This seems to be a prevalent issue now: People vibe code security applications and the LLM generates real malware for testing.
The generated test files rely on real threat actor infrastructure to download or exfiltrate.
hxxps://github.com/DataDog/guarddog/blob/main/tests
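
One way to catch this in a test suite, as an added example that is not part of the original post and not GuardDog's own code: a fixture linter that flags any URL host or IPv4 address outside the names and ranges reserved for documentation and testing. The function names and the sample fixture are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Names and TLDs reserved for documentation/testing (RFC 2606, RFC 6761).
RESERVED_NAMES = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
# Address blocks reserved for documentation (RFC 5737, RFC 3849).
DOC_NETS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]

URL = re.compile(r"(?:https?|ftp)://[^\s'\"<>)]+", re.I)
BARE_IPV4 = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")

# Constructed sample fixture: lines 1-2 use reserved hosts, lines 3-4 do not.
SAMPLE_FIXTURE = '''\
urlopen("https://updates.example.com/stage2.py")
urlopen("http://203.0.113.7:8080/x")
urlopen("http://files.constructed-placeholder.net/payload")
post("http://8.8.8.8/collect", data=env)
'''


def host_is_safe(host: str) -> bool:
    """True if host is reserved, loopback or private (not publicly reachable)."""
    host = host.strip("[]").rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal: treat as a DNS name (fail closed)
        labels = host.split(".")
        return labels[-1] in RESERVED_TLDS or ".".join(labels[-2:]) in RESERVED_NAMES
    return ip.is_loopback or ip.is_private or any(ip in net for net in DOC_NETS)


def find_live_indicators(text: str) -> list[tuple[int, str]]:
    """Return (line_number, host) for each host that is not provably inert."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hosts = []
        for url in URL.findall(line):
            try:
                hosts.append(urlsplit(url).hostname or "")
            except ValueError:
                hosts.append(url)  # unparsable URL: report it, do not skip it
        hosts += BARE_IPV4.findall(line)
        for host in dict.fromkeys(hosts):  # de-duplicate, keep order
            if host and not host_is_safe(host):
                hits.append((lineno, host))
    return hits
```

Run `find_live_indicators` over every file under the test directory in CI and fail the build on any hit, so generated fixtures have to use reserved hosts before they can be merged.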