Security researchers have uncovered a massive, largely unmonitored layer of artificial intelligence infrastructure after identifying more than 175,000 publicly accessible Ollama servers spread across 130 countries, raising serious concerns about the security of open-source large language model (LLM) deployments.
The findings come from a joint investigation conducted by SentinelOne SentinelLABS and Censys, which describes the exposed systems as an emerging “shadow AI compute layer” operating outside traditional enterprise security controls.
A Global Footprint of Unsecured AI Infrastructure
According to the analysis, the exposed Ollama instances are distributed across both cloud providers and residential networks, making them difficult to track and govern. China accounts for just over 30% of the exposed hosts, followed by significant concentrations in the United States, Germany, France, South Korea, India, Russia, Singapore, Brazil, and the United Kingdom.
Researchers noted that these systems frequently operate beyond the visibility of centralized security monitoring tools, creating blind spots for organizations deploying AI workloads at the edge.
Tool-Calling Capabilities Amplify the Risk
One of the most concerning findings is that nearly half of the identified Ollama servers advertise tool-calling functionality through their public APIs. Tool calling allows LLMs to execute code, interact with external APIs, and access connected systems—features that significantly expand their operational power.
“Tool-enabled endpoints fundamentally change the threat model,” researchers explained. “When exposed without authentication, they can move from generating text to executing privileged actions, which represents the highest-risk scenario we observed.”
In addition to text-based models, the investigation found exposed systems supporting advanced reasoning and vision capabilities, with more than 200 hosts running uncensored prompt templates that disable built-in safety controls.
Why Ollama Deployments Are Being Exposed
Ollama is an open-source framework designed to run LLMs locally on Windows, macOS, and Linux systems. By default, it binds to a local address, limiting access to the host machine. However, a simple configuration change—binding the service to a public network interface—can make the API accessible from the internet.
Because Ollama runs outside traditional platform-managed environments, it often bypasses security guardrails normally enforced by cloud AI providers. Researchers warn that this mirrors risks seen in other locally hosted AI tools that operate beyond enterprise perimeters.
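A defender can check for the bind-address change described above by auditing the service configuration on each host. The following is an added example, not code from the report or from the Ollama project. It assumes the bind address is set through Ollama's `OLLAMA_HOST` environment variable in a systemd unit or drop-in; the function names and the sample unit are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

DEFAULT_BIND = "127.0.0.1:11434"  # Ollama's default: loopback, port 11434

def classify(value):
    """Classify an OLLAMA_HOST value by how widely the API would listen."""
    value = (value or "").strip() or DEFAULT_BIND
    if "://" not in value:
        value = "//" + value  # make urlsplit parse it as host[:port]
    try:
        parts = urlsplit(value)
        host, _port = parts.hostname, parts.port
    except ValueError:
        return "review"  # malformed address or port
    if host is None:
        return "review"  # port only, no host: check what the service binds
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "review"  # a hostname: resolve it before trusting it
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"  # 0.0.0.0 or ::, reachable on every interface
    return "specific-interface"

def audit_unit(text):
    """Return (value, verdict) for the last OLLAMA_HOST set in a systemd unit."""
    found = re.findall(r'^\s*Environment=.*?\bOLLAMA_HOST=([^\s"\']+)', text, re.M)
    value = found[-1] if found else ""
    return value or DEFAULT_BIND, classify(value)

# Constructed sample drop-in, not taken from any real host.
SAMPLE_UNIT = """[Service]
Environment="OLLAMA_HOST=0.0.0.0:11434"
"""

if __name__ == "__main__":
    print(audit_unit(SAMPLE_UNIT))
```

A verdict of `all-interfaces` or `specific-interface` means the API is reachable beyond the host itself, so the listener should sit behind authentication and network filtering; `review` marks values the script cannot judge on its own.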
LLMjacking Threats Move From Theory to Reality
The exposed servers are prime targets for LLMjacking, a form of abuse in which attackers hijack AI infrastructure to consume compute resources without authorization. Threat actors can use compromised endpoints to generate spam, conduct disinformation campaigns, mine cryptocurrency, or resell access to other criminals—leaving the infrastructure owner to absorb the costs.
Evidence suggests this threat is already active. A separate report by Pillar Security detailed an ongoing campaign, dubbed Operation Bizarre Bazaar, in which attackers systematically scan the internet for exposed Ollama instances, vLLM servers, and OpenAI-compatible APIs lacking authentication.
The operation reportedly validates exposed endpoints and resells access through a service operating as a unified LLM API gateway, offering discounted AI compute to buyers. Researchers attributed the campaign to a threat actor known as Hecker, also tracked as Sakuya or LiveGamer101.
A Governance Challenge for Edge-Deployed AI
The decentralized nature of the exposed Ollama ecosystem—particularly the large number of residential-hosted systems—complicates enforcement of standard security policies. Researchers warned that these deployments open new avenues for prompt injection attacks, malicious traffic proxying, and unauthorized automation.
As LLMs increasingly move closer to users and devices, the researchers stressed that AI services should be treated like any other externally accessible infrastructure.
“LLMs are no longer just generating text—they are translating instructions into actions,” the report concluded. “That makes strong authentication, network segmentation, and continuous monitoring essential, regardless of whether the deployment is cloud-based or running at the edge.”