A new AI-powered penetration testing framework, dubbed Villager, has raised alarms in the cybersecurity community after racking up nearly 11,000 downloads on the Python Package Index (PyPI) since its late July 2025 release. The tool, reportedly developed by China-based company Cyberspike, is designed for automating red teaming workflows but could be repurposed for malicious use by threat actors, researchers warn.
Villager was uploaded by a user named stupidfish001, a former capture-the-flag (CTF) player from the Chinese HSCSEC team. According to researchers at Straiker, “The rapid, public availability and automation capabilities create a realistic risk that Villager will follow the Cobalt Strike trajectory: commercially or legitimately developed tooling becoming widely adopted by threat actors for malicious campaigns.”
The release of Villager follows growing concern over AI-assisted offensive security tools, with Check Point recently warning that threat actors are leveraging tools like HexStrike AI to speed up exploitation of vulnerabilities. AI-driven frameworks significantly lower the barrier to entry, allowing attackers to automate tasks that previously required skilled operators and weeks of manual effort. “Exploitation can be parallelized at scale, with agents scanning thousands of IPs simultaneously,” Check Point noted. “Decision-making becomes adaptive; failed exploit attempts can be automatically retried with variations until successful, increasing the overall exploitation yield.”
Villager integrates with Kali Linux, LangChain, and DeepSeek’s AI models, converting natural language commands into technical instructions. It also leverages a library of over 4,200 AI prompts to generate exploits and conduct penetration tests. Its use of ephemeral Kali Linux containers that self-destruct after 24 hours makes forensic detection and attribution more challenging.
Researchers also noted that Cyberspike has integrated components of AsyncRAT and plugins for tools like Mimikatz, enabling remote desktop control, keylogging, Discord account compromise, webcam hijacking, and other invasive capabilities. “Cyberspike integrated AsyncRAT into its red teaming product, with additional plugins to well-known hacktools like Mimikatz as well,” Straiker said, describing it as a turnkey solution for both legitimate and potentially malicious operations.
“Villager reduces skill and time required to run sophisticated offensive toolchains, enabling less-skilled actors to perform more advanced intrusions,” the researchers added. Its task-based AI architecture represents a shift toward objective-driven cyberattacks, potentially increasing both the speed and scale of intrusions and raising the burden on enterprise defense teams.
