A new artificial intelligence (AI)-powered penetration testing tool linked to a China-based company has attracted nearly 11,000 downloads on the Python Package Index (PyPI) repository, raising concerns that it could be repurposed by cybercriminals for malicious purposes.
Dubbed Villager, the framework is assessed to be the work of Cyberspike, which has positioned the tools as a red teaming solution to automate testing workflows. The package was first uploaded to PyPI in late July 2025 by a user named stupidfish001, a former capture the flag (CTF) player for the Chinese HSCSEC team.
“The rapid, public availability and automation capabilities create a realistic risk that Villager will follow the Cobalt Strike trajectory: commercially or legitimately developed tooling becoming widely adopted by threat actors for malicious campaigns,” Straiker researchers Dan Regalado and Amanda Rousseau said in a report shared with The Hacker News.
The emergence of Villager comes shortly after Check Point revealed that threat actors are attempting to leverage another nascent AI-assisted offensive security tool called HexStrike AI to exploit recently disclosed security flaws.
With the advent of generative AI (aka GenAI) models, threat actors have capitalized on the technology for social engineering, technical, and information operations in ways that have likely contributed to increased speed, access to expertise, and scalability.
One key advantage to relying on such tools is that they lower the barrier to exploitation, and cut short the amount of time and effort required to pull off such attacks. What once required highly skilled operators and weeks of manual development can be automated using AI, offering bad actors assistance with crafting exploits, payload delivery, and even infrastructure setup.
“Exploitation can be parallelized at scale, with agents scanning thousands of IPs simultaneously,” Check Point noted recently. “Decision-making becomes adaptive; failed exploit attempts can be automatically retried with variations until successful, increasing the overall exploitation yield.”
The fact that Villager is available as an off-the-shelf Python package means it offers attackers an easy way to integrate the tool into their workflows, Straiker noted, describing it as a “concerning evolution in AI-driven attack tooling.”
Cyberspike first appeared in November 2023, when the domain “cyberspike[.]top” was registered under Changchun Anshanyuan Technology Co., Ltd., an AI company supposedly based in China. That said, the only source of information about what the company does comes from a Chinese talent services platform called Liepin, raising questions about who is behind it.
Snapshots of the domain captured on the Internet Archive reveal that the tool is marketed as a network attack simulation and post-penetration test tool to help organizations evaluate and strengthen their cybersecurity posture.
Once installed, Cyberspike has been found to incorporate plugins that are components of a remote access tool (RAT), enabling invasive victim surveillance and control using remote desktop access, Discord account compromise, keystroke logging, webcam hijacking, and other monitoring functions. Further analysis has uncovered similarities with a known RAT called AsyncRAT.
“Cyberspike integrated AsyncRAT into its red teaming product, with additional plugins to well-known hacktools like Mimikatz as well,” Straiker said. “These integrations demonstrate how Cyberspike repackaged established hacktools and offensive tools into a turnkey framework designed for penetration testing and probably malicious operations.”
Villager appears to be the latest offering from Cyberspike. Operating as a Model Context Protocol (MCP) client, it integrates with Kali Linux toolsets, LangChain, and DeepSeek’s AI models to automate testing workflows, handle browser-based interactions, and issue commands in natural language that can then be converted into their technical equivalents.
Besides leveraging a database of 4,201 AI system prompts to generate exploits and make real-time decisions in penetration testing, the AI-native penetration testing framework automatically creates isolated Kali Linux containers for network scanning, vulnerability assessment, and penetration testing, and destroys them after a period of 24 hours, effectively covering up traces of the activity.
“The ephemeral nature of these containers, combined with randomized SSH ports, makes AI-powered attack containers difficult to detect, complicating forensic analysis and threat attribution,” the researchers noted.
Command-and-control (C2) is accomplished by means of a FastAPI interface that processes incoming tasks, while the Python-based Pydantic AI agent platform is used to standardize outputs.
“Villager reduces skill and time required to run sophisticated offensive toolchains, enabling less-skilled actors to perform more advanced intrusions,” the researchers said. “Its task-based architecture, where AI dynamically orchestrates tools based on objectives rather than following rigid attack patterns, marks a fundamental shift in how cyber attacks are conducted.”
“Increased frequency and speed of automated reconnaissance, exploitation attempts, and follow-on activity could raise detection and response burdens across the enterprise.”
