Artificial Intelligence (AI) is changing many industries, and cybersecurity is no exception. A recent example is a GitHub repository called Exploitarium, created by an anonymous security researcher using the nickname Bikini. The repository contains proof-of-concept (PoC) exploits and descriptions of security vulnerabilities found in popular software used by millions of people around the world.
What makes this story interesting is not just the use of AI, but also the way these vulnerabilities are being shared.
According to the researcher, AI models such as GPT-5.3 were used as part of an automated testing process to help identify security bugs. The researcher explains that AI was only one part of the workflow. Human expertise was still required to verify the results, write the exploit code, and confirm that the vulnerabilities were real. This highlights an important point: AI can speed up security research, but it cannot replace skilled cybersecurity professionals.
The Exploitarium repository currently includes vulnerabilities affecting well-known software such as 7-Zip, curl, Docker, Firefox, OpenVPN, PHP, VLC, Gitea, RustDesk, and many others. Some of these findings have already received official CVE (Common Vulnerabilities and Exposures) numbers, which means they have been recognized as legitimate security issues.

However, the biggest controversy is that the researcher published the vulnerabilities and exploit code without informing the software developers first. Normally, security researchers follow a process called responsible disclosure, where they privately report a vulnerability to the vendor and allow time for a fix before making the information public. This reduces the chance of attackers exploiting the weakness before users can install security updates.
In this case, the researcher openly invited others to report the vulnerabilities to the affected vendors and even receive the public recognition for doing so. This unusual approach has raised concerns within the cybersecurity community.
There is also some debate about whether all the vulnerabilities in Exploitarium are new discoveries. For example, one serious vulnerability affecting the libssh2 library had already been identified and documented by another researcher before it appeared in the repository. This suggests that not every published exploit represents a brand-new finding.
Another important point is that publishing a proof-of-concept exploit does not automatically mean attackers can immediately compromise systems. A PoC simply demonstrates that a vulnerability exists. In many cases, additional work is needed to convert it into a practical attack against real-world targets. Nevertheless, making exploit code publicly available lowers the barrier for cybercriminals and increases the urgency for organizations to apply security patches.
Security researchers have also reported that two of the published vulnerabilities – one affecting libssh2 and another impacting Gitea’s CI/CD runner – may already be under active exploitation. While these reports are still limited, they remind organizations that delaying software updates can significantly increase risk.
This incident also demonstrates how AI is changing cybersecurity. AI enables researchers to analyze large amounts of code much faster than before, helping discover vulnerabilities that might otherwise remain hidden for years. At the same time, cybercriminals can use similar AI-powered techniques to identify weaknesses more quickly. As a result, the race between defenders and attackers is becoming faster than ever.
For businesses and individual users, the lesson is straightforward. Keep software updated, apply security patches promptly, monitor trusted security advisories, and avoid assuming that widely used software is automatically secure. AI is making vulnerability discovery faster, but strong security practices remain the best defense.
The future of cybersecurity will not be driven by AI alone. It will depend on the combination of advanced technology, skilled professionals, responsible disclosure practices, and timely patch management. Organizations that strengthen these areas will be better prepared for the evolving threat landscape.

Cyber Security Researcher. Information security specialist, currently working as risk infrastructure specialist & investigator. He is a cyber-security researcher with over 25 years of experience. He has served with the Intelligence Agency as a Senior Intelligence Officer. He has also worked with Google and Citrix in development of cyber security solutions. He has aided the government and many federal agencies in thwarting many cyber crimes. He has been writing for us in his free time since last 5 years.









