
China-Linked AI Pentest Tool ‘Villager’ Raises Concern After 10K Downloads

By Admin
September 15, 2025


China-linked AI tool Villager, published on PyPI, automates cyberattacks and has experts worried after 10,000 downloads in just two months.

A new penetration testing tool called Villager, released on the Python Package Index (PyPI) by a former Chinese capture-the-flag (CTF) competitor, is now catching interest from security researchers. While it is marketed as a red teaming tool, experts warn that its automation capabilities and open availability could allow threat actors to use it maliciously.

According to cybersecurity firm Straiker, which first spotted the tool, Villager was published as a public Python package in late July 2025 by a user named stupidfish001, linked to the Chinese group HSCSEC and now associated with a company known as Cyberspike. In the two months since its release, Villager has been downloaded more than 10,000 times across Linux, macOS and Windows environments.

According to researchers from Straiker, the pattern looks a lot like what happened with Cobalt Strike, a legitimate red teaming solution that was repurposed by cybercriminals and nation-state groups.

Generative AI Features

However, Villager takes this a step further by adding generative AI to the process, allowing attackers to automate reconnaissance, vulnerability exploitation and follow-on tasks through natural language commands.

Straiker’s lengthy technical analysis details that Cyberspike, the group behind Villager, appears to operate under the name Changchun Anshanyuan Technology Co., Ltd., registered in China as an AI development company. But the lack of an official website and the presence of remote administration features resembling known malware families like AsyncRAT raise questions about the company’s true intentions.

Cyberspike’s past products also raise red flags. Analysis of its earlier “Cyberspike Studio” tool revealed it was a modified suite based on AsyncRAT, featuring capabilities like remote desktop access, keylogging, webcam hijacking and Discord token theft. Those same components now appear to be part of Villager’s backend, repackaged with a cleaner interface and AI orchestration.

Dashboard image captured by Straiker

Researchers additional added that Villager is an “AI-orchestrated” modular framework that integrates a number of parts, together with containerised Kali Linux environments, browser automation, code execution and a customized AI mannequin dubbed al-1s-20250421.

It allows users to submit high-level objectives such as “scan and exploit example.com” in plain text, with the AI breaking that request down into a series of technical steps and carrying them out autonomously.

Another concerning feature is its built-in forensic evasion. The framework automatically creates temporary containers, each configured to self-destruct within 24 hours, leaving minimal traces. It also uses randomised SSH ports and job planning to avoid detection and complicate analysis.

DeepSeek Integration

Straiker’s analysis notes that Villager leverages DeepSeek models and LangChain integrations to support decision-making and exploit generation. A testing script included in the package connects to Cyberspike’s own infrastructure, which appears to host these models behind an OpenAI-compatible API endpoint.
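A defender-side check for the pattern described above (an OpenAI-compatible API served from infrastructure other than an approved provider), added here as an example and not taken from Straiker’s report or the Villager package: it scans web-proxy logs for OpenAI-style `/v1/...` requests to hosts outside an allowlist. The log layout, the allowlist and the sample lines are assumptions constructed for illustration, and the proxy is assumed to log full URLs (TLS inspection).

```python
import re
from urllib.parse import urlsplit

# Routes used by OpenAI-style HTTP APIs (the /v1/... paths of the OpenAI REST API).
OPENAI_STYLE_PATHS = re.compile(
    r"^/v1/(chat/completions|completions|embeddings|models)(/|$)"
)

# Assumption: LLM API hosts your organisation has approved.
APPROVED_LLM_HOSTS = {"api.openai.com"}

# Assumed log layout: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def find_unapproved_llm_calls(lines, approved=APPROVED_LLM_HOSTS):
    """Return (client, host, path) for OpenAI-style calls to unapproved hosts."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        url = urlsplit(m.group("url"))
        host = (url.hostname or "").lower()
        if not host or not OPENAI_STYLE_PATHS.match(url.path):
            continue  # not an OpenAI-style API request
        if host in approved:
            continue  # sanctioned provider
        findings.append((m.group("client"), host, url.path))
    return findings


# Constructed sample log lines (not taken from any real environment).
SAMPLE_LOG = [
    "2025-09-15T10:00:01Z 10.0.4.17 POST https://api.openai.com/v1/chat/completions 200",
    "2025-09-15T10:00:05Z 10.0.4.22 POST https://llm.unknown-host.example:8443/v1/chat/completions 200",
    "2025-09-15T10:00:09Z 10.0.4.22 GET https://llm.unknown-host.example:8443/v1/models 200",
    "2025-09-15T10:00:12Z 10.0.4.31 GET https://pypi.org/simple/requests/ 200",
    "malformed line",
]

if __name__ == "__main__":
    for client, host, path in find_unapproved_llm_calls(SAMPLE_LOG):
        print(f"{client} -> {host}{path}")
```

A hit is a lead for triage rather than a verdict: internally hosted or third-party LLM gateways also expose these routes, so the allowlist needs to reflect what is actually sanctioned.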

Logs show Villager is being actively downloaded at a steady rate of over 200 times every three days. It’s designed to run in real attack workflows, with Docker images hosted on Cyberspike’s own GitLab repository and MCP (Model Context Protocol) clients coordinating operations through FastAPI endpoints.

Villager download stats (Image via Straiker)

Casey Ellis, founder of Bugcrowd, notes that the use of AI by attackers is nothing new. However, the arrival of a Chinese-developed tool like Villager puts a sharper edge on the issue.

“Hackers, both useful and malicious, have been using AI to improve their effectiveness ever since generative AI became generally available,” Ellis said. “The essential takeaway here is that AI-assisted offence is here, has been here for quite some time now, and is here to stay. The provision of increasingly powerful capabilities to a far broader audience is the true concern.”



© 2025 https://blog.aimactgrow.com/ - All Rights Reserved
