February 9, 2026

Threat Actors Actively Targeting LLMs

GreyNoise says its Ollama honeypots recorded 91,403 attack sessions from October 2025 to January 2026, and within that noise it identified two distinct campaigns aimed at AI/LLM infrastructure. The first campaign focused on server-side request forgery (SSRF)—tricking a server into making outbound requests to attacker-controlled systems—by abusing Ollama’s model-pull mechanism (injecting malicious registry URLs) and, in related activity, Twilio SMS webhook MediaUrl parameters. The activity spiked sharply over Christmas (about 1,688 sessions in 48 hours) and used ProjectDiscovery OAST callback infrastructure to confirm whether SSRF worked. Based on consistent network fingerprints and the use of typical research tooling, GreyNoise assesses this stream as likely coming from security testing/bug-bounty style activity—though at a scale and timing that may cross into “grey-hat” behavior.

The second campaign is more concerning: starting December 28, 2025, two IPs generated 80,469 sessions in 11 days by systematically probing 73+ LLM model endpoints, likely trying to find misconfigured proxies that expose access to paid commercial model APIs. The probes tested both OpenAI-compatible and Gemini-style API formats across many model families, while using intentionally harmless prompts (e.g., “hi,” simple trivia questions) to fingerprint which backend responded without triggering alarms. GreyNoise links the source infrastructure to broad CVE-scanning/exploitation activity and concludes this looks like professional reconnaissance—building a target list for later abuse. The post recommends practical defenses like locking model pulls to trusted registries, applying egress filtering to reduce SSRF “phone-home” validation, alerting on rapid multi-endpoint probing patterns (including those “fingerprinting” prompts), and blocking known OAST callback domains/IPs and suspicious ASNs where appropriate.

Source: https://www.greynoise.io/blog/threat-actors-actively-targeting-llms
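One way to implement the "alert on rapid multi-endpoint probing" recommendation, as an added example that is not GreyNoise's code: it flags any source that sends short, harmless-looking prompts to many distinct models inside one time window. The log tuple layout, thresholds, placeholder model names and documentation-range IPs are all assumptions made for this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed sliding window
MIN_MODELS = 5                  # assumed distinct-model threshold per source
MAX_PROMPT_LEN = 40             # assumed cutoff for "short, harmless" prompts

OPENAI, GEMINI = "/v1/chat/completions", "/v1beta/models/{}:generateContent"
# Constructed proxy log: (timestamp, source IP, path, model, prompt).
SAMPLE_LOG = [
    ("2026-01-02T10:00:00", "203.0.113.7", OPENAI, "model-a", "hi"),
    ("2026-01-02T10:00:20", "203.0.113.7", OPENAI, "model-b", "hi"),
    ("2026-01-02T10:00:40", "203.0.113.7", OPENAI, "model-c", "hi"),
    ("2026-01-02T10:01:00", "203.0.113.7", GEMINI.format("model-d"), "model-d", "hi"),
    ("2026-01-02T10:01:20", "203.0.113.7", GEMINI.format("model-e"), "model-e", "hi"),
    ("2026-01-02T10:01:40", "203.0.113.7", OPENAI, "model-f", "hi"),
    ("2026-01-02T10:00:05", "198.51.100.20", OPENAI, "model-a",
     "Summarise the attached incident timeline for the weekly report."),
    ("2026-01-02T10:03:00", "198.51.100.20", OPENAI, "model-a", "thanks"),
]

def api_style(path):
    """Label a request path as OpenAI-compatible or Gemini-style."""
    if path.startswith("/v1/chat/completions"):
        return "openai"
    if path.endswith(":generateContent"):
        return "gemini"
    return "other"

def find_enumerators(records, window=WINDOW, min_models=MIN_MODELS):
    """Sources that sent short prompts to >= min_models models in one window."""
    by_src = defaultdict(list)
    for ts, src, path, model, prompt in records:
        if len(prompt.strip()) <= MAX_PROMPT_LEN:
            by_src[src].append((datetime.fromisoformat(ts), model, api_style(path)))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            span = events[start:end + 1]
            models = {m for _, m, _ in span}
            if len(models) >= min_models and len(models) > alerts.get(src, {}).get("models", 0):
                alerts[src] = {"models": len(models), "styles": sorted({s for _, _, s in span})}
    return alerts

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

A source that appears in the result with both API styles is a stronger signal than one that simply switches between a few models of one provider.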
