Hackers Hijack Exposed AI Endpoints in "Bizarre Bazaar" Campaign, Recording 35,000+ Attack Sessions
Published · updated · curated by AI Is Going Just Great
Source: ctrlaltnod.com ↗
Attacks commence within hours of a misconfigured endpoint appearing in internet scans — before many organizations even know they're exposed.
Pillar Security researchers disclosed a cybercrime campaign dubbed "Bizarre Bazaar," documented over a 40-day honeypot observation period, in which attackers systematically targeted misconfigured LLM infrastructure. The operation logged over 35,000 attack sessions, with attackers focusing on unauthenticated Ollama endpoints (port 11434), OpenAI-compatible APIs (port 8000), and publicly accessible Model Context Protocol (MCP) servers — with exploitation beginning within hours of an endpoint appearing in internet reconnaissance scans like Shodan or Censys.
The attack vector isn't a software vulnerability but something more embarrassing: basic misconfiguration. Organizations left their AI inference endpoints open to the internet without authentication, and attackers obliged by running unauthorized — and expensive — inference operations on someone else's dime. MCP servers added insult to injury by potentially enabling lateral movement within compromised networks. No specific threat actor has been attributed, and total financial damage remains unconfirmed.