New research exposes how threat actors are hijacking AI infrastructure to run their operations
New research from Zenity Labs found attackers exploiting critical LiteLLM vulnerabilities and hijacking AI infrastructure to conduct attacks against third parties and power their own operations. The findings offer visibility into how attackers are exploiting AI infrastructure, revealing tools, techniques and procedures (TTPs). The research is based on thousands of real-world attack attempts observed across a global network of AI threat intelligence sensors.
Zenity Labs’ sensors recorded multiple instances of attackers abusing exposed LLM endpoints, attempting to attack third parties and power their own operations. In one incident, a threat actor deployed Strix, an autonomous AI pentesting tool, and attempted to direct it against a production e-commerce website. In another, the research uncovered attackers using exposed AI infrastructure as free compute resources, attempting to run their own operations, the AI equivalent of cryptomining. One group routed a multi-agent enterprise workflow through the exposed infrastructure, while another inadvertently exposed their full development environment, git history, and reconnaissance scripts through OpenAI’s Codex. Together, these findings provide rare insights into how attackers are actually using AI for offensive operations and offer a unique window into their TTPs.
Another key insight into attacker behavior is how fast they move. Zenity Labs’ sensors recorded hundreds of exploitation attempts targeting CVE-2026-40217, a critical remote code execution vulnerability in LiteLLM, taking place the same day the CVE was patched. LiteLLM is one of the most widely deployed AI gateways used to route traffic across large enterprise AI environments. Over the following six weeks, the sensors recorded hundreds of attack attempts ranging from reconnaissance to full sandbox escape payloads. Zenity also observed attacks targeting additional LiteLLM vulnerabilities, including a separate server-side request forgery (SSRF) vulnerability with attempted data exfiltration through a novel variant of CVE-2024-6587. The sensors also identified a highly coordinated campaign targeting CVE-2026-35029, a vulnerability in LiteLLM’s admin endpoint that has since been patched by BerriAI.
Methodology
The findings are based on data collected from Zenity Labs’ network of AI threat intelligence sensors, which provide direct visibility into how threat actors target and abuse AI infrastructure in the wild. The research captured thousands of attack attempts across AI environments, including exploitation attempts, reconnaissance activity and AI compute theft.
“We’ve laid out traps that look and behave like enterprise AI infrastructure and agents, to gain increased visibility into attacker behavior,” said Michael Bargury, co-founder and CTO of Zenity. “Attackers spotted our vulnerable AI, exploited n-day vulnerabilities and tried to leverage our AI resources to conduct real-world attacks, tipping their hands and revealing their TTPs. This is just the first drop, with more findings coming soon.”










