Threat intelligence firm GreyNoise has observed large-scale probing activity targeting misconfigured proxy servers that could expose access to commercial large language model (LLM) APIs. The activity, recorded between October 2025 and January 2026, includes more than 91,000 attack sessions across two distinct campaigns. While some indicators suggest possible security research or bug-hunting activity, GreyNoise warns that the reconnaissance patterns are consistent with preparation for broader exploitation.

As organizations rapidly integrate LLMs into applications and workflows, access to model APIs has become both valuable and sensitive. Misconfigured proxies, server-side request forgery (SSRF) flaws, and poorly protected connectors can inadvertently expose backend credentials, allowing unauthorized use of paid or restricted AI services. This emerging attack surface is increasingly attractive to threat actors seeking scalable abuse or monetization opportunities.

GreyNoise honeypots detected two major probing campaigns over a three-month period.

The first campaign began in October 2025 and leveraged ProjectDiscovery’s out-of-band application security testing (OAST) infrastructure. Activity spiked during the Christmas holiday period, with highly uniform request patterns suggesting automated tooling. Based on the infrastructure used, GreyNoise assesses that this campaign may be linked to security researchers or bug hunters, though grey-hat activity cannot be ruled out.

The second campaign started on December 28 and generated 80,469 attack sessions over just 11 days. This wave focused on identifying misconfigured proxies capable of exposing access to LLM APIs.

The attackers performed reconnaissance against more than 70 LLM endpoints, issuing benign-looking test queries designed to identify which models responded without triggering security alerts. Targeted models included offerings from OpenAI, Anthropic, Meta, Google, Mistral, Alibaba, and xAI.

Both campaigns originated from two IP addresses previously associated with exploitation attempts against more than 200 known vulnerabilities, including CVE-2025-55182 (React2Shell) and CVE-2023-1389, a command injection flaw affecting TP-Link routers. This overlap suggests shared tooling or infrastructure rather than isolated testing.

While no confirmed API compromises have been publicly disclosed, successful exploitation of misconfigured proxies could allow attackers to:

Even limited exposure could result in significant financial costs or data leakage for affected organizations.

This activity highlights a growing security blind spot in AI adoption: infrastructure surrounding LLMs is often less mature than the models themselves. As organizations race to deploy AI capabilities, configuration errors can quietly introduce high-impact risks that traditional security controls may not yet fully address.

GreyNoise notes that the deliberate use of harmless test queries strongly suggests reconnaissance rather than immediate exploitation. Such behavior is commonly observed when attackers are mapping viable targets ahead of a larger campaign, allowing them to scale attacks rapidly once weaknesses are confirmed.