Cybersecurity Professionals; Earn CPE Credits

Adversaries looking to ride the DeepSeek interest wave are taking advantage of developers in a rush to deploy the new technology, by using AI-generated malware against them.

Source: ifeelstock via Alamy Stock Photo

Researchers have found malicious DeepSeek-impersonating packages planted in the Python Package Index (PyPi); the code is actually loaded with infostealers. Experts warn that's probably not the only platform loaded with fake, malicious DeepSeek packages, and that developers should proceed with care.

Researchers with Positive Technologies discovered the malicious packages, labeled "deepseekai" and "deepseeek," trying to trick developers into thinking they were legit.

"The attack targeted developers, machine learning \[ML\] engineers, and ordinary AI enthusiasts who might be interested in integrating DeepSeek into their systems," the Positive Technologies researchers wrote in an analysis.

The account behind the attack, "bvk," was created in June 2023 and sat dormant until the campaign sprang to life on Jan. 29, according to the report. When executed, the researchers noted both "deepseeek" and "deepseekai" drop infostealers to steal sensitive data, including API keys, database credentials, and permissions.

The malicious PyPi packages have been deleted, but there's evidence they were downloaded 36 times using the pip package manager and the bandersnatch mirroring tool, and 186 times using the browser, the researchers reported.

"Sometimes API keys aren’t leaked, they’re just plain stolen," Tim Erlin, vice president of product at Wallarm says. "This incident is a good example of attackers taking advantage of the prevailing news cycle. Anytime you’re doing something popular, whether clicking on a link or installing a PyPi package, it’s best to approach the task with a healthy dose of skepticism."

Related:'Constitutional Classifiers' Technique Mitigates GenAI Jailbreaks

That mindset can help developers avoid making similar cybersecurity slip-ups, according to Mike McGuire, senior security solutions manager with Black Duck.

"In their eagerness to leverage DeepSeek in their tasks, many developers missed the 'red flag' that they were downloading packages from an account with a limited, poor reputation, and had their environment variables and secrets compromised as a result," McGuire says.

Ironically given how advanced DeepSeek's capabilities are touted to be, the attack itself was a fairly low-tech affair, Michael Lieberman, CTO at Kusari, notes.

"Typosquatting attacks are popular because they work," Kusari points out. "It's easy for a developer to mistype a word or use something with a similar-sounding name and suddenly their application is pulling in malicious code. Popular or trendy technologies are at particular risk since the pool of potential victims is larger."

Related:DeepSeek Jailbreak Reveals Its Entire System Prompt

**Adversaries Using AI to Write Code Faster Too**

In a novel twist, the researchers found evidence the threat actors used AI to write the malicious code.

"There are clear indications that the compromised code was written with AI assistance, providing a real-world example of AI being used for malicious intent," Wallarm's Erlin says.

Erlin adds that developers should expect similar malicious packages to be scattered among various platforms.

"Developers, with malintent or not, are heavily invested in using AI to be more efficient." he adds. "AI lets developers write more code, faster. We should expect to see the volume of malicious code expand at the same rate as code in general."

To protect their environments from these threats, Raj Mallempati, CEO of BlueFlag Security, says developers need to implement strong security practices throughout the software development lifecycle (SDLC). That means using software composition analysis (SCA) tools, as well as automated vulnerability scanning, limiting the use of unverified packages in developer environments, and threat intelligence monitoring.

"This recent incident underscores the need for developers to specifically protect against threats like OSS typosquatting," Mallempati explains. "Double checking package names and verifying package sources that come from DeepSeek will be key here. As well, developers should enable dependency scanning tools like Github dependabot to ensure they are not downloading malicious packages."

Related:Code-Scanning Tool's License at Heart of Security Breakup

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

AI Malware Dressed Up as DeepSeek Packages Lurk in PyPi

DeepSeek R1, a cost-efficient AI model, achieves impressive reasoning but fails all safety tests in a new study…

DeepSeek R1, a cost-efficient AI model, achieves impressive reasoning but fails all safety tests in a new study by Cisco’s Robust Intelligence. Researchers used algorithmic jailbreaking to demonstrate 100% vulnerability to harmful prompts, raising concerns about its training methods and the need for superior AI security measures.

Chinese start-up DeepSeek has gained attention for introducing large language models (LLMs) with advanced reasoning capabilities and cost-efficient training. Its recent releases DeepSeek R1-Zero and DeepSeek R1 have achieved performance comparable to leading models like OpenAI’s o1 at a fraction of the cost and outperformed Claude 3.5 Sonnet and ChatGPT-4o on tasks like math, coding, and scientific reasoning.

 However, the latest research from Robust Intelligence (now part of Cisco) and the University of Pennsylvania, shared with Hackread.com, reveals critical safety flaws.

Researchers reportedly collaborated to investigate the security of DeepSeek R1, a new reasoning model from the Chinese AI startup DeepSeek. The assessment cost was less than $50 and involved using an algorithmic validation methodology.

The team tested DeepSeek R1, OpenAI’s o1-preview, and other frontier models using an automated jailbreaking algorithm applied to 50 prompts from the HarmBench dataset. These prompts spanned six categories of harmful behaviour, including cybercrime, misinformation, illegal activities, and general harm. 

Their key metric was the Attack Success Rate (ASR), measuring the percentage of prompts that elicited harmful responses. The results were alarming: DeepSeek R1 exhibited a 100% attack success rate, failing to block a single harmful prompt. This contrasts sharply with other leading models, which demonstrated at least some level of resistance to such attacks. 

It is worth noting that researchers used a temperature setting of 0 for reproducibility and verified jailbreaks through automated methods and human oversight. DeepSeek R1’s 100% ASR starkly contrasts with o1, which successfully blocked many adversarial attacks. This suggests that DeepSeek R1 while achieving cost efficiencies in training, has significant trade-offs in safety and security.

Via Cisco’s Robust Intelligence

For your information, DeepSeek’s AI development strategy utilizes three core principles- Chain-of-thought” prompting, reinforcement learning, and distillation, which enhance its LLMs’ reasoning efficiency and self-evaluate reasoning processes.

As per Cisco’s investigation these strategies, while being cost-efficient, may have compromised the models’ safety mechanisms. Compared to other frontier models, DeepSeek R1 appears to lack effective guardrails, making it highly susceptible to algorithmic jailbreaking and potential misuse.  

The research emphasizes the need for rigorous security evaluation in AI development to balance efficiency and reasoning without compromising safety. It also highlights the significance of third-party guardrails for consistent security across AI applications.

Tag

#intel