What happened
On June 12, 2026, the Sysdig Threat Research Team observed a threat actor using a publicly exposed, unauthenticated Ollama model server as the reasoning engine for an autonomous pentesting framework. The attacker integrated the model directly into a multi-stage vulnerability discovery and exploitation pipeline, marking an evolution of 'LLMjacking' from theft of paid inference APIs to weaponization of self-hosted AI infrastructure for autonomous offensive operations.
Why it matters
This represents a novel attack class: using exposed self-hosted AI models as the autonomous decision-making layer for multi-stage cyberattacks. Unlike traditional malware, the attack has reasoning capability baked in: the model makes tactical decisions about which vulnerabilities to prioritize, how to craft exploits, and when to execute. The researchers were able to capture the full framework architecture because the framework sends its complete instructions to the model on every request, revealing signatures like `VAPTb3gin` and `VAPTfin` that can be used for detection. This demonstrates the shift from AI infrastructure theft to AI-powered autonomous offensive operations.
Attack vector
Attacker discovers a publicly exposed Ollama model server with no authentication; integrates unauthenticated model inference into an automated multi-stage offensive framework (VAPT); framework scans targets, matches them to known CVEs, synthesizes proof-of-concept exploits, and attempts compromise, with the model making autonomous decisions at each stage; attacker controls the full offensive pipeline.
Affected systems
Ollama model servers (all versions with default unauthenticated HTTP mode)
Mitigation
Block internet exposure of Ollama servers; add authentication through reverse proxies or network controls; require API keys for all model endpoints; monitor Ollama endpoints for offensive-tooling markers such as `VAPTb3gin`, `VAPTfin`, and command sequences like `echo VAPTb3gin; id; echo VAPTfin`.
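The monitoring step above can be implemented as a simple scan over reverse-proxy access records for an Ollama server. The following is an added example written for this page; it is not Sysdig's detection logic or Ollama's code. It assumes the proxy in front of Ollama logs each request as a JSON line with the fields shown in `SAMPLE_LOG` (`ts`, `src`, `path`, `auth`, `body`); those field names, the IP addresses, the model name and the prompt bodies are constructed for the example. It flags the `VAPTb3gin`/`VAPTfin` markers and the `echo VAPTb3gin; id; echo VAPTfin` command sequence quoted in this advisory, and also flags requests that reached a model endpoint without authentication or from outside an assumed internal address range (the RFC 1918 and loopback ranges, chosen here as an illustrative allowlist).

```python
"""Scan Ollama reverse-proxy access records for the VAPT framework markers
named in the advisory, plus unauthenticated or external model access.

Added example: the log format, field names, addresses and prompts below are
constructed for illustration, not taken from the incident.
"""
import json
import re
from ipaddress import ip_address, ip_network

# Markers quoted in the advisory as offensive-tooling signatures.
MARKERS = ("VAPTb3gin", "VAPTfin")

# The quoted command sequence, matched loosely so spacing or extra commands
# between the two echo statements do not defeat the rule.
CMD_SEQUENCE = re.compile(r"echo\s+VAPTb3gin\s*;.*?;\s*echo\s+VAPTfin", re.DOTALL)

# Assumed internal ranges: requests from anywhere else are treated as external.
TRUSTED_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of proxy records (JSON lines). Ollama's HTTP API
# exposes /api/generate and /api/chat for inference; /api/tags lists models.
SAMPLE_LOG = """\
{"ts":"2026-06-12T10:01:03Z","src":"203.0.113.7","path":"/api/generate","auth":false,"body":{"model":"llama3","prompt":"You are the VAPT engine. Run: echo VAPTb3gin; id; echo VAPTfin and report the output."}}
{"ts":"2026-06-12T10:01:09Z","src":"10.0.4.20","path":"/api/chat","auth":true,"body":{"model":"llama3","messages":[{"role":"user","content":"Summarise this changelog."}]}}
{"ts":"2026-06-12T10:02:41Z","src":"203.0.113.7","path":"/api/chat","auth":false,"body":{"model":"llama3","messages":[{"role":"system","content":"VAPTb3gin"},{"role":"user","content":"Prioritise the findings above."}]}}
{"ts":"2026-06-12T10:03:00Z","src":"198.51.100.9","path":"/api/tags","auth":false,"body":{}}
"""


def prompt_text(body):
    """Collect every free-text field an inference request sends to the model.

    /api/generate carries `prompt` (and optionally `system`); /api/chat carries
    a `messages` list whose entries have a `content` string.
    """
    parts = []
    for key in ("prompt", "system"):
        if isinstance(body.get(key), str):
            parts.append(body[key])
    for msg in body.get("messages", []):
        if isinstance(msg, dict) and isinstance(msg.get("content"), str):
            parts.append(msg["content"])
    return "\n".join(parts)


def is_trusted_source(src):
    """True if the client address falls inside an assumed internal range."""
    addr = ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def analyse_record(rec):
    """Return the list of finding labels for one logged request (empty if clean)."""
    findings = []
    text = prompt_text(rec.get("body", {}))

    hits = [m for m in MARKERS if m in text]
    if hits:
        findings.append("marker:" + "+".join(hits))
    if CMD_SEQUENCE.search(text):
        findings.append("vapt-command-sequence")

    # The advisory asks for API keys on all model endpoints, so any request
    # that the proxy did not authenticate is itself a finding.
    if not rec.get("auth"):
        findings.append("unauthenticated-request")
    if not is_trusted_source(rec["src"]):
        findings.append("external-source")
    return findings


def scan_log(log_text):
    """Parse JSON lines and return {timestamp: findings} for flagged requests."""
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        findings = analyse_record(rec)
        if findings:
            alerts[rec["ts"]] = findings
    return alerts


if __name__ == "__main__":
    for ts, findings in scan_log(SAMPLE_LOG).items():
        print(ts, ", ".join(findings))
```

Run against the sample, the first and third records are flagged for the markers (the first also for the full command sequence), and every record that reached the server without the proxy authenticating it is reported regardless of content; the one authenticated request from an internal address produces no finding. The two content rules are the narrow, high-confidence signal for this specific framework; the two access rules are what make the alert useful even after the markers change.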