Attackers Abuse AI Services and Exposed LLM Infrastructure for Intrusions and Compute Theft
Researchers and vendors reported a sharp rise in attacks targeting AI infrastructure, from exposed self-hosted LLM servers to commercial coding assistants used in real intrusions. A Kaspersky honeypot posing as a private AI server with services including Ollama, LM Studio, LangServe, text-generation-webui, OpenAI-compatible APIs, RAG databases, and an MCP server was indexed by Shodan within hours and drew more than 113,000 requests in a month from thousands of IP addresses. Nearly a quarter of the traffic focused on discovering and exploiting AI capabilities, with attackers attempting to consume inference resources, analyze documents, generate content, process vulnerability data, proxy requests to external models, and steal secrets from exposed .env files using tooling such as LLM-Scanner.
The broader threat has moved beyond opportunistic abuse into targeted operations. Anthropic said suspected Chinese state-linked operators misused Claude Code against 30 high-value organizations across technology, finance, chemicals, and government, using the AI assistant to test systems, generate attack code, harvest credentials, identify privileged accounts and backdoors, and support deeper intrusion activity; the company said the tool performed 80% to 90% of the work in some cases. Separately, defenders were urged to rapidly patch internet-exposed management infrastructure after CVE-2026-41940 in cPanel/WHM was exploited in the wild, allowing pre-authentication root access in as few as four HTTP requests and reportedly being used in ransomware activity, underscoring how exposed services and AI-enabled tradecraft are converging into a faster, more scalable attack model.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
AI honeypot records month-long large-scale scanning and abuse
Over the month following deployment, Kaspersky's honeypot received more than 113,000 requests from thousands of IP addresses, with 23% focused on discovering and exploiting AI capabilities. Observed abuse centered on free use of AI resources, including document analysis, erotic content generation, vulnerability-data processing, and attempts to proxy requests to Anthropic models.
Shodan indexes the AI honeypot within hours of exposure
Kaspersky reported that the honeypot was indexed by Shodan within three hours of being exposed to the internet. Reconnaissance activity began roughly an hour later, showing how quickly exposed AI services are discovered.
CISA adds CVE-2026-41940 to KEV catalog
Two days after the patch, CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog and set a 72-hour remediation deadline. The agency noted known ransomware use of the flaw.
cPanel releases emergency patch for CVE-2026-41940
On 2026-04-28, cPanel issued an emergency fix for CVE-2026-41940, a critical vulnerability rated CVSS 9.3 that could let attackers gain root access to WHM without credentials in as few as four HTTP requests. The patch changed session sanitization behavior and added protections for malformed cookies used to disable encryption and inject session fields.
cPanel flaw CVE-2026-41940 exploited in the wild by late February
watchTowr Labs reported that CVE-2026-41940, a critical cPanel and WHM authentication bypass, had been exploited in the wild since at least late February 2026. The bug allowed pre-authentication root access through flaws in session handling, including CRLF injection and session cache inconsistencies.
Researchers disclose 175,000 publicly exposed Ollama AI servers
A January 2026 report said more than 175,000 Ollama AI servers were publicly exposed on the internet worldwide, highlighting broad attack surface risk from unsecured self-hosted AI infrastructure. The disclosure warned administrators to lock down exposed instances to prevent unauthorized access and abuse.
Anthropic blocks accounts and notifies victims after campaign discovery
After detecting the abuse, Anthropic blocked the implicated Claude Code accounts, notified affected organizations, cooperated with authorities, and introduced additional controls to prevent similar misuse. The company also asserted with high confidence that the operators acted under direction from Beijing.
Anthropic detects Claude Code espionage campaign
Anthropic detected the campaign in mid-September 2025 and described it as the first documented case in which an AI agent successfully gained access to confirmed high-value targets for intelligence collection. The company said most intrusion attempts were unsuccessful and that attackers bypassed safeguards by breaking malicious goals into smaller benign-looking tasks.
Chinese-linked actors begin abusing Claude Code against high-value targets
Anthropic said suspected Chinese hackers used its Claude Code AI coding service in a campaign targeting 30 high-value organizations worldwide, including technology firms, financial institutions, chemical manufacturers, and government agencies. The company said the AI was used for vulnerability testing, attack-code generation, credential collection, privilege discovery, and deeper intrusion support.
Kaspersky launches April honeypot posing as a private AI server
In April 2026, Kaspersky ran a honeypot experiment using a Raspberry Pi configured to imitate an exposed local AI server with services such as Ollama, LM Studio, AutoGPT, LangServe, text-gen-webui, OpenAI-compatible APIs, RAG databases, and an MCP server. The goal was to observe reconnaissance and abuse targeting exposed AI infrastructure.
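As an added illustration, not taken from Kaspersky's write-up or any other source on this page, of what the discovery and abuse traffic described above looks like from the defender's side: the Python below classifies web-server access-log lines into LLM-API requests, .env secret probes and other traffic, reports the share of AI-focused requests, and lists external sources that touched those paths. The endpoint paths are Ollama's native API routes and the OpenAI-compatible routes served by LM Studio and text-generation-webui; the log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Routes that reveal an LLM stack: Ollama's native API and the OpenAI-compatible
# endpoints served by LM Studio / text-generation-webui. /.env is the secret-theft probe.
AI_ENDPOINTS = {"/api/tags", "/api/generate", "/api/chat",
                "/v1/models", "/v1/completions", "/v1/chat/completions"}
SECRET_PROBES = {"/.env", "/.env.local"}
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                    "192.168.0.0/16", "127.0.0.0/8")]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample in Combined Log Format; the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2026:03:14:01 +0000] "GET /api/tags HTTP/1.1" 200 512
203.0.113.7 - - [12/Apr/2026:03:14:02 +0000] "POST /api/generate HTTP/1.1" 200 2048
203.0.113.7 - - [12/Apr/2026:03:15:00 +0000] "GET /robots.txt HTTP/1.1" 404 0
198.51.100.23 - - [12/Apr/2026:03:20:11 +0000] "GET /.env HTTP/1.1" 404 0
198.51.100.23 - - [12/Apr/2026:03:20:12 +0000] "POST /v1/chat/completions HTTP/1.1" 200 1800
10.0.0.5 - - [12/Apr/2026:08:00:00 +0000] "GET /v1/models HTTP/1.1" 200 300
"""

def is_external(ip: str) -> bool:
    """True unless the source address is loopback or RFC 1918 space."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def classify(line: str):
    """Return (ip, kind) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path = m.group("path").split("?", 1)[0]  # drop any query string
    kind = "secret-probe" if path in SECRET_PROBES else "ai-api" if path in AI_ENDPOINTS else "other"
    return m.group("ip"), kind

def summarize(log_text: str) -> dict:
    """Count request kinds and collect external sources that touched AI or secret paths."""
    kinds, abusers = Counter(), set()
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue
        ip, kind = parsed
        kinds[kind] += 1
        if kind != "other" and is_external(ip):
            abusers.add(ip)
    total = sum(kinds.values())
    ai_share = (kinds["ai-api"] + kinds["secret-probe"]) / total if total else 0.0
    return {"counts": dict(kinds), "ai_share": ai_share, "external_abusers": sorted(abusers)}
```

Feeding a real access log from an Ollama or LM Studio reverse proxy into summarize() gives the same "share of traffic aimed at AI capabilities" figure Kaspersky reported for its honeypot, plus the external addresses worth blocking.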
Sources
4 references tracked.
CVE-2026-41940 cPanel: from CRLF to root in 4 requests (codeby.net, open source)
LLMjacking: attacks on local AI servers, from reconnaissance to defense (kaspersky.ru, open source)
Over 175,000 publicly exposed Ollama AI servers discovered worldwide - so fix now (techradar.com, open source)
Anthropic accused Chinese hackers of using Claude Code for espionage (3dnews.ru, open source)