Attackers Scan for Exposed Self-Hosted Anthropic Models
SANS ISC detects reconnaissance activity targeting locally hosted Claude API endpoints. Researchers warn of growing risk from misconfigured AI deployments.
Security researchers at SANS Internet Storm Center have detected scanning activity targeting exposed Anthropic API endpoints, signaling growing attacker interest in misconfigured self-hosted AI deployments. The reconnaissance, spotted across multiple network sensors, used generic credentials to probe for accessible Claude model installations.
What the Scans Look Like
SANS Dean of Research Johannes Ullrich documented the activity in a February 2 diary entry. The initial probes used a basic HTTP GET request to /anthropic/v1/models with standard Anthropic API headers and a placeholder API key set to "password"—a credential commonly found in documentation examples.
Subsequent requests targeted /v1/messages endpoints, though Ullrich noted this URI pattern is generic enough that it may overlap with other API services.
| Element | Details |
|---|---|
| Primary Source | 204.76.203.210 (Tor exit node) |
| Secondary Source | 154.83.103.179 |
| Target | Self-hosted Anthropic model instances |
| Credential Used | Generic documentation API key |
The use of a Tor exit node suggests attackers are attempting to mask their origin while conducting broad internet scans.
A Growing Attack Surface
This reconnaissance fits a pattern researchers have documented throughout 2025 and into 2026. Organizations rushing to deploy AI capabilities often leave endpoints exposed without proper authentication, creating targets for resource hijacking, data theft, and model exploitation.
A Cisco security scan last year found over 1,100 exposed Ollama endpoints within 10 minutes, with roughly 20% actively hosting models accessible without authentication. Tailscale CEO Avery Pennarun bluntly assessed the situation: "Security is last on their list of priorities" for many AI companies.
The risks from exposed AI endpoints include:
- Resource abuse: Attackers can run up compute costs or burn through API quotas
- Model extraction: Repeated queries can reconstruct model parameters
- Policy bypass: Using someone else's AI for tasks that commercial providers refuse
- Infrastructure pivot: Compromised AI servers become launching points for further attacks
These concerns aren't theoretical. Security firm Pillar recorded over 35,000 attack sessions against AI honeypots over a 40-day period, uncovering an operation called "Bizarre Bazaar" that monetizes hijacked AI endpoints.
Why Self-Hosted AI Gets Exposed
The appeal of running AI locally is real—organizations in regulated industries or with strict data sovereignty requirements often need models that never phone home. But self-hosting introduces security challenges that cloud-managed services handle behind the scenes.
Common misconfiguration patterns include:
- Deploying frameworks like Ollama or vLLM with default settings that lack authentication
- Exposing management interfaces directly to the public internet
- Using documentation-style credentials in production
- Skipping TLS encryption for "internal" services that aren't actually internal
A large-scale analysis of public-facing LLM deployments found over 320,000 accessible services across 15 frameworks. More than 40% used plain HTTP, and over 210,000 lacked valid TLS metadata. Some frameworks responded to over 35% of unauthenticated API requests.
The Anthropic-Specific Angle
The scanning activity specifically targets Anthropic's API format, suggesting attackers are cataloging which organizations run local Claude deployments. While Anthropic's commercial API requires authentication, self-hosted instances—whether using leaked weights, research models, or API proxies—often lack equivalent controls.
This comes amid broader security attention on Anthropic's ecosystem. A recent LangChain vulnerability demonstrated how AI orchestration frameworks can expose secrets, while researchers at PromptArmor showed Anthropic's Cowork tool could be exploited through prompt injection to exfiltrate files via the company's upload API.
Browser extensions have also targeted Claude conversations specifically—last December, Urban VPN and related extensions were caught harvesting AI chats from major platforms including Claude, ChatGPT, and Microsoft Copilot.
How to Protect Self-Hosted AI Deployments
Organizations running local AI models should treat them with the same rigor as any other production API. Recommendations include:
- Never expose AI endpoints to the public internet without authentication. Use VPNs, bastion hosts, or solutions like Tailscale to restrict access
- Implement API key rotation and never use default or documentation credentials
- Enable TLS encryption for all model traffic, even on internal networks
- Monitor for anomalous query patterns that might indicate extraction attempts
- Audit access logs for connections from unexpected IP ranges or Tor exit nodes
For organizations that must expose AI APIs externally, rate limiting, IP allowlisting, and request logging become mandatory rather than optional.
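The probes described under "What the Scans Look Like" (a GET to /anthropic/v1/models with the placeholder key "password", followed by requests to /v1/messages) are easy to pick out of ordinary access logs, which is what the monitoring and log-audit recommendations above amount to in practice. The script below is an added example written for this article, not code from SANS or Anthropic. It assumes a reverse proxy in front of the model server writes the combined log format plus one extra quoted field holding the x-api-key header (or "-" when absent); the log lines, the 10.0.0.0/8 and 192.168.0.0/16 "internal" ranges, and the single Tor exit address are all constructed placeholders using TEST-NET space, and a real deployment would load a current exit-node list instead.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field

# Paths reported as probed in the SANS diary. /v1/messages and /v1/models are
# generic across OpenAI-compatible servers, so on their own they are weaker
# signals than the Anthropic-specific /anthropic/v1/models.
PROBE_PATHS = {"/anthropic/v1/models", "/v1/messages", "/v1/models"}

# Documentation-style credentials that should never be accepted in production.
# Constructed list for this example.
PLACEHOLDER_KEYS = {"password", "your_api_key", "your-api-key", "test", "changeme"}

# Address ranges this operator treats as internal (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Known Tor exit addresses. Constructed placeholder in TEST-NET space; load a
# current exit-node list here in a real deployment.
TOR_EXIT_NODES = {"198.51.100.23"}

# Assumed log_format: combined format followed by one quoted field with the
# x-api-key header value (or "-" if the header was absent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<apikey>[^"]*)"$'
)

# Constructed sample log lines; timestamps, addresses and user agents are made up.
SAMPLE_LOG = """\
198.51.100.23 - - [02/Feb/2026:10:01:12 +0000] "GET /anthropic/v1/models HTTP/1.1" 401 0 "-" "python-requests/2.31" "password"
203.0.113.77 - - [02/Feb/2026:10:02:40 +0000] "POST /v1/messages HTTP/1.1" 200 512 "-" "curl/8.4.0" "password"
10.0.0.5 - - [02/Feb/2026:10:03:01 +0000] "POST /v1/messages HTTP/1.1" 200 2048 "-" "internal-app/1.0" "sk-ant-redacted"
203.0.113.9 - - [02/Feb/2026:10:04:15 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.29" "-"
203.0.113.77 - - [02/Feb/2026:10:05:00 +0000] "GET /v1/models HTTP/1.1" 403 0 "-" "curl/8.4.0" "-"
"""


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    placeholder_key: bool
    tor_exit: bool
    external: bool
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A 200 to a placeholder credential means the endpoint is effectively open.
        if self.status == 200 and self.placeholder_key:
            return "critical"
        if self.placeholder_key or self.tor_exit:
            return "high"
        return "medium"


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text: str) -> list:
    """Return one Finding per request to a model endpoint that shows a suspicious trait."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format; skip rather than guess
        path = m["path"].split("?", 1)[0]
        if path not in PROBE_PATHS:
            continue  # not a model endpoint, out of scope for this check
        placeholder = m["apikey"].lower() in PLACEHOLDER_KEYS
        tor = m["ip"] in TOR_EXIT_NODES
        external = not is_internal(m["ip"])
        if not (placeholder or tor or external):
            continue  # internal client with a non-placeholder key: normal traffic
        reasons = [f"request to {path}"]
        if placeholder:
            reasons.append(f"placeholder credential {m['apikey']!r}")
        if tor:
            reasons.append("source is a known Tor exit node")
        if external:
            reasons.append("source outside internal ranges")
        status = int(m["status"])
        if status == 200:
            reasons.append("server answered 200")
        findings.append(Finding(m["ip"], path, status, placeholder, tor, external, reasons))
    return findings


def by_source(findings: list) -> Counter:
    """Count findings per source address, useful for spotting a single scanner."""
    return Counter(f.ip for f in findings)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.severity:8} {f.ip:15} {f.status} {f.path}: {'; '.join(f.reasons)}")
    print(by_source(analyze(SAMPLE_LOG)))
```

Two design points are worth noting. First, the check only escalates a request to a model path when something else is off (placeholder key, Tor exit, or an external source), so routine internal traffic with real keys produces no noise. Second, logging the raw x-api-key value, as the assumed log format does, puts secrets in your log pipeline; in production, log a boolean "matched a known placeholder" or a truncated hash of the key instead and adapt the regex accordingly.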
What This Means for Defenders
The SANS observation confirms that attackers have added AI endpoint discovery to their reconnaissance playbooks. As CISA's recent advisories have emphasized across multiple sectors, visibility into your attack surface now includes cataloging AI deployments.
Security teams should inventory any AI-related services in their environment—authorized or shadow IT—and verify they aren't accidentally internet-accessible. The same scanning infrastructure probing for exposed databases and admin panels is now searching for your LLMs.
The credentials used in this campaign were generic, suggesting attackers are casting a wide net rather than targeting specific organizations. But the pattern has worked before: find exposed services, try default credentials, and exploit whatever responds. AI endpoints are just the newest entry on that list.