Skip to content
AI Security Wire

Published

- 4 min read

By

LLMjacking Evolves: Attackers Use Exposed Ollama as AI Hacking Engine

img of LLMjacking Evolves: Attackers Use Exposed Ollama as AI Hacking Engine

Researchers at Sysdig’s Threat Research Team have documented a new chapter in the LLMjacking playbook. Rather than simply stealing AI compute to generate content or run credentials up a cloud bill, threat actors are now wiring that stolen compute into automated attack frameworks, turning misconfigured AI model servers into the brains of multi-stage offensive operations.

The campaign, which Sysdig observed in mid-June 2026, centres on a toolkit the team is calling VAPT (after telltale strings embedded in the tool’s output). The attacker finds an internet-exposed Ollama instance, plugs it into a software pipeline, and lets the model do the thinking: scanning targets, matching services to known CVEs, writing proof-of-concept exploits, and attempting to break in, with minimal human direction at each step.

How VAPT Works

The VAPT pipeline runs in stages that map closely to a conventional penetration test workflow, hence the name. It starts with service fingerprinting: the tool scans a target network range, identifies listening ports and service banners, and passes that information to the LLM. The model then reasons about which known vulnerabilities are likely applicable and instructs downstream modules to attempt them.

What makes this distinct from basic scripted scanning is the adaptive decision-making in the middle layer. If an initial exploit attempt fails, the model re-evaluates and tries a variant. The pipeline includes modules for SQL injection crafting, credential extraction from environment variables and configuration files, web reconnaissance, and privilege escalation, all directed by the embedded LLM rather than hard-coded logic.

Sysdig’s team found the confirmation routine particularly revealing. Before each probe, the tool echoes the string VAPTb3gin. After completion, VAPTfin. These markers were almost certainly left in by the developer for debugging but serve as useful detection signatures for defenders.

Ollama: The Unprotected AI Brain

The technical precondition for this attack is straightforward. Ollama, the widely used open-source tool for running AI models on local hardware, listens by default on port 11434 with no authentication required. Pull up any instance reachable from the internet and you can send it inference requests, no credentials needed.

Independent researchers catalogued roughly 175,000 publicly exposed Ollama instances across more than 130 countries earlier this year. For a threat actor building VAPT, these represent effectively free, anonymous AI inference capacity. There is no API key to burn, no rate limit linked to an identity, and no billing trail. The victim’s own GPU pays for the attack.

Sysdig also observed the VAPT operator using exposed LiteLLM proxy endpoints in the same fashion. LiteLLM is commonly deployed as an internal gateway to multiple LLM providers, and misconfigured instances face the same unauthenticated exposure risk.

The Shift in LLMjacking Objectives

This represents something qualitatively different from the LLMjacking campaigns documented in 2024 and 2025. Those operations were essentially compute theft: attackers grabbed cloud AI credentials and used them to run their own inference workloads at the victim’s expense. Financially motivated, but fundamentally passive in terms of the AI’s role.

What Sysdig is describing in June 2026 is AI-as-attacker. The stolen compute is not the product; it is the operator. The model is making targeting decisions, writing offensive code, and adapting when things go wrong. The human attacker’s role shrinks to pointing the pipeline at a target and reading the results.

That shift has real implications for the skill ceiling of offensive operations. Running a sophisticated multi-stage attack against a hardened network has historically required expertise in service enumeration, exploit development, and post-exploitation tradecraft. VAPT-style frameworks outsource that expertise to a language model and open the capability to a much wider pool of operators.

What Defenders Should Do

The most direct mitigation is eliminating the precondition. Ollama and LiteLLM instances should never be internet-facing without authentication. Both tools support environment variable configuration to bind only to localhost or to require bearer token authentication. Any deployment exposed on a cloud virtual machine or container host should be audited immediately.

Beyond that, the VAPTb3gin and VAPTfin strings are reliable detection signatures for this specific campaign. Network defenders and SIEM teams should add them to log monitoring rules. Broader monitoring for unexpected LLM inference traffic from internal servers, particularly outbound connections from hosts running Ollama on port 11434, can also surface compromised instances being used as unwilling AI infrastructure.

Sysdig’s full research note is available at their blog.

References

Frequently Asked Questions

What is LLMjacking evolved, and how is it different from earlier versions?
Earlier LLMjacking involved stealing cloud AI credentials to run up inference costs for the attacker's own use, typically for content generation. The evolved version documented by Sysdig goes further: attackers use exposed or hijacked AI compute as the decision-making brain for automated multi-stage cyberattacks, not just for outputs. The AI model scans targets, selects vulnerabilities, writes exploits, and drives the attack chain autonomously.
Why are Ollama servers so commonly exposed and exploited?
Ollama is designed for running AI models locally and listens on port 11434 with no authentication by default. Many developers spin up instances for testing or internal use without firewalling the port. Researchers have found roughly 175,000 publicly reachable Ollama instances across more than 130 countries, giving attackers essentially free, anonymous AI compute.
How can security teams detect the VAPT framework in their environment?
The VAPT framework's compromise-confirmation routines echo the strings VAPTb3gin before a probe and VAPTfin after completion. Monitoring network traffic or command output logs for these strings is a practical indicator of compromise. Defenders should also monitor for unexpected outbound connections from any internal Ollama or LiteLLM endpoints to external scanning infrastructure.