- Security researchers identified approximately 175,000 publicly accessible Ollama AI hosts across 130 countries, most with high-risk capabilities.
- Nearly half of these exposed systems support tool-calling, enabling them to execute code and interact with external systems without proper authentication.
- An active criminal operation, dubbed Operation Bizarre Bazaar, is already scanning for and selling access to these vulnerable AI endpoints.
A new joint investigation by SentinelOne SENTINELLABS and Censys has uncovered a massive, unmanaged global network of exposed Ollama AI infrastructure, creating a serious security blind spot for organizations. This sprawling network of 175,000 unique hosts operates outside standard platform guardrails, with the largest concentration located in China.
Consequently, the publicly accessible nature of these systems poses new security concerns requiring novel defensive approaches. Nearly 50% of observed hosts are configured with tool-calling capabilities, meaning they can execute code and access APIs. Researchers Gabriel Bernadett-Shapiro and Silas Cutler added that this “fundamentally alter[s] the threat model.”
Meanwhile, the risk of infrastructure abuse, termed LLMjacking, has moved from theory to practice. A separate report from Pillar Security this week details an active campaign dubbed Operation Bizarre Bazaar, where attackers scan for and sell access to these endpoints. This operation has been traced to a threat actor named Hecker.
The decentralized and often residential nature of this infrastructure complicates traditional governance and monitoring. Therefore, defenders must treat externally accessible LLMs with the same stringent controls as other critical infrastructure.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
