VoidLink malware likely built by a single developer using AI

 


The recently discovered VoidLink cloud-focused Linux malware framework may be the work of a single developer and may have been created almost entirely by artificial intelligence, Check Point Research said in a new report.

Check Point published an analysis of VoidLink last week describing the software as a sophisticated malware framework incorporating custom loaders, implants, rootkit-based evasion modules, and dozens of plugins. The project was initially assessed as the work of highly skilled Chinese-speaking developers, but researchers now say there is “clear evidence” that it was largely created with the help of an AI assistant within just one week.

The conclusion stems from multiple operational security failures made by VoidLink’s creator, including an exposed open directory on the server. This leak revealed source code, internal documentation, sprint plans, and files generated by TRAE SOLO, an AI assistant embedded in the TRAE AI-centric development environment. According to Check Point, the files included early guidance given to the AI model.

Researchers say the developer relied on Spec-Driven Development, using AI to define goals, constraints, and a multi-team development plan before generating large portions of code. While the documentation outlined a 16–30 week effort, timestamps show VoidLink reached roughly 88,000 lines of code just days after development began. Check Point says it reproduced a similar workflow using an AI agent, leaving “little room for doubt” that VoidLink represents the first known example of advanced malware generated at scale by artificial intelligence.

