From Open Servers to Phishing Pages, Large Language Models Are Turning Into Host Risks

Writer: Jordan Sprogis

Jordan Sprogis, Contributing Expert

Jordan Sprogis is a creative writer and tech researcher who has been working on online content for the better part of a decade. She holds a bachelor's degree in professional writing from Western Connecticut State University and has devoted much of her career to crafting content for various web verticals, including CyberSpyder and The Echo. Since joining HostingAdvice, Jordan has combined her storytelling ability with her fascination for advancements in technology to pen over 500 articles geared toward industry pros and newcomers alike.

Editor: Lillian Castro

Lillian Castro, Senior Editor

Lillian Castro brings more than 30 years of editing and journalism experience to our team. She has written and edited for major news organizations, including The Atlanta Journal-Constitution and the New York Times, and she previously served as an adjunct instructor at the University of Florida. Today, she edits HostingAdvice content for clarity, accuracy, and reader engagement.

Reviewer: Cristian Lopez

Cristian Lopez, News Manager

Cristian Lopez uses his Business Marketing background from the University of Illinois at Chicago to create comfortable environments for customers, clients, and colleagues to share their thoughts and ideas openly. From interviewing tech leaders to conducting UX market research projects, Cristian knows the importance of storytelling — a key variable for innovation and inspiration. His goal at HostingAdvice is to wow readers on the ever-evolving nature of the tech industry and bring his audience the most reliable and exciting content on all things hosting.

Follow the HostingAdvice team for a daily dose of tech news, trending IT discussions, and interviews with the web's most innovative technologists.
Follow Us:
2.7k
1k

Cyberattacks targeting LLMs are on the rise. On Sept. 2, Cisco Talos uncovered more than 1,100 Ollama servers open for access, leaving nearly 20% active hosting stacks at risk.

At the same time, cybersecurity company Proofpoint has flagged tens of thousands of phishing campaigns built on AI builder Lovable’s platform, including a June campaign that had more than 3,500 fake UPS pages.

Ari Weil, Cloud Evangelist at Akamai
Ari Weil, Cloud Evangelist at Akamai

That’s followed by news of researchers from Tel Aviv who proved how “poisoned” Google Calendar invitations could trigger Gemini to obey hidden instructions.

None of these are novel instances, nor will they be the last. In fact, a 2025 study found that 76% of LLM platforms rely on dependencies with known vulnerabilities, with some having been unpatched for years.

But the larger issue isn’t about distrust of AI at all: It’s the way third-party platforms built on top of it can be weaponized — not just creating problems for customers, but infiltrating the hosting infrastructure itself.

Ari Weil, Cloud Evangelist at Akamai told HostingAdvice, hosting providers won’t be able to treat AI abuse as someone else’s problem.

“Hosting providers have a responsibility to provision well-architected solutions, and that includes security, since they can also provide a platform for malicious actors,” said Weil. “Providing guidance, support, and making value-add services available on their platforms for their users are going to become expectations.”

The Campaigns in Question

Local Models = Global Problem

Using Shodan — a search engine that indexes internet-connected devices — Cisco Talos found more than 1,100 Ollama servers exposed online with no authentication (passwords/logins, MFA, etc.).

Cisco Talos used Shodan to identify 1,000+ vulnerable LLM servers. Credit: Cisco

Cisco Talos emphasized that this kind of vulnerability could lead to hijacking the model itself, allowing jailbreaking, backdoor injections, and lateral movements inside the networks.

That means anybody can connect and use them.

In fact, about 80% of the detected instances in Ollama are dormant; the rest could still be hijacked. The exposures span the U.S., China, and Europe.

But what’s perhaps more concerning is who’s relying on Ollama: Those on tight budgets are drawn to it because it’s cheap and fast.

In one study of developers in India, running local LLMs through Ollama doubled their speed in prototyping experiments. Massive prompting without the proper security protocols only expands the attack surface.

Lovable’s Cybersecurity Flaw

Security research firms Proofpoint and Guardio Labs have documented several attacks tied to Lovable, an LLM website and app builder, since the beginning of 2025.

This includes thousands of phishing emails from fraudulent UPS sites, fake Microsoft login forms, crypto theft, and malware delivery via fake invoice portals. Lovable told BleepingComputer that it’s taken down around 300 malicious sites so far.

An illegitimate UPS phishing email hosted on Lovable. More than 3.5 billion phishing emails are sent out each day. Image source: Proofpoint

Proofpoint first flagged widespread credential-phishing campaigns using Lovable links back in February 2025. By April, Guardio Labs demonstrated how easily Lovable could be manipulated to produce convincing phishing pages compared to ChatGPT and Claude (both of which refused due to a violation of their policies).

But here’s what Lovable’s LLM said:

Guardio’s caption for this test reads: “Lovable quickly creates the scampage, no questions asked.”

As for Lovable’s response, it looks like it came in the form of a new, updated security feature: Security Checker 2.0. The system allegedly now blocks more than 1,000 “rule-breaking projects” per day.

“Invitation Is All You Need”

Last month, three cybersecurity researchers — Ben Nassi, Stav Cohen, and Or Yair — tested Google’s defenses by booby-trapping calendar invites.

The malicious invite contained text that looked normal to the average user, but it carried unseen prompts that Google’s LLM, Gemini, interpreted as commands. Once Gemini summarized or processed the invite, it acted on the instructions.

The tests were somewhat benign — triggered smart home devices and initiated Zoom calls via integrations — but security researcher Johann Rehberger said they’re proof of what cyberattackers could do at scale.

When a user asks a Gemini assistant about their messages, the injected prompt hijacks its context and can trigger actions like turning on smart devices, recording Zoom calls, or exposing location data. Credit: Google.com

“They really showed at large scale, with a lot of impact, how things can go bad, including real implications in the physical world with some of the examples,” Rehberger told WIRED.

The Gemini calendar exploit — nicknamed “Invitation Is All You Need” — is a single proof-of-concept Google rushed to patch.

In an official response, Google said it is deploying mitigations such as machine-learning-based prompt detection, output filtering, and mandatory user confirmations for sensitive actions.

A similar case came from cybersecurity consultancy Trail of Bits, which discovered hidden prompts embedded in images that only revealed themselves when the files were downsized. Since most systems downsize images by default, that age-old resizing process becomes an entry point to the network.

The Bigger Picture

Attackers have always leaned on trusted platforms, but because customers usually aren’t the first to distinguish between “where a site was built” and “where it’s hosted,” it’s easy for malicious domains to bypass user skepticism.

The difference now is that AI platforms let attackers create convincing campaigns in minutes, which makes it that much harder to keep bad actors and abuse out of their networks.

So it’s not that AI tools are dangerous by default, but that a lot of people are experimenting with them on shareable infrastructure. With AI as part of the hosting landscape — a tool that has forever changed the trajectory of the internet — it’s all about preparation.

It’s why Weil suggests the industry needs to start thinking about what AI-specific security measures will look like.

“None exist today. There is inconsistent behavior exhibited by technologies and bot operators, even at the most basic level of whether and how to honor robots.txt,” said Weil, noting that, while organizations like the IETF are beginning to study the problem, it will be a long time before any solutions emerge.

In the meantime, it will be up to hosts to bear the brunt of protection.

About the Author

Contributing Expert

Jordan Sprogis is a creative writer and tech researcher who has been working on online content for the better part of a decade. She holds a bachelor's degree in professional writing from Western Connecticut State University and has devoted much of her career to crafting content for various web verticals, including CyberSpyder and The Echo. Since joining HostingAdvice, Jordan has combined her storytelling ability with her fascination for advancements in technology to pen over 500 articles geared toward industry pros and newcomers alike.

« BACK TO: BLOG

Meet the Experts

Our team of experts with a combined 50+ years of experience in web hosting serve insight and advice to more than 20 million users!

We Know Hosting

$

4

8

,

2

8

3

spent annually on web hosting!