By ByteBot
Over 91,000 attack sessions targeted AI infrastructure between October 2025 and January 2026, with a Christmas spike of 1,688 sessions in just 48 hours. But the real threat isn’t just attacks on LLMs—it’s LLMs themselves being weaponized for autonomous exploit generation. Threat actors have discovered that by manipulating large language models through prompt injection and data poisoning, they can bypass safety mechanisms and produce functional exploit code without needing deep technical expertise. GPT-4 now exploits 87% of one-day vulnerabilities autonomously, compared to 0% for traditional security scanners. Developers face a triple threat: attacks on LLM infrastructure, LLMs as exploit generators, and AI-generated code riddled with security flaws.
91,000 Attack Sessions: The Scale of LLM Infrastructure Targeting
GreyNoise’s honeypot infrastructure documented 91,403 attack sessions between October 2025 and January 2026, revealing two distinct campaigns that expose how aggressively adversaries are probing AI deployments. The first campaign exploited server-side request forgery vulnerabilities via Ollama model pulls and Twilio webhooks, hitting a dramatic spike over Christmas—1,688 sessions in just 48 hours on December 25. Attackers don’t take holidays.
Moreover, the second campaign, starting December 28, showed even more sophistication. Just two IP addresses generated 80,469 sessions across 11 days, methodically probing over 70 LLM endpoints including OpenAI, Anthropic, Meta, Google, and DeepSeek. The test queries remained deliberately innocuous to evade detection: “hi” appeared 32,716 times, “How many states are there in the United States?” appeared 27,778 times. Both attacking IPs have extensive CVE exploitation histories—over 4 million combined sensor hits across 200+ vulnerabilities. This isn’t reconnaissance; it’s fingerprinting at scale, and minimal infrastructure (two IPs) achieved massive reach.
The Weaponization: 87% Autonomous Exploit Success Rate
Research shows GPT-4 can autonomously exploit 87% of one-day vulnerabilities in real-world systems, compared to 0% for other LLM models and traditional open-source vulnerability scanners. Attackers manipulate LLMs through prompt injection, sophisticated pretexting, and data poisoning to bypass safety mechanisms and generate working exploit code without needing deep knowledge of memory layouts or system internals. The barrier to entry for LLM exploit generation has collapsed.
Meanwhile, OpenAI’s Aardvark autonomous security agent demonstrates the flip side of this capability: 92% detection rate on known vulnerabilities, discovering 10 CVE-worthy flaws in open-source projects. The AutoPentest framework completed 15-26% of penetration testing tasks on Hack The Box machines autonomously. The same technology defenders use to improve security is being weaponized by attackers. Traditional assumptions about attacker skill levels are obsolete when LLMs can automatically transform CVE descriptions into working exploits in hours instead of weeks.
AI Code Security Crisis: 45% Failure Rate
Veracode’s 2025 GenAI Code Security Report found that AI-generated code introduced security vulnerabilities in 45% of cases across 100+ large language models. Specifically, Java code showed a >70% security failure rate, while Python, C#, and JavaScript averaged 38-45% failure rates. LLMs failed to secure code against cross-site scripting in 86% of cases and log injection in 88% of cases.
Here’s the irony: AI coding assistants generate vulnerable code at scale, which LLM-powered attackers then exploit automatically. Furthermore, security performance hasn’t improved despite models dramatically improving at generating syntactically correct code—newer and larger models don’t generate more secure code than their predecessors. Organizations rushing AI adoption for developer productivity are unknowingly introducing security debt at massive scale.
The 45% flaw rate is unacceptable for security-critical systems, yet management pushes AI tools without understanding the risks. Veracode’s research shows integrating remediation tools and human oversight reduces flaws by over 60%, but how many teams actually implement that? Mandatory code review isn’t optional—it’s survival.
EchoLeak and Prompt Injection: Attacks in Production
EchoLeak (CVE-2025-32711, CVSS 9.3) demonstrated the first known zero-click attack on an AI agent. Researchers at Aim Security showed they could exfiltrate corporate data from Microsoft 365 Copilot by simply sending a specially crafted email—no user interaction required. The attack exploited an “LLM scope violation” where external untrusted input manipulated Copilot to autonomously access and leak chat logs, OneDrive files, SharePoint content, and Teams messages. Microsoft patched it in May 2025 with no evidence of wild exploitation, but the attack methodology reveals fundamental design flaws in how AI agents handle untrusted input.
Prompt injection isn’t a theoretical concern—OWASP’s 2025 Top 10 for LLM Applications ranks it as the #1 critical vulnerability, appearing in over 73% of production AI deployments assessed during security audits. Additionally, sophisticated pretexting techniques systematically dismantle safety guardrails by manipulating context-processing abilities using indirect requests rather than direct exploitation demands that trigger refusal filters.
Data poisoning amplifies the threat. Research shows poisoning just 250 documents in pretraining data can successfully backdoor LLMs ranging from 600M to 13B parameters. PoisonedAlign attacks strategically corrupt alignment samples, making models substantially more vulnerable to future prompt injection while maintaining normal benchmark performance—making manipulation difficult to detect. Consequently, the rise of multimodal AI, where instructions can be hidden in images accompanying benign text, will only expand the attack surface.
What Developers Must Do Now
Defensive measures exist but aren’t widely deployed. Restrict Ollama model pulls to trusted registries. Apply egress filtering to block SSRF callbacks. Block known OAST callback domains at DNS level. Implement runtime validation treating all LLM context as untrusted. Apply least-privilege principles for tool-enabled LLMs that can query databases, modify records, or trigger actions—these represent the highest risk category. Mandate human oversight for all AI-generated security-critical code, which reduces flaws by 60%.
In 2026, security incidents are increasingly tied to “emergent behavior” rather than discrete vulnerabilities. Business logic abuse is replacing traditional exploitation—attackers exploit assumptions about how workflows should behave, not malformed inputs. Additionally, the RAG layer is now identified as the weakest link in enterprise AI security. Traditional security tools that focus on SQL injection and XSS patterns miss these new attack vectors entirely.
The threat isn’t hypothetical. The 91,000+ attack sessions prove adversaries are actively probing LLM infrastructure. Developers can’t wait for vendors to fix this. The tools exist—egress filtering stops 80%+ of SSRF-based attacks, runtime context validation catches scope violation attempts, and rate limiting per IP prevents mass enumeration campaigns. Implementation is the problem, not capability.
Key Takeaways
- The scale is real: 91,403 attack sessions (Oct 2025 – Jan 2026) with 80,469 from just 2 IPs targeting 70+ LLM endpoints prove infrastructure is under active assault
- Exploit development is democratized: GPT-4’s 87% autonomous success rate vs 0% for traditional scanners eliminates the expertise barrier for attackers
- AI code is fundamentally insecure: 45% vulnerability rate across languages (Java >70%) means mandatory human review and remediation tools are non-negotiable
- Prompt injection isn’t theoretical: 73% of production deployments vulnerable, EchoLeak proves zero-click attacks work, data poisoning is undetectable
- Defense requires action now: Egress filtering, runtime validation, least-privilege for tool-enabled LLMs, and business logic abuse monitoring are immediate requirements
The same AI tools meant to boost productivity are generating exploits faster than security teams can patch them. That’s not a prediction—it’s happening now.
