LLMs in Attacker Crosshairs, Warns Threat Intel Firm
Threat actors have been probing misconfigured proxy servers that could provide them with access to LLM APIs, threat intelligence firm GreyNoise reports.
Between October 2025 and January 2026, the company’s honeypots captured over 91,000 attack sessions, including assaults associated with two campaigns.
The first started in October and relied on ProjectDiscovery’s OAST (Out-of-band Application Security Testing) infrastructure to exploit server-side request forgery (SSRF) vulnerabilities.
The campaign spiked over Christmas, and most of the attacks had the same signature, suggesting automated tooling.
Based on the observed VPS-based attack infrastructure, GreyNoise believes that the campaign was conducted by security researchers or bug hunters, but does not exclude the possibility of a grey-hat operation.
The second campaign started on December 28 and involved 80,469 attack sessions over an 11-day period. The attackers were probing more than 70 LLM model endpoints, looking for misconfigurations that could leak access to commercial APIs, GreyNoise explains.
The attacks performed reconnaissance against models from OpenAI (GPT-4o and variants), Anthropic (Claude Sonnet, Opus, Haiku), Meta (Llama 3.x), DeepSeek (DeepSeek-R1), Google (Gemini), Mistral, Alibaba (Qwen), and xAI (Grok).
“Test queries stayed deliberately innocuous with the likely goal to fingerprint which model actually responds without triggering security alerts,” GreyNoise notes.
The attacks originated from two IP addresses associated with the exploitation of more than 200 vulnerabilities, including CVE-2025-55182 (React2Shell) and CVE-2023-1389, a command injection bug in TP-Link Archer AX21 routers.
According to GreyNoise, the campaign is likely mounted by a threat actor conducting reconnaissance to build a target list in preparation for a larger exploitation operation.
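For defenders running an LLM proxy, the enumeration pattern described above (a single source requesting many models across unrelated vendors in a short span) can be checked in access logs. The following is an added example, not code from GreyNoise or the original article; the JSON log format, the field names `ts`, `src` and `model`, the thresholds, and all sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Model-name prefixes for the vendors named in the report.
FAMILIES = {"gpt": "OpenAI", "claude": "Anthropic", "llama": "Meta",
            "deepseek": "DeepSeek", "gemini": "Google", "mistral": "Mistral",
            "qwen": "Alibaba", "grok": "xAI"}

def family(model):
    m = model.lower()
    return next((v for k, v in FAMILIES.items() if m.startswith(k)), "other")

def find_enumerators(lines, window=timedelta(minutes=10),
                     min_models=5, min_families=3):
    """Return {src: (models, families)} for sources that request at least
    min_models distinct models from min_families vendors inside one window.
    Thresholds are assumed starting points, not values from the report."""
    by_src = defaultdict(list)
    for line in lines:
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"])
            by_src[str(rec["src"])].append((ts, str(rec["model"])))
        except (ValueError, KeyError, TypeError):
            continue  # malformed record: skip it, keep processing
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # keep the span within the window
            models = {m for _, m in events[start:end + 1]}
            fams = {family(m) for m in models} - {"other"}
            if len(models) >= min_models and len(fams) >= min_families:
                flagged[src] = max(flagged.get(src, (0, 0)),
                                   (len(models), len(fams)))
    return flagged

def make_record(sec, src, model):
    ts = f"2026-01-01T00:{sec // 60:02d}:{sec % 60:02d}"
    return json.dumps({"ts": ts, "src": src, "model": model})

# Constructed sample: one source sweeping vendors, one ordinary client.
SWEEP = ["gpt-4o", "claude-sonnet", "llama-3", "deepseek-r1",
         "gemini", "qwen", "grok"]
SAMPLE = ([make_record(i * 5, "203.0.113.7", m) for i, m in enumerate(SWEEP)]
          + [make_record(i * 30, "198.51.100.20", "gpt-4o") for i in range(20)]
          + ["not json"])
```

Because the test queries themselves are innocuous, the signal here is the breadth of models requested per source rather than the content of any one request.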
This article was published by Security Week. Please check their website for the original content.