ShadowRay 2.0 and Ray exposure: what IAM teams need to know

TL;DR: ShadowRay 2.0 is an active global campaign that exploits Ray, the open-source AI framework, to seize exposed clusters, run cryptominers, hide persistence, and propagate malware through GitLab and GitHub updates, according to Oligo Security. The breach shows that AI workload exposure is now an identity and governance problem, not just a vulnerability issue, because self-managed compute still fails when isolation and runtime control are assumed rather than enforced.

NHIMG editorial — based on content published by Oligo Security: ShadowRay 2.0 and the global campaign hijacking AI clusters

By the numbers:

• Attackers attempt access within an average of 17 minutes when AWS credentials are exposed publicly.

Questions worth separating out

Q: What breaks when Ray clusters are exposed to the internet without isolation?

A: When Ray clusters are internet-facing, unauthenticated job execution becomes a remote control path for attackers.

Q: Why do exposed AI workloads create NHI-style governance risk?

A: Exposed AI workloads behave like powerful non-human identities because they can execute actions, hold operational authority, and reach surrounding systems.

Q: How do security teams know if persistence has been established on a compromised AI node?

A: Look for process names that imitate system services, shell profile edits, cron-style polling, and startup hooks that survive reboots.

Practitioner guidance

• Constrain Ray to private trust boundaries Keep Ray dashboards, jobs APIs, and related control planes off the public internet, and verify that network segmentation blocks unauthenticated execution paths before production rollout.
• Watch for process masquerading and persistence hooks Alert on renamed system-like processes, shell profile changes, cron polling, and init-style startup artefacts on AI clusters because those are the signs of durable post-exploitation control.
• Inspect code-hosting and update channels used by workloads Review whether GitLab, GitHub, or similar repositories are being used as hidden delivery infrastructure for AI workloads, especially when change frequency is unusually high or region-aware.

What's in the full article

Oligo Security's full article covers the operational detail this post intentionally leaves for the source:

• Step-by-step attack progression across discovery, payload delivery, persistence, and monetisation phases.
• Indicator details for masqueraded processes, startup hooks, and repository-driven malware updates.
• Examples of the GitLab and GitHub delivery infrastructure used to evolve the campaign.
• The specific Ray exploitation path and the supporting artefacts observed in compromised clusters.

👉 Read Oligo Security's analysis of ShadowRay 2.0 and Ray cluster abuse →

ShadowRay 2.0 and Ray exposure: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →