
2 Separate Campaigns Probe Corporate LLMs for Secrets


These articles are AI-generated summaries. Please check the original sources for full details.

A Tale of 2 Cyber Campaigns Against AI Platforms

Two separate campaigns launched nearly 91,403 sessions targeting public LLM endpoints between October 2025 and January 2026, seeking to exploit vulnerabilities and map the growing AI infrastructure landscape. One campaign leveraged SSRF vulnerabilities, while the other systematically probed 73+ LLM model endpoints for misconfigurations.

The increasing adoption of public LLMs creates a larger attack surface, enabling malicious actors to identify and exploit vulnerabilities in organizations’ AI deployments, potentially leading to data breaches and intellectual property theft. The scale of these attacks – 80,469 sessions in 11 days from one campaign – demonstrates significant investment by attackers.

Key Insights

  • 91,403 attack sessions: Total number of sessions observed targeting LLM endpoints. (GreyNoise, 2026)
  • SSRF Exploitation: Attackers use Server-Side Request Forgery to force servers into making connections to malicious infrastructure.
  • JA4 Fingerprinting: A network fingerprinting standard used to identify and block malicious tooling and automation.

Practical Applications

  • Use Case: Security teams using GreyNoise data to block malicious IPs and domains associated with LLM probing.
  • Pitfall: Exposing LLM endpoints without proper egress filtering can lead to SSRF exploitation and data leakage.
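
The egress-filtering pitfall above, as an added application-layer example (not code from the original article or from GreyNoise): before an LLM service fetches a URL supplied in a request, it checks the host against an allow-list and rejects any name that resolves to a non-public address. The host names, the allow-list, and the resolver answers in the demo are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the only hosts this service may fetch from (constructed names).
ALLOWED_HOSTS = {"models.example.com", "registry.example.com"}


def resolve(host):
    """Return every IP address the host resolves to, using system DNS."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_egress(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve):
    """Return (allowed, reason) for a fetch URL supplied in an API request."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme not https"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if host not in allowed_hosts:
        return False, "host not on allow-list"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "resolution failed"
    if not addrs:
        return False, "no addresses"
    for addr in addrs:
        # An allow-listed name must not resolve to internal or metadata ranges.
        if not ipaddress.ip_address(addr).is_global:
            return False, f"non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver answers so the demo runs offline.
    fake = {"models.example.com": ["93.184.216.34"],
            "registry.example.com": ["169.254.169.254"]}
    for u in ("https://models.example.com/llama.bin",
              "https://registry.example.com/pull",
              "https://unlisted.example.net/callback"):
        print(u, check_egress(u, resolver=fake.__getitem__))
```

The fetch should connect to the address that was checked, and each redirect hop needs the same check. Network-level egress rules remain the backstop if this check is bypassed.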
