5 min read
Threat Actors GreyNoise honeypots captured 91,403 attack sessions targeting enterprise LLM endpoints across two distinct campaigns between October 2025 and January 2026. One campaign fingerprinted 73+ model endpoints across all major AI providers. The other exploited SSRF vulnerabilities in Ollama and Twilio integrations.