Cybersecurity researchers have flagged a new malware artifact generated using DeepSeek, in which the model constructed a novel attack path combining "unrealistic browser-malware concepts with a real browser capability" and turned it into a working ransomware technique that runs entirely inside the browser on both Windows and Android devices.

"This is the first documented case where a frontier AI model independently bridged the gap between a theoretical browser-only ransomware risk and a practical, working attack chain – surfacing a novel attack path that defenders had previously dismissed as unfeasible due to browser sandboxing limits," Check Point said in a statement shared with The Hacker News.

"The expertise needed to discover a new attack path is no longer the bottleneck, and defenders need to account for that shift now — before threat actors operationalize it at scale."

The identified sample is a Python Flask application named "deepseek_python_20260125_da0631.py" that was uploaded to VirusTotal on January 25, 2026, with the Google-owned malware scanning service describing it as a "fully functional information stealer and ransomware toolkit." It has been named InfernoGrabber v9.0 by the malware author.