
LLMjacking and MCP exposure: what IAM teams need to know


Posted by @nhi-mgmt-group (Member Moderator)

TL;DR: Exposed AI endpoints now behave like non-human identities, carrying direct cost, data, and lateral-movement exposure rather than just application risk. Pillar Security says its honeypots captured 35,000 attack sessions over two months while attackers scanned exposed AI infrastructure, validated endpoints, and resold access through a criminal marketplace, and MCP servers created pivot paths into internal systems.

NHIMG editorial — based on content published by Pillar Security: Operation Bizarre Bazaar, the first attributed LLMjacking campaign with commercial marketplace monetization

Questions worth separating out

Q: How should security teams handle exposed AI endpoints in production?

A: Treat exposed AI endpoints as governed non-human identities, not convenience services.

Q: Why do MCP servers increase lateral movement risk?

A: MCP servers increase lateral movement risk because they connect models to files, databases, shells, and APIs through delegated permissions.

Q: What breaks when AI endpoints have no authentication?

A: When AI endpoints have no authentication, attackers can probe model behaviour, run unauthorized inference, and use the service as a paid compute resource at the defender's expense.

Practitioner guidance

  • Inventory all externally reachable AI endpoints: scan for Ollama, vLLM, OpenAI-compatible APIs, and MCP servers that are reachable from the internet or from untrusted network zones.
  • Enforce authentication on every model-facing interface: require valid credentials for inference endpoints, model gateways, and administrative panels.
  • Restrict MCP server trust to the minimum delegated scope: separate MCP servers from public networks, limit their file, database, and API privileges, and review every integration that allows a model to reach internal systems.
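The three guidance items above are one governance check once the inventory exists: every endpoint is evaluated for exposure, for authentication, and (if it is an MCP server) for network isolation and delegated scope against an allowlist. Below is an added example, not code from the original post or from Pillar Security, that encodes those rules over a constructed inventory. The endpoint names, zones, scope strings and the per-integration allowlist are all assumptions made for illustration; a real deployment would populate the inventory from its own asset scan.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    kind: str            # "ollama" | "vllm" | "openai-compatible" | "mcp"
    zone: str            # "internet" | "dmz" | "internal"
    auth_required: bool
    scopes: frozenset = frozenset()   # delegated permissions (MCP servers only)


# Constructed policy: the scopes each MCP integration is allowed to delegate.
MCP_SCOPE_ALLOWLIST = {
    "docs-mcp": {"fs:read:/srv/docs"},
    "ticketing-mcp": {"http:tickets-api:read"},
}

# Scopes that give a model shell, write or admin reach; never acceptable by default.
BROAD_SCOPES = {"shell:exec", "fs:write:*", "db:admin"}

# Constructed inventory as an asset scan might produce it.
INVENTORY = [
    Endpoint("ollama-dev", "ollama", "internet", auth_required=False),
    Endpoint("vllm-prod", "vllm", "dmz", auth_required=True),
    Endpoint("docs-mcp", "mcp", "internal", auth_required=True,
             scopes=frozenset({"fs:read:/srv/docs"})),
    Endpoint("ops-mcp", "mcp", "dmz", auth_required=True,
             scopes=frozenset({"shell:exec", "fs:read:/srv/docs"})),
]


def evaluate(endpoints):
    """Return (endpoint, code, detail) findings for every guidance rule an endpoint violates."""
    findings = []
    for e in endpoints:
        # Rule 1: externally reachable model infrastructure must be known and justified.
        if e.zone == "internet":
            findings.append((e.name, "EXPOSED", f"{e.kind} endpoint reachable from the internet"))
        # Rule 2: every model-facing interface requires credentials.
        if not e.auth_required:
            findings.append((e.name, "NO_AUTH", "interface accepts unauthenticated requests"))
        # Rule 3: MCP servers stay off public networks and within their allowlisted scope.
        if e.kind == "mcp":
            if e.zone != "internal":
                findings.append((e.name, "MCP_NOT_ISOLATED", f"MCP server placed in zone '{e.zone}'"))
            excess = e.scopes - MCP_SCOPE_ALLOWLIST.get(e.name, set())
            if excess:
                findings.append((e.name, "MCP_EXCESS_SCOPE",
                                 f"scopes beyond allowlist: {sorted(excess)}"))
            broad = e.scopes & BROAD_SCOPES
            if broad:
                findings.append((e.name, "MCP_BROAD_SCOPE",
                                 f"model can reach internal systems via {sorted(broad)}"))
    return findings


def findings_for(endpoints, name):
    """Finding codes for one endpoint, for quick triage."""
    return {code for ep, code, _ in evaluate(endpoints) if ep == name}


if __name__ == "__main__":
    for ep, code, detail in evaluate(INVENTORY):
        print(f"{ep:12} {code:18} {detail}")
```

An MCP server absent from the allowlist has every scope flagged as excess, which is deliberate: an integration nobody has reviewed should not be delegating anything. The `MCP_BROAD_SCOPE` finding is separate from `MCP_EXCESS_SCOPE` so that shell or write reach surfaces even if someone later adds it to an allowlist.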

What's in the full article

Pillar Security's full research covers the operational detail this post intentionally leaves for the source:

  • The full attack timeline for Operation Bizarre Bazaar, including scanning, validation, and marketplace stages.
  • Indicator-level detail for the silver.inc infrastructure and associated attacker behaviour.
  • The complete list of IOCs and the specific network ranges called out in the investigation.
  • The MITRE ATLAS and OWASP mapping used to classify the observed techniques.

👉 Read Pillar Security's analysis of Operation Bizarre Bazaar and exposed AI endpoint abuse →
