Malicious actors are exploiting a critical API flaw in Ray—an open-source framework widely used to scale and manage AI workloads—turning legitimate development environments into a massive global cryptojacking system, according to new research by cybersecurity firm Oligo.
The vulnerability affects Ray’s Job Submission API, which allows unauthenticated remote code execution. Ray, often described as “Kubernetes for AI,” has become popular among AI startups, research labs, and cloud environments due to its ability to orchestrate large-scale compute resources.
AI Tools Hijacked for Worldwide Cryptomining
Oligo researchers Ari Lumelsky and Gal Elbaz found that attackers have weaponized Ray’s scheduling and orchestration capabilities to create a self-propagating cryptomining botnet. The malicious operation spreads autonomously across exposed Ray clusters, taking advantage of compute-heavy large language model (LLM) environments.
To stay hidden, attackers masked their processes as legitimate Ray services, limited CPU usage, and concealed GPU activity. This enabled them to quietly exploit high-end hardware—especially NVIDIA A100 GPUs, which cost up to $4 per hour on many cloud platforms and are highly attractive to cryptominers.
Researchers estimate the potential attack surface is vast, with more than 200,000 Ray servers exposed online. While not all are confirmed compromised, many belong to active AI companies and research institutions, while others appear to be honeypots monitoring malicious behavior.
A New Wave of Attacks on an Old Flaw
The cryptojacking campaign represents a significant evolution of attacks exploiting the same vulnerability first identified in 2023. Oligo believes a new threat group is responsible and may have been operating undetected since September 2024, migrating between GitLab and GitHub development environments.
Access was gained through the exposed API, after which attackers issued fraudulent tasks to Ray’s dashboard—a component intended for internal use only, but frequently left open on the public internet. From there, they expanded through the network and deployed malware.
“What makes this campaign unique is that attackers didn’t rely on traditional exploits,” the researchers wrote. “They used Ray’s own APIs and Python execution mechanisms exactly as designed—just for malicious intent.”
Two-Phase Operation Spanning GitLab and GitHub
The campaign unfolded in two distinct waves:
- Phase One: Attackers hosted and distributed malware via GitLab until the activity was discovered and removed on November 5.
- Phase Two: Within days, the group resurfaced on GitHub, repeatedly creating new repositories after takedowns. As of November 17, the operation was still active.
GitHub confirmed it is investigating and has removed accounts violating platform policies related to malware activity.
Some artifacts gathered from the attackers’ obfuscation attempts suggest parts of the malware code were generated using large language models, according to Oligo.
A Critical Flaw Still Unpatched
The vulnerability at the center of the attacks—CVE-2023-48022—remains unpatched. According to MITRE, the bug persists because the Ray project disputes the need for a fix, noting the framework was never intended to be deployed outside secured internal networks.
However, Oligo warns that many organizations ignore the guidance and run Ray in internet-accessible environments, creating dangerous opportunities for attackers.
“This continues to provide a broad window for exploitation,” the researchers wrote, highlighting that the ongoing campaign demonstrates both the scale and severity of the issue.
