From Open Servers to Phishing Pages, Large Language Models Are Turning Into Host Risks

From Open Servers To Phishing Pages Ai Tools Are Turning Into Host Risks
Follow Us:
2.7k
1k

Cyberattacks targeting LLMs are on the rise. On Sept. 2, Cisco Talos uncovered more than 1,100 Ollama servers open for access, leaving nearly 20% active hosting stacks at risk.

At the same time, cybersecurity company Proofpoint has flagged tens of thousands of phishing campaigns built on AI builder Lovable’s platform, including a June campaign that had more than 3,500 fake UPS pages.

Ari Weil, Cloud Evangelist at Akamai
Ari Weil, Cloud Evangelist at Akamai

That’s followed by news of researchers from Tel Aviv who proved how “poisoned” Google Calendar invitations could trigger Gemini to obey hidden instructions.

None of these are novel instances, nor will they be the last. In fact, a 2025 study found that 76% of LLM platforms rely on dependencies with known vulnerabilities, with some having been unpatched for years.

But the larger issue isn’t about distrust of AI at all: It’s the way third-party platforms built on top of it can be weaponized — not just creating problems for customers, but infiltrating the hosting infrastructure itself.

Ari Weil, Cloud Evangelist at Akamai told HostingAdvice, hosting providers won’t be able to treat AI abuse as someone else’s problem.

“Hosting providers have a responsibility to provision well-architected solutions, and that includes security, since they can also provide a platform for malicious actors,” said Weil. “Providing guidance, support, and making value-add services available on their platforms for their users are going to become expectations.”

The Campaigns in Question

Local Models = Global Problem

Using Shodan — a search engine that indexes internet-connected devices — Cisco Talos found more than 1,100 Ollama servers exposed online with no authentication (passwords/logins, MFA, etc.).

Flow chart
Cisco Talos used Shodan to identify 1,000+ vulnerable LLM servers. Credit: Cisco

Cisco Talos emphasized that this kind of vulnerability could lead to hijacking the model itself, allowing jailbreaking, backdoor injections, and lateral movements inside the networks.

That means anybody can connect and use them.

In fact, about 80% of the detected instances in Ollama are dormant; the rest could still be hijacked. The exposures span the U.S., China, and Europe.

But what’s perhaps more concerning is who’s relying on Ollama: Those on tight budgets are drawn to it because it’s cheap and fast.

In one study of developers in India, running local LLMs through Ollama doubled their speed in prototyping experiments. Massive prompting without the proper security protocols only expands the attack surface.

Lovable’s Cybersecurity Flaw

Security research firms Proofpoint and Guardio Labs have documented several attacks tied to Lovable, an LLM website and app builder, since the beginning of 2025.

This includes thousands of phishing emails from fraudulent UPS sites, fake Microsoft login forms, crypto theft, and malware delivery via fake invoice portals. Lovable told BleepingComputer that it’s taken down around 300 malicious sites so far.

Fake email
An illegitimate UPS phishing email hosted on Lovable. More than 3.5 billion phishing emails are sent out each day. Image source: Proofpoint

Proofpoint first flagged widespread credential-phishing campaigns using Lovable links back in February 2025. By April, Guardio Labs demonstrated how easily Lovable could be manipulated to produce convincing phishing pages compared to ChatGPT and Claude (both of which refused due to a violation of their policies).

But here’s what Lovable’s LLM said:

Lovable LLM prompt screenshot
Guardio’s caption for this test reads: “Lovable quickly creates the scampage, no questions asked.”

As for Lovable’s response, it looks like it came in the form of a new, updated security feature: Security Checker 2.0. The system allegedly now blocks more than 1,000 “rule-breaking projects” per day.

“Invitation Is All You Need”

Last month, three cybersecurity researchers — Ben Nassi, Stav Cohen, and Or Yair — tested Google’s defenses by booby-trapping calendar invites.

The malicious invite contained text that looked normal to the average user, but it carried unseen prompts that Google’s LLM, Gemini, interpreted as commands. Once Gemini summarized or processed the invite, it acted on the instructions.

The tests were somewhat benign — triggered smart home devices and initiated Zoom calls via integrations — but security researcher Johann Rehberger said they’re proof of what cyberattackers could do at scale.

Flowchart
When a user asks a Gemini assistant about their messages, the injected prompt hijacks its context and can trigger actions like turning on smart devices, recording Zoom calls, or exposing location data. Credit: Google.com

“They really showed at large scale, with a lot of impact, how things can go bad, including real implications in the physical world with some of the examples,” Rehberger told WIRED.

The Gemini calendar exploit — nicknamed “Invitation Is All You Need” — is a single proof-of-concept Google rushed to patch.

In an official response, Google said it is deploying mitigations such as machine-learning-based prompt detection, output filtering, and mandatory user confirmations for sensitive actions.

A similar case came from cybersecurity consultancy Trail of Bits, which discovered hidden prompts embedded in images that only revealed themselves when the files were downsized. Since most systems downsize images by default, that age-old resizing process becomes an entry point to the network.

The Bigger Picture

Attackers have always leaned on trusted platforms, but because customers usually aren’t the first to distinguish between “where a site was built” and “where it’s hosted,” it’s easy for malicious domains to bypass user skepticism.

The difference now is that AI platforms let attackers create convincing campaigns in minutes, which makes it that much harder to keep bad actors and abuse out of their networks.

So it’s not that AI tools are dangerous by default, but that a lot of people are experimenting with them on shareable infrastructure. With AI as part of the hosting landscape — a tool that has forever changed the trajectory of the internet — it’s all about preparation.

It’s why Weil suggests the industry needs to start thinking about what AI-specific security measures will look like.

“None exist today. There is inconsistent behavior exhibited by technologies and bot operators, even at the most basic level of whether and how to honor robots.txt,” said Weil, noting that, while organizations like the IETF are beginning to study the problem, it will be a long time before any solutions emerge.

In the meantime, it will be up to hosts to bear the brunt of protection.