Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

GreyNoise-observed LLM endpoint enumeration campaign

Campaign
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

GreyNoise observed a December 28 campaign that generated 80,469 sessions over 11 days while probing more than 73 exposed or misconfigured LLM endpoints. The activity used OpenAI-compatible and Google Gemini API formats with harmless low-noise queries to avoid security alerts. The pattern indicates organized reconnaissance for commercial LLM access, though there is no confirmed post-discovery abuse in the evidence.

Related Happenings

Proton Meet launches privacy-focused encrypted conferencing service

Security Tool/Service
First: 01.04.2026 01:42 Last: 01.04.2026 01:42 Sources 1

About this happening: **Proton Meet** launched as a **privacy-focused video conferencing service**, adding **end-to-end encrypted** calls for users who want an alternative to mainstream meeting platfor...

Open Happening

OpenAI Codex Security rolls out as a research-preview vulnerability-finding agent

Security Tool/Service
First: 07.03.2026 18:28 Last: 07.03.2026 18:28 Sources 1

About this happening: **OpenAI** began rolling out **Codex Security** in **research preview**, adding an AI security agent that can **find, validate, and propose fixes** for vulnerabilities. The rollou...

Open Happening

Google API keys Gemini single-service privilege escalation privilege-escalation flaw

Vulnerability
First: 26.02.2026 22:55 Last: 26.02.2026 22:55 Sources 1

About this happening: **Google API keys** exposed in public code became a **Gemini authentication weakness**, allowing copied keys to reach **private data** and incur **API charges** on victim accounts...

Open Happening

Google Gemini leaked API key mitigation

Advisory/Mitigation
First: 26.02.2026 22:55 Last: 26.02.2026 22:55 Sources 1

About this happening: **Google** is rolling out **mitigations for leaked API keys** that can reach **Gemini API** data, reducing the risk of unauthorized access and usage charges. New **AI Studio keys*...

Open Happening

DeepSeek, Moonshot AI, and MiniMax Claude capability-extraction campaign

Campaign
First: 24.02.2026 08:04 Last: 24.02.2026 08:04 Sources 1

About this happening: **DeepSeek**, **Moonshot AI**, and **MiniMax** ran an **industrial-scale campaign** to extract **Claude** capabilities, using **fraudulent accounts** and **commercial proxy servic...

Open Happening

Timeline

  1. 09.01.2026 21:56 2 articles · 4mo ago

    LLM endpoint enumeration begins on December 28

    Campaign Scope Update

    On December 28, 2025, a second campaign begins against exposed or misconfigured LLM endpoints, with two IP addresses systematically probing more than 73 model endpoints using OpenAI-compatible and Google Gemini API formats and low-noise queries intended to avoid security alerts.

    Show sources
    Open in new tab
  2. 09.01.2026 21:56 1 articles · 4mo ago

    GreyNoise discloses the LLM endpoint enumeration campaign

    Initial Disclosure

    GreyNoise discloses that threat actors are hunting misconfigured proxy servers to reach paid commercial LLM services, describing an ongoing late-December campaign that probed more than 73 LLM endpoints and generated over 80,000 sessions using low-noise prompts to avoid security alerts.

    Show sources
    Open in new tab