Pillar Security — Operation Bizarre Bazaar LLMjacking campaign
AI relevance: The campaign targets exposed LLM and MCP endpoints, turning AI inference infrastructure and agent tool bridges into paths for monetized access and data exfiltration.
- Pillar Security reports Operation Bizarre Bazaar, a coordinated LLMjacking campaign observed between Dec 2025 and Jan 2026.
- Their honeypots captured 35,000 attack sessions against exposed AI infrastructure, averaging ~972 attempts per day.
- The operation is described as a three‑part supply chain: scanners find exposed endpoints, validators test access, and a marketplace resells stolen access.
- Targets include Ollama, vLLM, and OpenAI‑compatible APIs as well as publicly reachable MCP servers.
- Once access is gained, attackers can steal compute, resell API usage, and probe model access across multiple providers.
- The report highlights data exposure risk because LLM context windows can contain source code, customer data, or internal docs.
- Pillar observed a separate MCP‑focused reconnaissance campaign aimed at lateral movement via AI tool integrations.
- Mitigations emphasize authentication, network segmentation, and rate limiting for all AI endpoints.
Why it matters
- LLMjacking is no longer ad-hoc abuse; it is organized, monetized, and automated against AI operations.
- Exposed MCP servers bridge into internal systems, so AI endpoints can become entry points for broader compromise.
What to do
- Inventory all AI endpoints (production and development) and require authentication everywhere.
- Lock down MCP servers behind private networks and strict allowlists.
- Add rate limits and anomaly detection for multi‑provider enumeration patterns.
- Block known malicious infrastructure and monitor for scanner activity on common AI ports.
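
One way to detect the multi-provider enumeration pattern named in the list above, as an added example that is not taken from Pillar Security's report: it scans gateway access logs for clients that request models from several provider families within a short window. The JSON log fields (`client_ip`, `ts`, `model`), the prefix-to-provider map, and the thresholds are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping of model-name prefix to provider family; extend for your gateway.
PROVIDER_PREFIXES = {"gpt-": "openai", "claude-": "anthropic", "gemini-": "google",
                     "llama": "meta", "mistral": "mistral"}

def provider_of(model):
    """Return the provider family for a model name, or None if unrecognized."""
    name = model.lower()
    return next((p for pre, p in PROVIDER_PREFIXES.items() if name.startswith(pre)), None)

def find_enumerators(log_lines, window=timedelta(minutes=5), min_providers=3):
    """Return {client_ip: sorted providers} for clients that requested models from
    at least min_providers provider families inside one sliding time window."""
    events = defaultdict(list)
    for line in log_lines:
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"])
            provider = provider_of(rec["model"])
            ip = str(rec["client_ip"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed lines instead of aborting the scan
        if provider:
            events[ip].append((ts, provider))
    flagged = {}
    for ip, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Shrink the window from the left until it spans at most `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            providers = {p for _, p in seen[start:end + 1]}
            if len(providers) >= min_providers:
                flagged[ip] = sorted(providers)
                break
    return flagged

# Constructed sample data: (client_ip, time, model). Not real traffic.
_ROWS = [("203.0.113.7", "03:00:00", "gpt-4o"), ("203.0.113.7", "03:00:20", "claude-3-opus"),
         ("203.0.113.7", "03:00:41", "gemini-pro"),       # three providers in 41 seconds
         ("198.51.100.20", "03:00:05", "llama3"), ("198.51.100.20", "03:02:00", "mistral-7b"),
         ("198.51.100.33", "01:00:00", "gpt-4o"), ("198.51.100.33", "02:00:00", "claude-3-opus"),
         ("198.51.100.33", "03:00:00", "gemini-pro")]     # same spread, but over two hours
SAMPLE_LOG = [json.dumps({"client_ip": ip, "ts": f"2026-01-10T{t}", "model": m})
              for ip, t, m in _ROWS] + ["not json"]

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Tune `window` and `min_providers` against your own baseline, since a legitimate multi-model application behind one address can cross a low threshold.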