Open-source intelligence and security research focused on the exposed control plane of modern AI/ML infrastructure.
Over 28 cloud /16 ranges (DigitalOcean + Hetzner + Vultr, ~1.83M IPs), surveyed 15 distinct AI/ML platform classes with ~5,000 confirmed unique deployments. Tier-2 expansion 2026-05-04 (ollama-tier2-cloud-survey-2026-05.md) reproduced the auth-off-default thesis across Scaleway, OVH, and Linode (76 additional /16s, 3.55M IPs, 1,019 more unauth Ollama instances, operator-culture-independent).
- Jetson / TensorRT edge population survey (2026-05-18): 10,224 candidates harvested across 9 platform classes. 296 verified-unauth: Frigate NVR (205, 15 leak RTSP camera credentials in plaintext), CodeProject.AI (39), DeepStack (24), motionEye (18), Docker Registries (5 incl. NVIDIA Isaac robotics pipeline). Two deception fleets identified (598 hosts; documented as Insight #32).
- Code-assistants population survey (2026-05-18): 61 OpenHands POST-confirmed unauth (16 with sandbox `STATUS$READY`); 127 of 192 original Stage-2 hits were data-layer FPs (drove Insight #31, app-builder brand-in-output). Cross-survey 4-day re-verify: 83.3% operator persistence without external pressure (Insight #30).
- Registry-population survey (2026-05-19): 12,297 unauth Docker Registry candidates harvested. Population-pass yield 0.035% high-confidence attribution across Jetson / Healthcare / Finance classifiers (vs 33% on a 9-host curated cohort). Established Insight #35: side-channel attribution has high precision and low recall; it is for targeted investigation, not population discovery.
- Tegrity / MHCampus (2026-05-18): McGraw-Hill Education student self-registration service offline; ASP.NET YSOD discloses AWS SDK class names + build paths byte-identically across 3 ELB members. Disclosure pending at hackerone.com/mcgrawhill.
aimap v1.9.12 → v1.9.16 ships three side-channel operator-class classifiers that fingerprint operators by their Docker Registry /v2/_catalog content:
- Jetson / NVIDIA edge (v1.9.12): `dustynv/`, `l4t-*`, `jetson/*`, `tegra-`, `jetpack` + Isaac stack signals
- Healthcare (PACS / DICOM) (v1.9.13, internationalised v1.9.15): `dcm4chee`, `orthanc`, `ohif`, `weasis`, `/pacs`, `/dicom` + 7-language coverage (Russian `zdrav`/`krayzdrav`, German `klinik`/`krankenhaus`, Spanish `salud`/`clinica`, French `sante`/`clinique`, Italian `sanita`/`ospedale`, Mandarin `yiyuan`, Japanese `byouin`)
- Finance / algotrading (v1.9.13): `freqtrade`, `quantlib`, `vectorbt`, `alpaca`, `ibapi`, `ib-gateway`, `oanda`, `mt4`/`mt5`, `metatrader`, `nautilus_trader`
Documented as Insight #33 with the high-precision / low-recall caveat at Insight #35.
- Vector DB tier (Qdrant + ChromaDB + Milvus), 142 instances, 100% unauthenticated
- Inference tier (Triton + vLLM + Ollama), 388 instances, 100% unauthenticated
- MLOps (MLflow Tracking), 11 instances, 100% unauthenticated, and 18% actively being exploited via CVE-2023-1177, with attacker-injected experiments doubling overnight between probes
- Data app (Streamlit), 551 instances, 100% unauthenticated (no built-in auth)
- Object storage (MinIO), 852 instances, 0% anonymous-list (auth-on-default works)
- Orchestration UI tier (Flowise / n8n / Open WebUI / Langflow), 1,170 instances, 0% unauthenticated
The single sharpest finding in the survey: the same operator population leaks Qdrant/Milvus/MLflow at 100% while protecting MinIO and Dify at ~0%. Not different operators, same operators on different platforms. Upstream defaults are the load-bearing variable, not operator awareness.
Notable per-instance findings worth pulling up in the case-study list:
- tweet-optimize.com, 1.21M facial embeddings (`onlyfans` + `psos` collections) on unauth Milvus; functional doxing primitive against creators. Disclosed 2026-05-03 to OnlyFans / Hetzner / Finnish DPA / operator. Still live ~9h post-disclosure.
- Triton chat-platform safety pipeline, child-safety minor-detection classifier with 127.4 million lifetime inferences logged, exposed for adversarial probing
- MLflow CVE pair, two instances actively exploited by an external attacker spraying CVE-2023-1177 path-traversal payloads at `/etc/` and `/root/.ssh/`; attack progressing between probes
- sanctionscanner.com, 79M KYB records + 6.2M sanctions-list entries on unauth Elasticsearch; active ransomware compromise predates discovery
- MCP cross-cloud survey, 95 confirmed Model Context Protocol servers across Scaleway / OVH / Linode (~2.18M IPs), 28 with non-empty `tools/list`. Headline: a fully exposed Gmail mailbox MCP (19-tool send/read/delete CRUD on the operator's own Gmail), Alcy CRM MCP (22-tool French facility-management CRUD), `rmcp` Elasticsearch MCP proxy, hindsight-mcp v3.1.1 personal-AI-memory CRUD (29 tools incl. `clear_memories`), 3× Casdoor IAM CRUD across providers (recurring template-auth-off pattern), Brazilian legal RAG with state-audit data. A protocol-strict JSON-RPC handshake gate filtered AS63949 honeypot pollution to 1.1% (vs 91.6% on the prior Milvus survey).
- LLM Gateways cross-cloud survey, 1,899 confirmed unauth gateways across the same tier-2 cloud space, of which 1,857 (97.8%) returned functional inference to a single-token unauthenticated `/v1/chat/completions` PoC, billed against the operator's provider-key quota. Provider tags include 1,835 OpenAI / 2 Anthropic-functional / Google / OpenRouter / Mistral / DeepSeek / MiniMax / xAI / Moonshot. 1,829 of 1,857 (98.5%) returned the identical canned response from `gpt-4o-mini`: a single open-source reseller-proxy template mass-deployed auth-off across operators, i.e. one root-cause auth failure propagating to the entire population. Aggregate $0.011 of operator quota consumed by the disclosure PoC across all 1,857 hosts; no key strings extracted. Extends the vLLM survey's 10-reseller-proxy finding by ~180× at the gateway-product tier.
- RAG framework survey, 169 confirmed cross-cloud RAG framework hosts; the auth-off-default thesis breaks here (~100% auth-on at content endpoints), but 51% serve `/openapi.json` publicly, exposing full FastAPI route maps + Pydantic schemas + securitySchemes. The "PrivateGPT" classification was over-eager: ~98% of those hits are custom FastAPI RAG apps (Hibrit RAG API v1, AI News Publisher API, CamV3 Prediction Service, Nexus Skill Graph API, Docling Ingest API); operators leak product names + API designs publicly even when their data is locked.
- Browser-agent survey, 153 confirmed unauth browser-automation backends (83 Selenium Grid / 36 raw Chromium CDP / 34 Browserless). 100% unauth at the platform endpoint. The 36 raw-Chromium CDP hosts are browser-RCE-equivalent via WebSocket WSCP control. A single Browserless template fleet at HeadlessChrome 121.0.6167.85 mirrors the LLM-Gateway 1,829-host canned-response pattern; 5+ hosts on pre-2023 Chromium versions add a chained stale-CVE attack surface on top of the unauth issue.
- Datalabel survey, 348 confirmed cross-cloud, all doccano (single-platform sweep). ~99% auth-on at `/v1/projects`; the auth-off-default thesis breaks at this tier too. Zero Argilla / LabelStudio / Prodigy / CVAT confirmed in 1,017 prefixes: operator hygiene at population scale OR a different-tier deployment profile.
- AI safety eval survey, 0 confirmed (corrected 2026-05-05). The initial survey reported 6; all were substring-match false positives (e.g. `b"garak"` matched on a Japanese anime filename, Garakuta no Kamisama, in a personal video library). Re-probed with tightened aimap fingerprints (status_code + json_field + anchored keyword, conjunctive): 0/6 confirm. The methodology-correction lesson is the load-bearing finding, captured as Methodology Insight #6 in `SYNTHESIS-2026-05.md`.
- Compute orchestration / training survey, 118 unauthenticated exposures across Apache Spark (85), Apache Airflow (29), Ray Dashboard (4), from 203 Shodan-seeded candidates. Highlights: 8 Airflow `/home`-bypass criticals (anonymous public role enabled; `/login` still serves the login template, but `/home` returns the authenticated DAG dashboard) on GCP / AWS / DO / Timeweb customer hosts; 4 Ray Dashboard hosts with CVE-2023-48022 ShadowRay surface (unauth job-submission RCE, actively exploited since 2023); 71% population exposure on Spark Master / Worker / Application UIs (cluster topology + driver Environment-tab credential leak surface). Spark + Ray reproduce the Tier-A "no auth concept"; Airflow's `/home` route surfaces a new methodology lesson: entry-point-only fingerprints miss auth-bypass-via-misconfiguration findings whose entry point looks login-gated (Methodology Insight #8).
Cross-tier auth-posture is now empirically clear: infrastructure-for-engineers tier (vector DBs, inference servers, gateways, MCP, browser-agent) reproduces 97-100% unauth at population scale; applications-for-end-users tier (RAG framework, doccano labeling) reproduces ~99% auth-on. Same operators, different defaults; the framework default is the deployment.
The AI/ML stack moved faster than its security model. Vector databases ship without auth by default. LLM gateways log every prompt to disk. Inference servers expose /v1/models to the internet. Fine-tuning dashboards proxy GPU compute to anyone who finds the URL. MCP servers wire shell, filesystem, and database tools to LLMs over unauthenticated HTTP.
This repository is a living catalogue of fingerprints, queries, exposure patterns, and detection logic for the infrastructure that runs modern AI, built so that defenders can find their own assets before adversaries do.
The catalogue groups infrastructure by exposure-class. The 20 original categories below cover the platforms surveyed through 2026-05; the 14 expansion buckets at the end are the unsurveyed-or-partial gaps we are filling next.
| Category | Examples |
|---|---|
| LLM Orchestration | Flowise, Langflow, Dify, Open WebUI, LiteLLM, Ollama, n8n, SillyTavern, Clawdbot |
| Vector Databases | ChromaDB, Qdrant, Weaviate, Milvus, pgvector, Redis Search, ClickHouse, Cassandra |
| Object Storage & Artifact Stores | MinIO, Harbor, Docker Registry v2, where the models and vectors actually live |
| Model Serving | vLLM, Triton, TGI, llama.cpp, LM Studio, GPT4All, NVIDIA NIM, text-generation-webui, Kobold.cpp, SGLang |
| Embedding Services | HuggingFace TEI, infinity-embedding, SentenceTransformers server, documents → vectors over unauthenticated HTTP |
| Training & Experiments | MLflow, Kubeflow, Ray, ClearML, Argilla, Label Studio, Feast |
| Data Pipeline Orchestration | Apache Airflow, Prefect, Dagster, Argo Workflows, Temporal, Cadence, Conductor (Netflix/Orkes), Flyte, Mage.ai (:6789), ZenML (:8237), Kestra (:8080), DolphinScheduler (:12345), Windmill; unauth Airflow = code execution via DAG trigger, secrets in Variables API; Temporal/Cadence history-store exposure class = complete workflow execution history including all arguments and return values |
| AI Gateways & Observability | LiteLLM Proxy, Portkey, Langfuse, Helicone, Phoenix/Arize |
| Agent Frameworks | SuperAGI, OpenDevin, MetaGPT, AutoGen, Clawdbot |
| RAG Stacks & Self-Hosted AI Apps | h2oGPT, Danswer/Onyx, Quivr, Khoj, RAGFlow, LibreChat |
| Image Generation | ComfyUI, Stable Diffusion, AUTOMATIC1111, InvokeAI, Fooocus |
| Speech & Audio AI | Whisper.cpp server, Coqui TTS, AllTalk TTS, LocalAI audio, OpenAI-compat /v1/audio/transcriptions |
| Notebook & Dev Environments | JupyterHub, VS Code Server (code-server), Jupyter AI, multi-user institutional deployments, full RCE class |
| AI Code Assistants | Tabby, Refact, self-hosted Sourcegraph Cody, server-based, expose codebase indexes and completion history |
| Search & Data Infrastructure | Elasticsearch, OpenSearch (with ELSER/kNN ML plugins), Typesense, Meilisearch, the corpus layer AI apps query |
| MCP Servers | Model Context Protocol exposed over HTTP/SSE, wires shell, filesystem, and database tools to LLMs |
| Credential & Config Leaks | OPENAI_API_KEY / ANTHROPIC_API_KEY / GROQ_API_KEY / HF_TOKEN exposure, .env files |
| Backup & Snapshot Services | Velero, restic REST server, Barman, Longhorn, model weights and training data in unprotected snapshots |
| Container & Orchestration | Docker daemon, Kubernetes, kubelet, etcd, Consul, Vault |
| GPU & Compute Dashboards | NVIDIA DCGM, Ray dashboard, RunPod, Vast.ai, GPUStack |
These categories close the gaps in the AI/ML infra map. Each maps to fingerprints, queries, exposure patterns, and detection logic the same way the core categories do.
| Category | Examples | Coverage |
|---|---|---|
| Auth / Access Control / Rate Limiting | Kong, Tyk, Apigee self-hosted, OPA / OPAL, Casbin, Authelia, Authentik, OIDC providers, service-account RBAC | not-yet |
| Network Perimeter & Service Mesh | Istio / Linkerd / Cilium control planes, zero-trust proxies (Pomerium, BastionZero), L7 firewalls, mTLS service mesh | not-yet |
| Safety / Guardrail & Policy Engines | LlamaGuard, NeMo Guardrails, Lakera Guard self-hosted, Guardrails AI, Garak (DONE-NEGATIVE), Protect AI, Robust Intelligence | partial (Garak only) |
| Governance, Compliance & Audit Logging | OpenPolicyAgent, Open Metadata, DataHub, Apache Atlas, Marquez lineage, audit-log aggregators specific to model usage | not-yet |
| Evaluation, Benchmarking & Regression Harnesses | Promptfoo, DeepEval / Confident AI, AILuminate, OpenAI Evals self-hosted, Helm test harness, LLM eval-as-a-service | not-yet |
| Model Registry & Lineage Services | MLflow Model Registry (partial), HuggingFace TGI registry, Comet ML registry, Sagemaker Model Registry-style self-hosted, BentoML registry | partial |
| Experiment Tracking Systems | W&B self-hosted, ClearML server (8080/8081/8008), Comet ML, Neptune.ai, Aim, Sacred | not-yet |
| Workflow & Event Orchestration (LLM lifecycle) | Temporal (LLM-eval, RAG-refresh use), Prefect (4200), Dagster, Argo Workflows for retraining, Apache Beam pipelines, Kafka/NATS/PubSub for event-driven RAG | not-yet |
| Cost, Billing & Usage Analytics | OpenMeter, Lago, Helicone cost analytics, Langfuse analytics, internal showback/chargeback dashboards, per-tenant token meter | not-yet |
| Feature Stores & Long-Term Memory | Feast, Tecton OSS, Hopsworks, Mem0, Letta / MemGPT, Zep, agent-memory stores distinct from vector DBs | not-yet |
| Data Labeling & Annotation Systems | doccano (DONE), Argilla, Label Studio, Prodigy, CVAT, RLHF preference-data tools, ground-truth labeling pipelines | partial (doccano done) |
| Classical ML & Auxiliary Model Services | Recommenders, ranking systems, spam/abuse classifiers, fraud-detection models, personalization engines that sit beside LLMs | not-yet |
| On-Device & Edge Inference | Browser-side WebGPU model runtimes, mobile inference frameworks (Core ML / TensorFlow Lite), model-distribution + integrity-verify services for edge devices | not-yet |
| Secrets Management & Configuration | HashiCorp Vault (covered in Containers), Bitwarden / Vaultwarden, AWS Secrets Manager-style self-hosted, config servers (Consul partial), LaunchDarkly OSS, feature-flag servers controlling model routing | partial |
```text
.
├── reference/ # Tool-agnostic reference material
│ ├── ports.md # Common AI/LLM infrastructure ports
│ └── terminology.md # AI/ML stack terminology primer
├── shodan/ # Shodan query reference
│ ├── Shodan_AI_Reference.pdf # Polished PDF (v2.1, April 2026)
│ └── queries/ # Per-category markdown sources
│ ├── 01-llm-orchestration.md
│ ├── 02-vector-databases.md # incl. Object Storage & Artifact Stores
│ ├── 03-model-serving.md
│ ├── 04-training-experiments.md
│ ├── 05-gateways-monitoring.md
│ ├── 06-agent-frameworks.md
│ ├── 07-rag-stacks.md
│ ├── 08-image-generation.md
│ ├── 09-code-assistants.md
│ ├── 10-mcp-servers.md
│ ├── 11-credential-leaks.md
│ ├── 12-containers.md
│ ├── 13-backup-snapshot.md
│ ├── 14-gpu-compute.md
│ ├── 15-fingerprinting.md
│ └── appendix-cve.md
├── tools/ # Attack surface research & PoC tooling
│ ├── ollama-model-injection.md # Unauthenticated /api/create injection (all versions)
│ ├── ollama-ssrf.md # SSRF via /api/pull private registry URLs
│ ├── ollama-connect-takeover.md # Cloud account takeover via leaked signin_url
│ ├── hexstrike-ai-chain.md # Model injection → RCE chain (HexStrike AI)
│ ├── ollama-recon-findings.md # Recon methodology & scan findings
│ ├── ollama-recon.py # Scanner: enumerate, inject-test, cloud hunt
│ └── bypass-prompts.json # System prompt bypass corpus
├── data/ # Scan outputs (gitignored sensitive fields)
│ └── ollama-findings.md # Human-readable scan findings
├── case-studies/ # Real-world exposure writeups
│ ├── universities/ # University AI infrastructure exposures (57 case studies)
│ │ ├── index.md # Index + discovery methodology
│ │ ├── US/ # United States (11 case studies)
│ │ │ ├── IN-purdue-northwest.md # Purdue NW - account takeover, user-ID embedded sales models
│ │ │ └── NC-duke.md # Duke - agent model + file inspection tools
│ │ └── international/ # All other countries (46 case studies, 28 countries)
│ │ ├── KR/ # South Korea - POSTECH, SNU, Yonsei, INHA, Kyungpook
│ │ ├── TW/ # Taiwan - TANet 18-node cluster, NTU, NCKU, FJU, NCU
│ │ ├── VN/ # Vietnam - Hanoi, VNU HN, VNU HCMC
│ │ └── ... # 25 more countries: see index.md
│ ├── critical-infra/ # Critical infrastructure exposures
│ │ ├── US-GA-cartersville-city.md # City of Cartersville - Windows, cloud proxy
│ │ └── US-TN-meriwether-lewis-ec.md # Electric cooperative - 235B model
│ ├── k12/ # K-12 school district exposures
│ │ └── US-NJ-hts-k12-dvrc.md # NJ school district (DVRC) - 5 cloud proxies
│ ├── hts-k12-nj-open-webui.md # (legacy path - see k12/)
│ └── ollama-enterprise-exposures.md # Enterprise/critical-infra targets (2026-05-01)
├── censys/ # Censys equivalents (planned)
├── fofa/ # FOFA queries (planned)
├── zoomeye/ # ZoomEye queries (planned)
├── dorks/ # Google / GitHub dorks (planned)
├── nuclei-templates/ # Detection templates (planned)
├── DISCLAIMER.md
├── CONTRIBUTING.md
└── LICENSE
```
Browse by category:
- Shodan Query Index, 15 categories + CVE cross-reference appendix
- Common AI/LLM Ports Reference
- AI/ML Terminology Primer
- Download the polished PDF reference (v2.1)
Active research:
- 2026-05 Cross-Survey Synthesis ⭐, 15 platform classes, ~5,000 deployments surveyed across DO/Hetzner/Vultr; the auth-off-default thesis with positive controls (MinIO, Dify) and active-attack-progression evidence
- Commercial AI Infrastructure Exposures Index, 15 platform-class surveys + per-instance high-impact case studies
- Ollama Enterprise Exposures, Case Study, 11 enterprise/critical-infra targets confirmed vulnerable (2026-05-01)
- University AI Exposures, 57 case studies across 29 countries; 10 account takeovers, 20+ cloud proxy nodes, organized by country (`KR/`, `US/`, `VN/`, ...)
- Notable: POSTECH synchrotron beamline (`4gsr-beamline-ws`, PAL 4th-gen light source), 235B Qwen3 model + live account takeover
- Shiv Nadar University, 3-node cluster, chest X-ray AI (`lungsvlm` / VinDr-CXR), abliterated models, 18 cloud subscriptions
- TANet Taiwan, 18-node multi-institution cluster across NTU/NCCU/NTHU/FJU/NCKU, account takeover, 5G security research system prompt
- India NIB / BSNL National Backbone, qwen2.5-coder:32b coding cluster on national telecom backbone infrastructure
- Purdue NW, account takeover + user-ID embedded fine-tuned sales models (multi-tenant platform exposure)
- K-12 Education, NJ DVRC, Open WebUI bypass, 5 cloud proxy subscriptions, student data at risk
- Critical Infrastructure, City of Cartersville, local government, Windows, DeepSeek cloud proxy
- Critical Infrastructure, Meriwether Lewis Electric, rural electric coop, 235B model, unauthenticated
- Open WebUI Auth Bypass, UI auth on port 3000 does not protect Ollama port 11434
- Cloud Proxy Quota Hijacking, operator API subscriptions drained via unauthenticated inference
- Ollama Unauthenticated Model Injection, all versions, no patch
- Ollama Connect Account Takeover, cloud subscription hijacking via leaked signin_url
- HexStrike AI → RCE Chain, model injection → shell execution via trust confusion
The 2026-05 cross-survey was produced end-to-end by the NuClide tool stack, discovery → fingerprint → enumeration → findings ledger → compliance scoring → adversarial corpus generation. Each stage is its own focused tool; VisorPlus is the orchestrator that chains them.
| Stage | Tool | Repo | What it does |
|---|---|---|---|
| Orchestrator | VisorPlus | Nicholas-Kloster/VisorPlus | Single CLI that chains JAXEN → VisorSD → VisorCorpus → BARE → aimap into one workflow (`visorplus full <dork>`) |
| Discovery (Shodan) | VisorSD | Nicholas-Kloster/VisorSD | ~20 hardcoded AI/LLM exposure dorks ranked by severity; `visorsd -org "Acme"` returns scored hits |
| Discovery (Shodan harvest) | JAXEN | Nicholas-Kloster/JAXEN | Hunts a Shodan dork and harvests live hosts into empire.db |
| Discovery (gov TLD) | VisorGoose | Nicholas-Kloster/VisorGoose | Government-TLD AI discovery via CT logs + Shodan + DNS |
| Discovery (graph) | VisorGraph | Nicholas-Kloster/VisorGraph | Seed-polymorphic recon engine; input IP/CIDR/domain/ASN/cert-FP; output typed provenance graph with rule-based exposure classification |
| Fingerprint + deep enum | aimap | Nicholas-Kloster/aimap | Fingerprints 69 AI/ML services + 36 dedicated deep enumerators (PII, unauth RCE, exposed creds, claimable admin states). v1.9.12 - v1.9.16 added 3 Docker-registry catalog-content classifiers (Jetson, Healthcare with 7-language coverage, Finance / algotrading) for side-channel operator attribution per Insight #33 |
| Findings ledger | VisorLog | Nicholas-Kloster/VisorLog | ECS-normalized SQLite store with append-only lifecycle (open → disclosed → acknowledged → remediated → verified); ingests NDJSON from any of the above. The 746 findings (across 741 unique hosts, as of 2026-05-09) in the cross-survey ledger live in data/nuclide.db here |
| Compliance scoring | VisorScuba | Nicholas-Kloster/VisorScuba | OPA/Rego policies (CISA ScubaGear-inspired) → ScubaGear-style 0–10 compliance score per node against the NuClide AI Security Baseline |
| Exploit ranking | BARE | Nicholas-Kloster/BARE | Semantic search of scanner findings against an embedded Metasploit corpus (3,904 modules); pipe nuclei/nmap/Shodan adapters in, get ranked exploit modules out, offline, no Python runtime |
| Adversarial RAG/LLM corpus | VisorCorpus | Nicholas-Kloster/VisorCorpus | Generates structured adversarial test cases (prompt injection, kb_exfiltration, tenant_cross_leak, system_prompt, jailbreak, config_secrets) for downstream RAG/LLM red-team validation |
| Agentic LLM benchmark | VisorAgent | Nicholas-Kloster/VisorAgent | Delivers adversarial prompts through real tool-use paths (web_fetch, doc_retrieve, code_exec, email_send); pass/fail per signal |
| Process-injection benchmark | VisorHollow | Nicholas-Kloster/VisorHollow | Detection benchmark for process-injection techniques on Windows x64; 6-tier ladder coverage matrix |
| Banner / aesthetics | artisan | Nicholas-Kloster/artisan | Go CLI: FIGlet banners + asciiart.eu gallery scraper for tooling output |
For each platform class in the 2026-05 cross-survey:
- `masscan` scoped to the 28 cloud /16 ranges produced raw IP hits (one port per platform)
- Custom Python probes (`/tmp/<platform>-probe.py`, 200-thread) fingerprinted each platform via its distinctive endpoint shape: `/v2/vectordb/collections/list` for Milvus, `/api/version` for Open WebUI / MLflow / Ray, `/v1/models` for vLLM, `/_stcore/host-config` for Streamlit, `/api/tags` for Ollama, etc.
- Schema/metadata enumeration captured per-instance detail (collections, models, registered models, experiments, version, RBAC state), metadata only, no payload exfiltration where avoidable
- VisorLog NDJSON ingest loaded confirmed findings into `data/nuclide.db` with severity tiering driven by content sensitivity
- VisorScuba scored every node against the NuClide AI Security Baseline (Rego policies); HTML report at `data/scuba-report-2026-05-03.html`
- VisorCorpus generated a 137-case adversarial corpus targeting the Class-A reseller-proxy + RAG-exfiltration threat classes; bundled at `data/visorcorpus-chromadb-rag-adversarial-2026-05.json` for affected operators to test their own defenses
- Cross-survey synthesis (`SYNTHESIS-2026-05.md`) pulled all 15 platform writeups into the auth-on-default-vs-off pattern with positive/negative controls
The full data/nuclide.db SQLite ledger is committed to the repo. Anyone with the toolchain can run visorlog --db data/nuclide.db query --severity critical to triage from the ledger directly, or visorscuba --db data/nuclide.db assess --json to re-score against current OPA policies.
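The ledger stage above (NDJSON in, SQLite out, an append-only lifecycle of open → disclosed → acknowledged → remediated → verified, severity tiered by content sensitivity) is easy to get wrong if state is updated in place. The following is an added illustration of that design, not VisorLog's code or schema: the table layout, the NDJSON field names, the severity rule table and the three findings (RFC 5737 documentation addresses) are all constructed for the example.

```python
"""Append-only findings ledger with an enforced disclosure lifecycle.

Illustrative only: not VisorLog's schema. Table names, NDJSON keys, the
content-class -> severity table and the sample findings are constructed.
"""
import json
import sqlite3

LIFECYCLE = ("open", "disclosed", "acknowledged", "remediated", "verified")
# A finding may only advance one step; history is never rewritten.
ALLOWED_NEXT = {a: b for a, b in zip(LIFECYCLE[:-1], LIFECYCLE[1:])}

# Content sensitivity drives severity (constructed rule table).
SENSITIVITY_SEVERITY = {
    "pii": "critical", "credentials": "critical", "model_weights": "high",
    "metadata": "medium", "banner": "low",
}

SCHEMA = """
CREATE TABLE findings (
    finding_id TEXT PRIMARY KEY, host_ip TEXT, service_name TEXT,
    platform TEXT, content_class TEXT, severity TEXT, first_seen TEXT);
CREATE TABLE events (
    seq INTEGER PRIMARY KEY AUTOINCREMENT, finding_id TEXT, state TEXT,
    at TEXT, note TEXT);
"""


def open_ledger(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def ingest_ndjson(conn, ndjson_text):
    """Insert each NDJSON finding and record its initial 'open' event."""
    count = 0
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        f = json.loads(line)
        severity = SENSITIVITY_SEVERITY.get(f.get("content_class", "banner"), "low")
        conn.execute("INSERT INTO findings VALUES (?,?,?,?,?,?,?)", (
            f["finding_id"], f["host.ip"], f["service.name"], f["platform"],
            f.get("content_class", "banner"), severity, f["@timestamp"]))
        conn.execute("INSERT INTO events(finding_id, state, at, note) VALUES (?,?,?,?)",
                     (f["finding_id"], "open", f["@timestamp"], "ingested"))
        count += 1
    conn.commit()
    return count


def current_state(conn, finding_id):
    """Latest lifecycle state, derived from the event log rather than stored."""
    row = conn.execute(
        "SELECT state FROM events WHERE finding_id=? ORDER BY seq DESC LIMIT 1",
        (finding_id,)).fetchone()
    return row[0] if row else None


def transition(conn, finding_id, new_state, at, note=""):
    """Append a lifecycle event; refuse skipped steps, regressions and unknown ids."""
    cur = current_state(conn, finding_id)
    if cur is None:
        raise KeyError(f"unknown finding {finding_id}")
    if ALLOWED_NEXT.get(cur) != new_state:
        raise ValueError(f"{finding_id}: {cur} -> {new_state} is not an allowed step")
    conn.execute("INSERT INTO events(finding_id, state, at, note) VALUES (?,?,?,?)",
                 (finding_id, new_state, at, note))
    conn.commit()
    return new_state


def query_by_severity(conn, severity):
    """The 'triage from the ledger' view: ids at a severity with their current state."""
    rows = conn.execute("SELECT finding_id FROM findings WHERE severity=? ORDER BY finding_id",
                        (severity,)).fetchall()
    return [(fid, current_state(conn, fid)) for (fid,) in rows]


# Constructed sample findings (documentation-range IPs), not survey data.
SAMPLE_NDJSON = "\n".join(json.dumps(f) for f in [
    {"finding_id": "F-001", "@timestamp": "2026-05-02T10:00:00Z", "host.ip": "203.0.113.10",
     "service.name": "milvus", "platform": "vector-db", "content_class": "pii"},
    {"finding_id": "F-002", "@timestamp": "2026-05-02T10:05:00Z", "host.ip": "203.0.113.11",
     "service.name": "mlflow", "platform": "mlops", "content_class": "credentials"},
    {"finding_id": "F-003", "@timestamp": "2026-05-02T10:07:00Z", "host.ip": "203.0.113.12",
     "service.name": "streamlit", "platform": "data-app", "content_class": "metadata"},
])


def demo():
    """Ingest, walk one finding two steps, and show a skipped step being refused."""
    conn = open_ledger()
    ingest_ndjson(conn, SAMPLE_NDJSON)
    transition(conn, "F-001", "disclosed", "2026-05-03T09:00:00Z", "operator + DPA notified")
    transition(conn, "F-001", "acknowledged", "2026-05-04T12:00:00Z")
    try:
        transition(conn, "F-002", "remediated", "2026-05-04T12:00:00Z")  # skips 'disclosed'
    except ValueError as err:
        print("refused:", err)
    return conn


if __name__ == "__main__":
    ledger = demo()
    print(query_by_severity(ledger, "critical"))
```

Because the state is derived from the event log, a re-probe that finds an exposure still live adds a note rather than flipping a column, and the "remediated without ever being disclosed" inconsistency is impossible to record.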
Search across all queries:
```bash
git clone AI-LLM-Infrastructure-OSINT
cd AI-LLM-Infrastructure-OSINT
grep -r "qdrant" shodan/queries/
grep -rn " T1 " shodan/queries/   # all unauth-by-default queries
```
Every query in v2.x is tagged with an exposure tier:
- T1, Unauthenticated by default. A positive hit is typically a live, interactive target.
- T2, Requires misconfiguration or has known auth-bypass CVEs. One additional probe confirms exposure.
- T3, Recon / fingerprint only. Use for inventory and pivoting, not as an immediate finding.
See shodan/README.md for the full legend.
35 numbered methodology insights produced by the 2026-05 survey series, each derived from a specific survey or incident and captured for independent citation. See methodology/ for the full index. Recent highlights:
- Insight #28: survey shelf-life and exposure-to-extortion timing. The window between exposure publication and active exploitation is shorter than disclosure SLAs.
- Insight #30: 83.3% operator persistence at the 4-day window in low-attacker-pressure ecosystems. Catalogue findings have a useful disclosure window measured in weeks, not hours.
- Insight #31: app-builder tools brand the OUTPUT, not the AGENT. Stage-2 verify probes anchoring on body text catch generated apps; anchor on agent API contract instead.
- Insight #32: multi-service deception fleets emulate target-specific services for Shodan scanners by rotating titles per request. Filter on body markers + response size, not Shodan title alone.
- Insight #33: side-channel attribution via Docker registry catalog content when direct fingerprinting fails. Operator-authored content (image names) beats vendor banners.
- Insight #35: side-channel attribution has high precision and low recall. Use it for targeted investigation, not population discovery. Validation cohorts overstate the population yield by ~1000x.
The full set numbered #1 - #35 covers verification discipline, protocol-strict honeypot filtering (#1), conjunctive marker-anchored matchers (#6, applied at body-text matchers AND repo-name classifiers), source-code-is-authority (#11), IP-direct-shadow (#12), shipping-defaults-are-load-bearing (#13), dork-hits-vs-platform-instances (#15), status-code-is-not-identity (#16), and more.
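The verification discipline behind Insights #6, #16 and #32 (a hit is a service only when status code, content type, a parsed JSON field, an anchored marker and a plausible body size all agree; a keyword or a title alone is not identity) is what turned the garak survey's 6 substring hits into 0 confirms. The following is an added illustration of that matcher, not aimap's or VisorSD's code: the fingerprint table holds a single entry shaped after the `/api/tags` response the methodology names for Ollama, and the four HTTP responses are constructed (an Ollama-shaped body, a deception page titled "Ollama", a personal video listing containing the anime filename, and a 404 that happens to mention mlflow).

```python
"""Conjunctive, marker-anchored service verification vs naive substring matching.

Illustrative only: not aimap's fingerprint table. The single fingerprint below
is shaped after Ollama's /api/tags response; all sample responses are constructed.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """Minimal captured HTTP response; no network involved."""
    status: int
    content_type: str
    body: bytes


@dataclass(frozen=True)
class Fingerprint:
    """Every condition must hold (conjunctive); any one alone is not identity."""
    name: str
    status_codes: tuple
    content_type: str        # required Content-Type substring
    json_field: str          # top-level JSON key that must be present
    anchored_keyword: str    # regex anchored to JSON key syntax, not free text
    min_size: int = 2        # reject empty / trivially small bodies (deception fleets)
    max_size: int = 1 << 20


FINGERPRINTS = (
    Fingerprint(name="ollama", status_codes=(200,), content_type="application/json",
                json_field="models", anchored_keyword=r'"models"\s*:\s*\['),
)

# What an over-eager Stage-1 matcher greps for anywhere in a body.
NAIVE_KEYWORDS = ("ollama", "garak", "mlflow")


def naive_substring_match(resp):
    """The over-eager matcher: first keyword appearing anywhere in the body."""
    lowered = resp.body.lower()
    for kw in NAIVE_KEYWORDS:
        if kw.encode() in lowered:
            return kw
    return None


def conjunctive_match(resp, fp):
    """Return the first failing condition, or None when every condition holds."""
    if resp.status not in fp.status_codes:
        return "status"
    if fp.content_type not in resp.content_type.lower():
        return "content_type"
    if not (fp.min_size <= len(resp.body) <= fp.max_size):
        return "size"
    try:
        doc = json.loads(resp.body)
    except ValueError:
        return "json_parse"
    if not isinstance(doc, dict) or fp.json_field not in doc:
        return "json_field"
    if not re.search(fp.anchored_keyword, resp.body.decode("utf-8", "replace")):
        return "anchored_keyword"
    return None


def identify(resp):
    """Names of all fingerprints whose every condition holds for this response."""
    return [fp.name for fp in FINGERPRINTS if conjunctive_match(resp, fp) is None]


# Constructed sample responses, not survey captures.
SAMPLES = {
    "real_ollama_api_tags": Response(
        200, "application/json; charset=utf-8",
        b'{"models":[{"name":"llama3:8b","size":4661224676}]}'),
    "deception_html_titled_ollama": Response(
        200, "text/html",
        b"<html><head><title>Ollama</title></head><body>ollama is running</body></html>"),
    "personal_video_library": Response(
        200, "text/html",
        b'<html><body><a href="Garakuta%20no%20Kamisama.mkv">Garakuta no Kamisama.mkv</a></body></html>'),
    "mlflow_style_but_404": Response(
        404, "application/json",
        b'{"error_code":"RESOURCE_DOES_NOT_EXIST","message":"mlflow: no such run"}'),
}


def compare_all():
    """{sample: (naive verdict, conjunctive verdict)} for every constructed sample."""
    return {name: (naive_substring_match(r), identify(r)) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, strict) in compare_all().items():
        print(f"{name:32s} naive={naive!r:10s} conjunctive={strict}")
```

Note the two directions of error the comparison exposes: the naive matcher claims "garak" on the video listing and "ollama" on the deception page (false positives), and misses the genuine Ollama response because `/api/tags` never contains the brand string (the brand-in-output problem of Insight #31); the conjunctive matcher gets all four right.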
- Operator brand: tweet-optimize.com / "Twitter Forecast" (legal entity per ToS), Danish registrant, Hetzner Helsinki origin
- Exposure: Milvus on `65.108.107.240:19530` and `:9091`, fully unauth; 897K + 313K facial embeddings (`onlyfans` + `psos` collections) with bbox + MongoDB references; functional doxing primitive against creators via `/v2/vectordb/entities/search`
- Disclosed to: Operator (via `/contact` form), Fenix International / OnlyFans (privacy@onlyfans.com + EU GDPR rep), Hetzner abuse, Finnish DPA (Tietosuojavaltuutettu), all 2026-05-03
- Status: Exposure remains live as of last re-probe; counts unchanged. See disclosure log.
- Public evidence pack: `evidence/tweet-optimize-2026-05-03/`, 8 screenshots + 33 raw probe artifacts + SHA-256 manifest + Internet Archive Wayback snapshots
- Affected: `138.197.152.103` (MLflow 2.2.1) + `159.203.110.202` (MLflow 2.9.2), both DigitalOcean
- Active exploitation observable: attacker-injected experiments with `artifact_location: http:///?/../../../../../etc/` and `/root/.ssh/`; same attacker UUIDs span both hosts (population-scale CVE-2023-1177 sweep)
- Attack progressing: 138.197.152.103 grew from 10 → 20 attacker-experiments in ~24h between probes
- Disclosure: drafted to DigitalOcean abuse channel; ready to send
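The exploitation observable above is one an MLflow operator can hunt for in their own tracking server: experiments whose `artifact_location` carries a path-traversal payload toward `/etc/` or `/root/.ssh/`, and the same experiment names recurring across hosts. The following is an added defensive example, not NuClide tooling and not MLflow's own API client: the two experiment listings are constructed, their field names follow the shape of an MLflow experiments listing (`experiment_id`, `name`, `artifact_location`), and the experiment names are placeholders rather than the attacker UUIDs from the survey.

```python
"""Flag MLflow experiments whose artifact_location carries a traversal payload.

Defensive hunt over an experiments listing. Illustrative: field names follow the
shape of an MLflow experiments listing; both listings below are constructed and
the experiment names are placeholders, not the survey's attacker UUIDs.
"""
import json
import re
from urllib.parse import unquote

# Raw or URL-encoded "../" (one or two encoding layers).
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%2e%2e%2f|%252e%252e%252f", re.IGNORECASE)
# Host paths an artifact root should never resolve toward (heuristic list).
SENSITIVE_TARGETS = ("/etc/", "/root/", "/.ssh/", "/proc/")


def classify_artifact_location(location):
    """Return indicator labels for one artifact_location; [] means benign."""
    reasons = []
    decoded = unquote(unquote(location))          # peel two encoding layers
    if TRAVERSAL_RE.search(location) or "../" in decoded:
        reasons.append("path_traversal")
    # A URL with a scheme but no host ("http:///?/...") is the payload shape;
    # file:/// is a legitimate local artifact root and is excluded.
    if (re.match(r"^[a-z][a-z0-9+.-]*:///", location, re.IGNORECASE)
            and not location.lower().startswith("file:///")):
        reasons.append("empty_host_scheme")
    for target in SENSITIVE_TARGETS:
        if target in decoded:
            reasons.append(f"sensitive_path:{target}")
    return reasons


def triage_experiments(listing_json):
    """Split an experiments listing into suspect and clean records."""
    doc = json.loads(listing_json)
    suspect, clean = [], []
    for exp in doc.get("experiments", []):
        loc = exp.get("artifact_location", "")
        reasons = classify_artifact_location(loc)
        record = {"experiment_id": exp.get("experiment_id"), "name": exp.get("name"),
                  "artifact_location": loc, "reasons": reasons}
        (suspect if reasons else clean).append(record)
    return {"suspect": suspect, "clean": clean, "suspect_count": len(suspect)}


def shared_suspect_names(listing_a, listing_b):
    """Experiment names flagged on both hosts: the cross-host sweep correlation."""
    names_a = {r["name"] for r in triage_experiments(listing_a)["suspect"]}
    names_b = {r["name"] for r in triage_experiments(listing_b)["suspect"]}
    return names_a & names_b


# Constructed listings (not survey data); names are placeholders.
SAMPLE_HOST_A = json.dumps({"experiments": [
    {"experiment_id": "0", "name": "Default",
     "artifact_location": "file:///mlflow/mlruns/0", "lifecycle_stage": "active"},
    {"experiment_id": "1", "name": "churn-model-v3",
     "artifact_location": "s3://ml-artifacts/churn/1", "lifecycle_stage": "active"},
    {"experiment_id": "7", "name": "exp-placeholder-uuid-1",
     "artifact_location": "http:///?/../../../../../etc/", "lifecycle_stage": "active"},
    {"experiment_id": "8", "name": "exp-placeholder-uuid-1",
     "artifact_location": "http:///?/../../../../../root/.ssh/", "lifecycle_stage": "active"},
    {"experiment_id": "9", "name": "exp-placeholder-uuid-2",
     "artifact_location": "http:///?/%2e%2e%2f%2e%2e%2fetc/passwd", "lifecycle_stage": "active"},
]})
SAMPLE_HOST_B = json.dumps({"experiments": [
    {"experiment_id": "0", "name": "Default",
     "artifact_location": "file:///mlflow/mlruns/0", "lifecycle_stage": "active"},
    {"experiment_id": "3", "name": "exp-placeholder-uuid-1",
     "artifact_location": "http:///?/../../../../../etc/", "lifecycle_stage": "active"},
    {"experiment_id": "4", "name": "fraud-scoring",
     "artifact_location": "s3://ml-artifacts/fraud/4", "lifecycle_stage": "active"},
]})

if __name__ == "__main__":
    result = triage_experiments(SAMPLE_HOST_A)
    for rec in result["suspect"]:
        print(rec["experiment_id"], rec["name"], rec["reasons"])
    print("shared across hosts:", shared_suspect_names(SAMPLE_HOST_A, SAMPLE_HOST_B))
```

The suspect count between two probes of the same host is the "attack progressing" signal the finding describes; the shared-name set is the population-sweep signal. Both are metadata-only checks that never touch the artifact paths themselves.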
- Affected: All Ollama versions (no authentication on `/api/create` in any release)
- CVE-2025-63389, filed 2025-12-18, scoped ≤v0.13.5. Scope is incorrect: confirmed live on v0.13.5 → v0.22.0. `first_patched_version: null`.
- Scale: 227,715 exposed instances on Shodan as of 2026-05-01
- Enterprise targets confirmed: US electric utility co-op [CISA notified, identity withheld], Oracle Corporation infra, Azure IBM Granite RAG pipelines, GCP autonomous agent deployment, OVH cybersecurity product company, AWS managed instances
- Public disclosure: 2026-07-30 (90-day window)
- Contact: nicholas@nuclide-research.com
Secondary findings in coordinated disclosure:
- SSRF via `/api/pull` (CVE-2026-5530), OOB DNS + internal port detection
- Ollama Connect account takeover, cloud subscription hijacking via leaked `signin_url`
- HexStrike AI RCE chain, model injection → trust confusion → Flask `/api/command` shell exec
This repo is designed to work as a live context source for Claude Code. Drop the following prompt into any Claude Code session to turn it into a guided AI infrastructure OSINT analyst; it will use the queries, findings, and tooling here as its working reference.
Copy-paste starter prompt:
```text
You are an AI/LLM infrastructure security analyst. I've cloned the AI-LLM-Infrastructure-OSINT
repository at ~/AI-LLM-Infrastructure-OSINT/. Use it as your primary reference.
Read the following files to orient yourself:
- README.md - repo overview and active disclosure status
- shodan/queries/ - query catalog by category
- tools/ollama-model-injection.md - active vulnerability (all Ollama versions)
- case-studies/ollama-enterprise-exposures.md - confirmed enterprise targets
My objective: [describe your target or task here]
Start by reading the relevant reference files, then help me build a query or probe strategy.
```
Use the tier system (T1/T2/T3) from the Shodan reference to prioritize.
For Ollama-specific recon:
```text
I'm investigating an exposed Ollama instance at [IP]:11434.
Read tools/ollama-model-injection.md and tools/ollama-connect-takeover.md in my
AI-LLM-Infrastructure-OSINT repo, then help me:
1. Enumerate loaded models and detect cloud proxy access
2. Check for injectable system prompts
3. Test for the SSRF primitive via /api/pull
4. Assess if this matches any enterprise profiles in case-studies/
Tell me what you find and what to do next.
```
For defender asset discovery:
```text
I need to find our org's exposed AI infrastructure before someone else does.
Read README.md in AI-LLM-Infrastructure-OSINT to understand the scope, then:
1. Help me build Shodan queries targeting our ASN or IP range
2. Identify which T1 (unauth-by-default) services I should prioritize checking
3. Generate a checklist of exposure patterns to verify internally
Focus on services that require no authentication by default.
```
Full process documentation for individual assessment runs: objective, tooling, methodology walkthrough, execution trace, findings with severity ratings, risk assessment, recommendations, and sanitised PoC illustrations. These sit alongside but are distinct from per-target case studies and generalizable methodology insights.
| Date | Analysis | Key Findings |
|---|---|---|
| 2026-05-22 | LLMOps Observability Stragglers + Evidently Fingerprint | Evidently Tier-A no-auth confirmed via Docker probe; aimap v1.9.24 shipped; Agenta open-signup verified 6/6; Langfuse :5432 / Opik / PromptLayer dispatched |
PRs welcome, see CONTRIBUTING.md. The bar is:
- Queries should be verifiable (you've seen them return real results).
- Tag every new query with an exposure tier (T1/T2/T3).
- Add a `Notes` column when the query reveals something specific (auth state, version disclosure, snapshot exposure).
- New categories should map to a real, deployed-in-the-wild AI/ML platform.
Read DISCLAIMER.md. Short version: this material is for authorized security research, defensive asset discovery, and threat hunting only. Touching infrastructure you don't own or have explicit permission to test is illegal in most jurisdictions. Don't.
Maintained by Nicholas Michael Kloster as part of NuClide, independent ICS/OT and AI infrastructure security research.
CISA disclosures: CVE-2025-4364 · ICSA-25-140-11
Companion tooling: see the NuClide Toolchain section above, VisorPlus orchestrator + 12 focused tools covering discovery, fingerprinting, deep enumeration, findings ledger, compliance scoring, and adversarial corpus generation.