Check Point Research (CPR), the threat intelligence arm of cybersecurity solutions pioneer and global leader Check Point Software Technologies Ltd. (NASDAQ: CHKP), has discovered and published analysis of a malware sample generated by DeepSeek. This sample demonstrated how an AI model autonomously connected theoretical browser risks with a functional ransomware technique. The ransomware operates entirely within the browser, requiring no exploits, app installations, or technical expertise from the attacker. This marks the first instance of a frontier AI model autonomously linking a theoretically existing browser-specific ransomware risk with a practical, functional attack chain. This newly surfaced attack vector was previously considered impossible by defense experts due to the constraints of browser sandboxes. Expertise is no longer a bottleneck in discovering new attack vectors. In response to these changes, defenders must prepare before threat actors begin widespread exploitation. AI 'Considers' Instead of Human Attackers While analyzing approximately 3,000 files on public telemetry data believed to originate from DeepSeek, researchers found a Python Flask application. At first glance, it appeared to be a typical AI hallucination, attempting to cram features like keylogging, credential theft, webcam capture, and a ransomware demand overlay into a single webpage, most of which would be rejected by the browser. However, hidden within the noise was one accurately functioning element: a feature called showDirectoryPicker(). This is a legitimate browser API that allows a webpage to read, modify, and exfiltrate files from a user-selected folder. Even users without specialized knowledge can obtain a prototype by simply describing malicious intent in plain language, making actual platform features they didn't even know existed work for malicious purposes. From Hallucination to Fully Functional Proof of Concept (PoC) CPR built and validated a proof of concept (PoC) for thi