What happened
On June 12, 2026, Sysdig's Threat Research Team observed a threat actor abusing a publicly exposed, unauthenticated Ollama model server as the reasoning backend for a multi-stage offensive hacking framework that identifies itself as 'VAPT'. The actor wired unauthenticated model inference into a pipeline that performed service fingerprinting (CPE-mapped), vulnerability matching, web reconnaissance, blind time-based SQL injection payload synthesis with filter evasion, credential extraction, and privilege-escalation orchestration until remote code execution was confirmed. The framework sent full stage instructions on every model call (which let Sysdig capture the complete architecture), enforced machine-parseable JSON outputs, and used a detection marker sequence (echo VAPTb3gin; id; echo VAPTfin) to confirm compromise. Sysdig published the research on June 17, 2026. During the observation window, probes targeted private lab ranges; the actor appeared to be tuning the framework.
Why it matters
Roughly 175,000 Ollama instances are publicly reachable across 130+ countries with no authentication, providing free AI compute for attackers. This incident marks an evolution from LLMjacking-as-API-theft to LLMjacking-as-autonomous-offensive-agent: the stolen model capacity is now the decision-making brain of a self-driving exploit chain. Any organisation running self-hosted Ollama or similar unauthenticated model servers (llama.cpp, LM Studio listening on 0.0.0.0) is directly in the blast radius — their compute can be seized and weaponised without any credentials being stolen.
Attack vector
The attacker discovers an internet-exposed Ollama instance (port 11434, no authentication by default). The attacker then sends structured prompt-engineering sequences to the model API, using the model as the reasoning engine for each stage of an autonomous penetration-testing pipeline (fingerprinting → CVE matching → exploit synthesis → SQL injection → credential extraction → RCE).
Affected systems
Ollama (all versions) with default configuration binding to 0.0.0.0:11434 with no authentication; also any self-hosted open-weight model server exposed to the internet without an auth proxy.
Mitigation
Bind Ollama to localhost only (set OLLAMA_HOST=127.0.0.1). Block port 11434 at the firewall/security-group level. Place an authenticated reverse proxy (nginx + basic auth or mTLS) in front of any externally accessible model endpoint. Monitor for the IOCs: VAPTb3gin/VAPTfin marker strings, source IPs 122.183.48.82/35/195. See: https://www.sysdig.com/blog/llmjacking-evolved-attackers-are-using-stolen-ai-compute-to-build-offensive-agentic-tools
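
The IOC monitoring step above, as an added example (not code from Sysdig or from the framework): it scans log lines for the VAPTb3gin/VAPTfin markers and the listed source IPs. It assumes the page's "122.183.48.82/35/195" lists three last octets rather than a CIDR prefix; the sample log lines and their layout are constructed.

```python
import ipaddress
import re

# Marker strings from the page; the framework echoes them around `id` to confirm RCE.
MARKERS = ("VAPTb3gin", "VAPTfin")
# Source-IP IOC exactly as written on the page.
IOC_IPS_SHORTHAND = "122.183.48.82/35/195"


def expand_last_octets(shorthand):
    """Expand 'a.b.c.x/y/z' into full addresses.

    Assumption: '/35/195' lists alternative last octets, not a CIDR prefix.
    """
    first, *rest = shorthand.split("/")
    prefix = first.rsplit(".", 1)[0]
    addrs = [first] + [f"{prefix}.{octet}" for octet in rest]
    # ip_address() raises ValueError on anything that is not a valid address.
    return {str(ipaddress.ip_address(a)) for a in addrs}


IOC_IPS = expand_last_octets(IOC_IPS_SHORTHAND)

# Client IP at the start of an access-log line (layout is an assumption).
CLIENT_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def scan(lines):
    """Return (line_number, reason) for every IOC match, in input order."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CLIENT_IP.match(line)
        if m and m.group(1) in IOC_IPS:
            hits.append((n, f"ioc-source-ip:{m.group(1)}"))
        for marker in MARKERS:
            if marker in line:
                hits.append((n, f"marker:{marker}"))
    return hits


# Constructed sample: two proxy access-log lines and one process-execution line.
SAMPLE_LOG = [
    '198.51.100.20 - - [12/Jun/2026:09:58:01 +0000] "GET /api/tags HTTP/1.1" 200 512',
    '122.183.48.35 - - [12/Jun/2026:10:01:44 +0000] "POST /api/generate HTTP/1.1" 200 2048',
    'host1 audit: exec sh -c "echo VAPTb3gin; id; echo VAPTfin"',
]

if __name__ == "__main__":
    for line_no, reason in scan(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

A source-IP hit on the model server's own proxy log points to its compute being used; a marker hit in process or web logs points to a host the framework reached.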