Attackers are once again exploiting the Ray AI vulnerability, a flaw that has lingered for two years and is now driving a new wave of compromises across AI and machine learning clusters. Security firm Oligo revealed that the latest campaign is hitting exposed environments at scale, turning unsecured Ray clusters into targets for cryptomining, data theft, lateral movement, and automated self-propagation.
Ray, created by Anyscale, is widely used to scale Python-based AI workloads. Teams deploy Ray clusters in the cloud to handle training, inference, and distributed computing tasks. But Ray has never included built-in authentication, and its documentation has long warned users to place clusters behind locked-down, trusted networks. Because many organizations ignored those warnings, the Ray AI vulnerability remained a serious risk for anyone exposing their dashboards to the open internet.
The flaw, identified as CVE-2023-48022 and carrying a 9.8 CVSS score, makes things even worse. It allows remote attackers to execute code directly through the Jobs API without any credentials. While Anyscale disputed the severity of the bug when it was disclosed, the company still promised to introduce authentication in a future release. That promise took on new urgency after researchers uncovered the original ShadowRay campaign, which had already infected hundreds of clusters.
Today, the situation has escalated. The Ray AI vulnerability is now being abused by multiple threat actors who are actively scanning for exposed systems. According to Oligo, this new wave of attacks, called ShadowRay 2.0, shows a level of automation and speed designed to take over computing power across thousands of nodes. The attackers are using Ray’s own orchestration features to move from one node to another, spreading through entire clusters with almost no resistance.
One of the most aggressive actors in this operation goes by the name IronErn440. This adversary is using legitimate Ray functions to schedule jobs, submit tasks, and propagate cryptomining processes with almost no manual work. Their code is designed to spread quietly, limit CPU consumption, and hide GPU usage to remain invisible to monitoring tools. By mimicking normal system behavior, their cryptojacking activity becomes harder to flag in environments that already produce heavy compute loads.
Oligo found that the attackers also disguise malicious processes as common Python or AI-related tasks. They deploy hidden miners, covert data exfiltration tools, and even malware downloaded from legitimate code-sharing platforms. Because the Ray AI vulnerability allows unauthenticated access, they can push whatever payloads they want and run them at scale. The longer a cluster stays exposed, the more control attackers can gain over the environment.
Evidence shows that this campaign has been active since September 2024. Over that time, the attackers built a multi-purpose botnet capable of distributed denial-of-service attacks, autonomous spreading, and data theft. They also made consistent changes to their code and delivery pipelines. In early November, they launched payloads from GitLab repositories. When those repositories were removed, they quickly recreated them, and later migrated everything to GitHub to avoid disruption. Each time, new malware versions appeared within hours.
Oligo says the GitLab version of the attack was especially advanced. The threat actors used separate platforms to automatically identify exposed Ray servers. Once a target was found, they submitted malicious jobs that ran reconnaissance scripts, tested available hardware, and executed multi-stage Python payloads. These payloads mapped out cluster resources, calculated the best way to distribute tasks, and then submitted a takeover job using Ray’s built-in scheduling capabilities.
Interestingly, many of these payloads showed signs of being AI-generated. Oligo highlighted that the structure, comments, and error-handling patterns looked exactly like code produced by today’s generative AI tools. This means attackers are now letting AI write malware that targets AI systems, a loop that makes attacks faster, cheaper, and more scalable than before.
The researchers also observed multiple reverse shells connecting back to cloud-hosted command-and-control servers, many of them running in AWS. The large number of shells suggests either a sophisticated failover setup or several different attackers fighting for the same Ray clusters. In some clusters, Oligo found evidence that attackers were terminating rival miners to claim full control of the GPUs and CPUs.
The Ray AI vulnerability is especially dangerous for environments running NVIDIA GPUs. These systems offer high compute power, which makes them valuable for cryptomining and high-throughput botnet activity. Attackers also added scripts to ensure their miners survive reboots and maintain persistence, giving them long-term access to compromised environments.
Some of the compromised clusters contained not only compute resources, but also sensitive assets like credentials, cloud tokens, and internal production databases. In several cases, attackers gained root-level access to MySQL databases used in live applications. Oligo also found proprietary AI models and datasets inside breached environments, raising the stakes for startups and research labs that rely on Ray to accelerate development.
One of the more alarming tools deployed during the attacks was Sockstress, a TCP state exhaustion tool. Its presence suggests the attackers were preparing Ray clusters for automated DDoS operations. Because compromised clusters could identify and infect more Ray environments, the campaign essentially created a self-propagating worm. Each infected cluster acted like a scanner, locating more exposed dashboards and launching the next round of attacks.
After moving their infrastructure to GitHub, the attackers continued compromising larger clusters, including those with thousands of nodes. They pushed updates, refined their miners, and expanded their malware toolkit. On one compromised server, Oligo discovered 240 gigabytes of AI models, source code, and internal datasheets, all left exposed because the Ray environment had no authentication.
When Oligo scanned the internet for Ray dashboards, they found more than 230,000 Ray servers accessible online. Many belonged to AI startups, research groups, and early-stage companies building model pipelines. While some teams deployed Ray for convenience and speed, they overlooked critical security hardening and left clusters wide open.
The Ray AI vulnerability has become a vivid reminder of how quickly modern attackers adapt. They use DevOps-style workflows, CI/CD pipelines, version control systems, and AI-generated code to update and optimize their operations in real time. Oligo described the attackers’ development cycle as “DevOps for cybercrime,” emphasizing how efficiently they tested techniques, pushed updates, rolled back failures, and reacted to defensive countermeasures.
Because the vulnerability has been known for two years, attackers have had ample time to build automated tools around it. And because Ray clusters are often deployed by fast-moving teams under pressure to ship AI workloads quickly, many of them remain exposed long after warnings were issued.
The scale of ShadowRay 2.0 shows how the combination of high-value compute power, easy remote access, and AI-assisted coding can create a perfect storm. Until authentication becomes a default part of Ray’s architecture or teams properly isolate their clusters, the Ray AI vulnerability will continue to fuel more attacks across AI infrastructure worldwide.
