Attackers Exploit Exposed AI Endpoints for Offensive Operations

First seen 1 Jul 2026, 14:32 UTC. Sources: Darkreading, labs.zenity.io

Article Content

Between March and May 2026, Zenity researchers observed three distinct campaigns where attackers hijacked exposed AI endpoints from Ollama and LiteLLM for offensive operations. The attackers exploited inference endpoints without needing special authentication, simply configuring agents to use these endpoints as their model backends. Two autonomous penetration testing frameworks, Strix and HexStrike AI, along with an OpenAI Codex agent, were utilized in these operations. Notably, one operator sent a 140,000-character prompt to weaponize Strix against a French auction site. The lack of built-in authentication and common misconfigurations left these endpoints vulnerable. Zenity's honeypots captured the attacks, preventing further exploitation. The incidents highlight significant security risks associated with misconfigured AI services.

Key Points:
• Attackers exploited exposed AI endpoints without needing authentication.
• Three campaigns involved Strix, HexStrike AI, and an OpenAI Codex agent.
• Misconfigurations in Ollama and LiteLLM contributed to the vulnerabilities.
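The summary above turns on two observable traits of the abuse: inference requests arriving from sources that should never reach a model backend, often with no credential at all, and at least one prompt far larger than any legitimate client would send. The following is an added example (not code from Zenity, Dark Reading or ThreatCluster) of a defender-side triage pass over access logs from a reverse proxy placed in front of an Ollama or LiteLLM endpoint. The JSON field names, the allow-listed network, the 100 kB size threshold and the log lines themselves are constructed for this example; the request paths are Ollama's native API and the OpenAI-compatible surface LiteLLM serves.

```python
import ipaddress
import json

# Constructed sample access-log lines (JSON Lines) from a reverse proxy in front
# of an inference endpoint. Field names are an assumption for this example.
SAMPLE_LOG = """\
{"ts":"2026-03-20T10:02:11Z","src":"10.0.4.12","path":"/api/chat","auth":true,"body_bytes":2140,"ua":"internal-rag/1.2"}
{"ts":"2026-03-20T10:05:43Z","src":"203.0.113.77","path":"/api/generate","auth":false,"body_bytes":141200,"ua":"python-requests/2.31"}
{"ts":"2026-03-20T10:06:01Z","src":"203.0.113.77","path":"/api/tags","auth":false,"body_bytes":0,"ua":"python-requests/2.31"}
{"ts":"2026-05-31T08:13:09Z","src":"198.51.100.9","path":"/v1/chat/completions","auth":true,"body_bytes":5120,"ua":"openai-python/1.30"}
{"ts":"2026-05-31T08:13:30Z","src":"10.0.4.15","path":"/v1/models","auth":true,"body_bytes":0,"ua":"curl/8.5"}
"""

# Networks that are allowed to reach the model backend (constructed).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Paths that actually drive inference: Ollama's native API plus the
# OpenAI-compatible routes that a LiteLLM proxy exposes.
INFERENCE_PATHS = {"/api/generate", "/api/chat", "/v1/chat/completions", "/v1/completions"}

# The incident summary mentions a 140,000-character prompt; 100 kB is a
# constructed threshold above which a request body deserves a look.
LARGE_BODY_BYTES = 100_000


def src_allowed(src: str) -> bool:
    """True if the client address falls inside an allow-listed network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_NETS)


def analyze(line: str) -> list[str]:
    """Return the finding labels for one access-log record (empty if benign)."""
    rec = json.loads(line)
    findings = []
    if not src_allowed(rec["src"]):
        findings.append("external-source")
    if not rec["auth"]:
        findings.append("no-auth")
    if rec["path"] in INFERENCE_PATHS and rec["body_bytes"] > LARGE_BODY_BYTES:
        findings.append("oversized-prompt")
    return findings


def scan(log_text: str) -> list[dict]:
    """Run analyze() over every line; keep only records that produced findings."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        findings = analyze(line)
        if findings:
            rec = json.loads(line)
            hits.append({"ts": rec["ts"], "src": rec["src"],
                         "path": rec["path"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]:<15} {hit["path"]:<22} {", ".join(hit["findings"])}')
```

Run as-is, the scan flags the two requests from 203.0.113.77 (no credential, one of them an oversized prompt to /api/generate) and the authenticated but off-network call to /v1/chat/completions, while the two internal requests pass. The same three checks map directly onto mitigations: bind the backend to a private interface, require a credential at the proxy (LiteLLM supports a master key; Ollama has none of its own, so the proxy must supply it), and cap request body size.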

ThreatCluster AI

Timeline

2026-03-20
Strix prompt sent to Ollama instance
An attacker used a LiteLLM client to send a 140,000-character prompt to weaponize Strix against a French auction site.
labs.zenity.io
2026-03-20
HexStrike AI targeted honeypot
An attacker pointed HexStrike AI at the honeypot's Ollama instance, sending over 150 offensive tools without a specified target.
Darkreading
2026-05-31
OpenAI Codex agent directed to conduct reverse-engineering
A third operator used an OpenAI Codex agent to perform web reverse-engineering work against the honeypot's LiteLLM proxy.
Darkreading
