What happened
On June 17, 2026, the Sysdig Threat Research Team published research documenting a June 12, 2026 intrusion in which a threat actor wired a publicly exposed, unauthenticated Ollama model server (port 11434) into a fully automated multi-stage offensive pipeline: the AI model autonomously scanned targets, matched them to known vulnerabilities, wrote proof-of-concept exploits, and attempted compromise, making decisions at every step without human involvement. Sysdig captured the complete framework architecture from the attacker's system prompts. This is the latest evolution of LLMjacking, a term Sysdig coined in 2024; approximately 175,000 publicly exposed Ollama instances are known to exist.
Why it matters
LLMjacking has evolved from credential theft for API resale to full agentic offensive tooling: exposed AI compute is now the brain of autonomous attack pipelines, not just a cost-theft target. This validates in the wild what researchers had theorized: a capable local model on an internet-exposed server gives attackers free autonomous red-team capability. The 175,000 exposed Ollama instances represent a massive, largely unaddressed attack surface.
Applicability
Any organization running self-hosted AI inference servers (Ollama, vLLM, etc.) must audit for public exposure immediately — enforce authentication and restrict port 11434 (and equivalents) to private networks. Cloud security teams should add AI inference server exposure to their external attack surface scanning.
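
One way to run the host-side part of that audit, as an added example that is not from the Sysdig research: it parses `ss -ltnH` output from a server you administer and flags listeners on port 11434 that are bound beyond loopback or RFC 1918 / unique-local ranges. The sample output and all function names are constructed for illustration.

```python
import ipaddress

OLLAMA_PORT = 11434  # port named in the write-up
# RFC 1918 and IPv6 unique-local ranges; any other non-loopback bind counts as public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample of `ss -ltnH` output (not data from the research).
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:11434 0.0.0.0:*
LISTEN 0 4096 10.20.0.5:11434 0.0.0.0:*
LISTEN 0 4096 [::]:11434 [::]:*
LISTEN 0 4096 203.0.113.7:11434 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:11434 *:*
"""

def classify_bind(addr):
    """Classify a bind address as loopback, private, all-interfaces or public."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and zone/interface id
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    if any(ip.version == n.version and ip in n for n in PRIVATE_NETS):
        return "private"
    return "public"

def audit(ss_output, port=OLLAMA_PORT):
    """Return (local_address, verdict) for every TCP listener on `port`."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, lport = fields[3].rpartition(":")
        if lport == str(port):
            findings.append((fields[3], classify_bind(addr)))
    return findings

def exposed(findings):  # listeners reachable beyond loopback and private ranges
    return [local for local, verdict in findings if verdict in ("all-interfaces", "public")]

if __name__ == "__main__":
    for local, verdict in audit(SAMPLE_SS):
        print(f"{verdict:15} {local}")
```

An "all-interfaces" bind is only as private as the host's firewall and network placement make it, so treat those findings as items to verify against security-group and perimeter rules rather than as confirmed exposure.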