VYPR Research · Published Jun 18, 2026 · 1 source

Hackers Hijack Exposed Ollama AI Servers to Power Autonomous Hacking Pipeline

Sysdig researchers caught attackers using a misconfigured Ollama AI server as the brain for a fully automated hacking tool that scans, exploits, and extracts credentials without human intervention.

Attackers have found a new way to turn stolen AI compute into a weapon. Instead of simply reselling access to hijacked model servers, a threat actor has wired a misconfigured Ollama instance into a self-directed hacking pipeline that scans targets, matches vulnerabilities, builds exploits, and extracts credentials — all without human intervention. The attack, documented by Sysdig's Threat Research Team on June 12, 2026, marks a convergence of two previously separate trends: LLMjacking (the theft of AI compute resources) and AI-powered offensive tooling.

The scale of the exposure is staggering. Researchers have catalogued roughly 175,000 publicly accessible Ollama instances across more than 130 countries. Ollama listens on port 11434 with no authentication by default, meaning any internet-facing server becomes free AI compute for anyone who finds it. In this case, the attacker hijacked one such server and used it to power a framework that Sysdig named VAPT after the markers embedded in its code.

VAPT drives the AI model through a tightly defined sequence of automated stages. Each stage has one specific job, and the model must return structured output that the surrounding software can consume automatically. The stages observed included identifying services on a target, matching those to known vulnerabilities, building proof-of-concept exploits, crafting blind SQL injection payloads to bypass input filters, and pulling credentials from looted files. A privilege escalation stage also pushes deeper into a system once initial access is gained. Credential extraction alone was run well over a hundred times across the campaign.

What makes this framework especially capable is its autonomous orchestrator — a controller that drives the entire chain until it achieves command execution on the target. To confirm a successful compromise, the tool runs a specific command and looks for unique code markers bracketing the output. Once those appear, the confirmed exploit is frozen into a reusable template for replaying with any follow-up command. Across the campaign, the tool requested at least seven AI models, including commercial names like GPT-4o-mini, Claude-3-5-Sonnet, and Gemini-2.0-Flash-Exp alongside open-source local builds. Their presence shows the tool was originally built for paid APIs and simply redirected at the stolen Ollama server as a free substitute.

Every target during the capture was on a private, non-routable network. The actor tested against fictitious apps named "MediaVault Asset Portal" and "Reverb Studio," and later against a range linked to HackTheBox lab environments. No real public hosts were targeted, suggesting the tool is still being refined before deployment against actual victims. However, the infrastructure is in place, and the technique is fully operational.

Security teams should never expose Ollama or similar model servers to the public internet, and authentication must be added at the proxy or network layer since none is built in. Teams should monitor inference endpoints for unusual request volumes and audit internet-facing assets for open model servers. Any exposed AI inference endpoint should be treated with the same urgency as an exposed database or admin panel. The convergence of AI compute theft and autonomous hacking represents a significant escalation in the threat landscape, one that defenders must prepare for now.
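The monitoring advice above, as an added example that is not code from the Sysdig report or the Ollama project: a Python triage routine over constructed Ollama access-log lines that flags inference requests from outside the private network, unusual request volume from one source, and repeated requests for models the server does not have, which is the trail a client built for commercial APIs leaves when pointed at Ollama. The Gin-style log format, the thresholds and the assumption that Ollama answers a request for a missing model with HTTP 404 are the example's own.

```python
import ipaddress
import re
from collections import Counter
# Constructed sample in the Gin-style format Ollama's server prints (hypothetical
# hosts and timings, not from the Sysdig report); one line per request.
SAMPLE_LOG = """\
[GIN] 2026/06/12 - 10:00:01 | 200 |  812ms | 10.0.0.5 | POST "/api/chat"
[GIN] 2026/06/12 - 10:00:02 | 404 |    1ms | 203.0.113.7 | POST "/api/chat"
[GIN] 2026/06/12 - 10:00:02 | 404 |    1ms | 203.0.113.7 | POST "/api/chat"
[GIN] 2026/06/12 - 10:00:03 | 200 |  904ms | 203.0.113.7 | POST "/api/generate"
[GIN] 2026/06/12 - 10:00:09 | 200 |    3ms | 10.0.0.5 | GET "/api/tags"
"""
# Plus a burst of 25 prompts from the same outside host (one stage run repeatedly).
SAMPLE_LOG += "".join(f'[GIN] 2026/06/12 - 10:01:{i:02d} | 200 |  700ms | 203.0.113.7 | POST "/api/generate"\n'
                      for i in range(25))
LINE_RE = re.compile(r'\|\s*(\d{3})\s*\|.*?\|\s*([\d.a-fA-F:]+)\s*\|\s*(\w+)\s+"([^"]+)"')
INFERENCE_PATHS = ("/api/chat", "/api/generate")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    # RFC 1918 and loopback only; anything else reached the server from outside.
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def parse(log_text):
    """Yield (status, source_ip, method, path) for each request line."""
    for m in filter(None, map(LINE_RE.search, log_text.splitlines())):
        yield int(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_suspicious_sources(log_text, volume_threshold=20, unknown_model_threshold=2):
    """Map source IP -> reasons for clients whose inference use looks hijacked."""
    volume, not_found = Counter(), Counter()
    for status, ip, _method, path in parse(log_text):
        if path not in INFERENCE_PATHS:
            continue
        volume[ip] += 1
        # Assumption: a request naming a model Ollama lacks gets HTTP 404 (GPT-4o-mini etc.).
        if status == 404:
            not_found[ip] += 1
    findings = {}
    for ip, count in volume.items():
        reasons = []
        if not is_internal(ip):
            reasons.append("inference request from outside the private network")
        if count > volume_threshold:
            reasons.append(f"{count} inference requests in window: unusual volume")
        if not_found[ip] >= unknown_model_threshold:
            reasons.append(f"{not_found[ip]} requests for models not installed: client built for another provider")
        if reasons:
            findings[ip] = reasons
    return findings
```

Run against a real server's log the same rules apply unchanged; only the window size and thresholds need tuning to the deployment's normal traffic.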

Synthesized by Vypr AI