§ Research Library
Everything published
568 artifacts: 150 surveys and synthesis papers, 201 engagement records, 133 disclosures, 84 codified insights.
- Survey 2026-06-07 new
LangGraph Studio Population Survey — Local Dev Tool Misdeployed to Public AWS at 90.9%
LangGraph Studio (github.com/langchain-ai/langgraph) is LangChain's local-development debugger / visualizer for LangGraph applications. It is designed to run on localhost:2024 during development, with desktop auth-type m…
- Survey 2026-06-07 new
OpenHands Population Survey — Autonomous Agent Task History + LLM Config Exposed at Scale
OpenHands (github.com/All-Hands-AI/OpenHands, formerly OpenDevin) is an autonomous coding agent platform with multiple agent types (CodeActAgent, BrowsingAgent, VisualBrowsingAgent, ReadOnlyAgent, LocAgent, DummyAgent) t…
- Synthesis paper 2026-06-07 new
The Auth-on-Default Landscape of OSS AI/LLM Infrastructure
Two-day population survey across 13 OSS AI/LLM infrastructure platforms reveals a maintainer-culture-axis split between demo-first defaults (auth-permissive, 70-91% open) and enterprise-customer-first defaults (auth-required, 0-1%). The cohort is not jurisdiction-defined. Insight #76 scope-bounded to platform class; LLM02 Sensitive Information Disclosure is the dominant finding class; the Capitol.ai escalation demonstrates the maintainer-default failing at enterprise-SaaS scale; in-flight attacker /proc/self/environ activity directly observable on OpenHands instances.
- Engagement record Commercial 2026-06-07 new
Cat-29 Argo Workflows: :2746 probe sweep, 2026-06-07
Lane 1A of the 9-item 2026-06-07 plan. Goal: test whether port 2746 hosts an unauthenticated Shodan-dark tier among Argo Workflows operators whose :443 surface is gated by IAP/AzureAD. Method: parallel curl probes (5-sec…
- Engagement record Commercial 2026-06-07 new
DMARC Funding-Stage Proxy — Full-Registry Sweep N=410
Date: 2026-06-07. Cohort: full NuClide AI-infrastructure vendor registry (MASTER-port-vendor-registry.csv, 435 vendor names, 410 unique apex domains resolved after dedup and OSS filtering). Probe: dig +short TXT dmarc.<d…
- Engagement record Commercial 2026-06-07 new
MCP Servers and CrewAI — Negative Results with Methodology Value
Two attempted same-day surveys produced no actionable findings — but the failure modes are themselves research-program-relevant. Both reveal classes of AI/LLM infrastructure that are not surveyable with the population-Sh…
- Insight 2026-06-07 new
Insight #80: DMARC enforcement rate is a funding-stage proxy in AI-security vendors
DMARC policy strictness scales monotonically with funding stage in AI-security vendors:
- Insight 2026-06-07 new
Insight #81: The Docker Compose EHLO leak generalizes to a class of three MTAs (Haraka, Exim, Sendmail)
The Sluice Docker-Compose attribution leak (Haraka echoes service.projectdefault shorthand in its EHLO greeting because connection.js:844 reverse-resolves the connecting client and includes the PTR) is not a Haraka quirk…
- Insight 2026-06-07 new
Insight #82: API-gateway guardrail vendors emit vendor-branded error bodies at HTTP 400 without auth, by design. The error string IS the cheap-fingerprint banner.
API-gateway guardrail vendors return distinctive vendor-branded error bodies when the marker endpoint is called without authentication. The errors are not a security failure: they are deliberate developer-experience choi…
- Insight 2026-06-07 new
Insight #83: Inbox-agent guardrails in 2026 are per-operator OAuth clients in the customer's own tenant, not Workspace Marketplace addons. The right dork is cert-SAN, not Marketplace search.
The Cat-33 deep brief (2026-06-06) described Lane C as "Workspace addon as middleware" with the implicit assumption that Google Workspace Marketplace and Microsoft AppSource are the discovery surfaces. Three Lane C vendo…
- Insight 2026-06-07 new
Insight #84: Cloud-native guardrail wrappers expand operator blast radius in every case. No LiteLLM cloud-wrapper is fully transparent.
LiteLLM wraps three cloud-native guardrail surfaces (AWS Bedrock Guardrails, OpenAI Moderation, Azure Content Safety) plus one OSS framework (Microsoft Presidio). In each case, the underlying cloud or framework API is un…
- Insight 2026-06-07 new
Insight #85: Long-tail LiteLLM guardrail integrations are ~20% stubs. The discriminator is absence of a default api_base.
The LiteLLM guardrailhooks/ directory contains 41 vendor packages. Reading the LiteLLM integration source per vendor reveals two distinct integration shapes:
- Survey 2026-06-06 new
Bisheng Population Survey — Negative Result (Auth-Required Default)
Bisheng (github.com/dataelement/bisheng) is an open-source LLM application development platform from DataElem (Beijing), focused on enterprise-oriented document AI, RAG, agent orchestration, and workflow building. Direct…
- Survey 2026-06-06 new
Dify Population Survey — 939 Config-Disclosure, 9 Open Auth Findings
Dify is an open-source LLM application development platform (drag-and-drop workflow builder, RAG pipelines, agent orchestration). 2,289 Shodan-indexed instances on http.title:"Dify".
- Survey 2026-06-06 new
Flowise Population Survey — 578/841 Open, CVE-2024-36420 PoC Lab Exposed
Flowise is a drag-and-drop LLM workflow builder. Default deployment: no authentication on /api/v1/chatflows — the endpoint returns the full list of all configured chatflows, their nodes, deployment status, and embedded c…
- Survey 2026-06-06 new
Langfuse Population Survey — 816/918 Open Registration (88.9%)
Langfuse is an open-source LLM observability platform (trace ingestion, prompt analytics, evaluation tooling for production AI applications). 1,141 Shodan-indexed instances on "Langfuse" port:3000. 918 responded to live…
- Survey 2026-06-06 new
LibreChat Population Survey — 412/1,565 Open Registration (26.3%)
LibreChat (github.com/danny-avila/LibreChat) is an open-source ChatGPT-alternative chat interface — supports multiple LLM providers, plugins, multimodal, multi-tenant via shared deployments. 3,153 Shodan-indexed instance…
- Survey 2026-06-06 new
Cat-05: LiteLLM Gateway Survey — Open Proxies Exposing Commercial LLM API Keys
The hunt started with a single Shodan dork: http.title:"LiteLLM" port:4000. It returned 2,219 results in under a second.
- Survey 2026-06-06 new
LobeChat Population Survey — 10/12 Fully Open (83.3%, small population)
LobeChat (github.com/lobehub/lobe-chat) is an open-source ChatGPT-alternative chat interface from Lobehub, a China-origin OSS community. Direct functional parallel to LibreChat. 641 Shodan-indexed; 636 downloaded; only 1…
- Survey 2026-06-06 new
Open WebUI Population Survey — 39 Auth-Off, 564 Open Signup
18,389 Shodan-indexed instances of Open WebUI. One GET to /api/config returns a JSON object that tells you everything: whether auth is enforced, whether public registration is open, the operator's branding name, and the…
- Survey 2026-06-06 new
Cat-OW Calibration Deltas — 5 Named Findings Re-Verified
A spot-check verification pass on five named-institution findings in the Open WebUI population survey, applying the attribution hierarchy from Insight #79.
- Survey 2026-06-06 new
Arize Phoenix Population Survey — 41/55 Unauthenticated Project Disclosure
Arize Phoenix (github.com/Arize-ai/phoenix) is an open-source LLM observability and tracing platform — span ingestion, project organization, dataset versioning, prompt management for production AI applications. 94 Shodan…
- Survey 2026-06-06 new
RAGFlow Population Survey — 618/709 Open Registration (87.2%)
RAGFlow (github.com/infiniflow/ragflow) is an open-source RAG knowledge-base engine — document ingestion, vector retrieval, LLM-backed Q&A over enterprise knowledge bases. 1,915 Shodan-indexed instances on http.title:"RA…
- Engagement record Commercial 2026-06-06 new
LibreChat Verification Deep-Dive — Notable Findings Re-Profiled
Deeper verification on the six notable finding clusters surfaced in the LibreChat population survey. Restraint maintained throughout: no registration, no LLM invocation, no account creation. Methods used: /api/config, /a…
- Insight 2026-06-06 new
Insight #79 — The `name` field is aspirational free text; attribution needs a hierarchy
When a platform exposes an operator-set string in its public config (Open WebUI's name, Langfuse's appname, OneAPI's systemname, V2Board's appname), that string is aspirational free text. Taking it at face value for seve…
- Survey 2026-06-05 new
Cat-03 Model Serving & Inference — Survey 2026-06-05
Survey of 5,018 IPs across 17 Shodan and 9 Censys queries targeting Cat-03 (model serving and inference: llama.cpp, KoboldCpp, LM Studio, vLLM, SillyTavern, faster-whisper, One API, New API, Open WebUI, SGLang, GPT4All,…
- Insight 2026-06-05 new
Insight #78 — Shared deployment kits create operator-class exposure: one fingerprint, N unauth backends
When a deployment kit (a preconfigured stack template) circulates within an operator community, every operator who deploys it inherits the same misconfiguration. The fingerprint of the kit - version string, favicon hash,…
- Insight 2026-06-02 new
Insight #77 — Passive Shodan is an MCP crypto-sieve; the lifecycle handshake is the depth-gate
Two coupled facts govern any MCP population survey:
- Survey 2026-06-01 new
AI Gateways Population Survey: Cat-32 (2026-06-01)
An AI gateway sits in front of every upstream LLM provider an operator uses. It holds the OpenAI key, the Anthropic key, the Gemini key, the DeepSeek key. All in one process. That is the point of the product. It is also…
- Engagement record Commercial 2026-06-01 new
Unauthenticated ML Training Server — velutina-service.ch
JAXEN returned 185.66.109.62 under a passive Shodan query for exposed AI/ML infrastructure on Swiss hosting ranges. The Shodan record showed:
- Insight 2026-06-01 new
Insight #74 — AI gateway exposure is a master-key theft multiplier, not a single-key leak
An exposed AI gateway is categorically different from an exposed model server. A single unauth Ollama instance leaks one operator's inference surface. A single unauth AI gateway yields every upstream LLM provider API key…
- Insight 2026-06-01 new
Insight #75 — HTTP-only admin ports are a dead-end for cert-pivot; attribution requires secondary port pivot
Cert-pivot (VisorGraph / crt.sh) only works on HTTPS endpoints -- there is no TLS handshake to intercept and no certificate to extract from a plaintext HTTP port. AI gateway admin APIs run HTTP-only by design:
- Insight 2026-06-01 new
Insight #76 — The app is auth-on; the operator's debris is auth-off
In single-operator and small-team ML/AI deployments, the application's auth posture and the operator's filesystem hygiene are independent variables. The purpose-built service can be correctly authenticated end-to-end whi…
- Survey 2026-05-31
Argo Workflows Population Survey — Cat-29 (2026-05-31)
- Survey 2026-05-31
Data Labeling & Annotation: the registration knob that re-opens the door
Data-labeling platforms sit at the input boundary of every supervised-learning and RLHF pipeline. They hold the raw data being labeled: PII-dense text, scanned documents, medical and facial imagery, and the human-prefere…
- Survey 2026-05-31
RAG Framework Servers Population Survey — Cat-07 (2026-05-31)
First population survey of the RAG-framework-server category. 16 platforms in the 2026-05-27 pre-assessment intel (data/platform-intel/rag-frameworks-osint-2026-05-27.md); 15 dorks run this session. The category spans pr…
- Survey 2026-05-31
Service Mesh Control Planes: when exposure is the authentication failure
Every survey so far measured platforms that have an authentication layer and ship it on or off. Service-mesh introspection planes are a harder test for the auth-on-default thesis: most of them have no auth layer at all.…
- Engagement record Commercial 2026-05-31
Dark-Tier Probe Result (Option A) — 2026-05-31
- Engagement record Universities 2026-05-31
NCKU Edge Host: a Kubernetes Control Plane Behind a MikroTik Gateway
A single handed-over IP resolved into an NCKU lab's internet edge: a MikroTik RouterOS gateway DNAT-forwarding to an internal network, with eighteen services reachable through it. The headline exposure is not an AI servi…
- Insight 2026-05-31
Insight #69: A curated-port scan's negative is not a host-level negative; run a full-range population (Censys) as a standing complement
When aimap (our AI-intent-curated port scanner) reports "no AI/ML service," that is a true statement about the ports and fingerprints it checked, not a statement about the host. The two are easy to conflate, and conflati…
- Insight 2026-05-31
Insight #70: Censys is a dual primitive — full-range ports give identity, protocol decoders give auth-state; never conflate the label with the decoder
A Censys cross-reference returns two separable things, and treating them as one ships a wrong number. The first is identity: the full-range port sweep shows which services a host actually runs, including the data tier an…
- Insight 2026-05-31
Insight #71 — Network-placement-as-auth: when exposure IS the authentication failure
The auth-on-default thesis has, until now, measured platforms that have an authentication layer and ship it on or off by default (Phoenix ENABLEAUTH=False vs Langfuse no-toggle). Service-mesh introspection planes are a d…
- Insight 2026-05-31
Insight #72 — Ships-auth-but-default-open-registration: the knob that re-opens a closed door
There is a failure class between "auth off by default" (#13) and "no auth layer at all" (#71): a platform that ships real authentication and a real authorization layer, both on by default, and then ships a self-registrat…
- Insight 2026-05-31
Insight #73 — Header-versioned APIs are invisible to header-less fingerprinters
A fingerprinter that does not send the platform's content-negotiation header will get zero results from a platform that uses header-based API versioning, even when the platform is present, exposed, and unauthenticated at…
- Survey 2026-05-30
Specialty Data Layers survey, 2026-05-30
Three of five sampled Spark History Servers exposed their job inventories with no authentication, and two of them are machine-learning pipelines. The job names are the finding. They map the feature-engineering, training,…
- Survey 2026-05-29
Auth / Identity / Gateway survey, 2026-05-29
Open Policy Agent ships with no authentication, and five of six sampled hosts returned their full Rego policy list with no credentials. The policy names are the finding. They map the operator's authorization model and th…
- Survey 2026-05-29
Experiment Tracking, registry and RCE half, 2026-05-29
MLflow ships with no authentication, and the population shows it: eight of eight sampled servers returned the full experiment list with no credentials. One held 379 experiments and leaked a Google Cloud Storage bucket na…
- Survey 2026-05-29
ML Governance / Data Catalog survey, 2026-05-29
Nine dorks. Six platforms. The category is well-secured at population scale, and that is the finding. The auth-on platforms run patched versions. The auth-off platforms are either Shodan-dark or empty demos. One unauthen…
- Survey 2026-05-29
Model Serving, management-plane and registry, 2026-05-29
The model-serving category is Shodan-dark. vLLM, Triton, TGI, and TorchServe all serve JSON APIs, and their identifying strings live in JSON bodies, not in the HTML Shodan crawls. The dominant self-hosted LLM inference s…
- Survey 2026-05-29
RAG framework stragglers, 2026-05-29
AnythingLLM ships single-user mode with no password, and two of five sampled hosts had the web UI open to any browser visitor. The verification narrowed the finding: the open UI is browser-reachable, but the developer RE…
- Survey 2026-05-29
LLM Safety / Guardrail survey, 2026-05-29
Five dorks. One confirmed unauthenticated guardrail server, and the guardrail was the least exposed thing on the box. The same host left MongoDB, Redis, MySQL, PostgreSQL, and a Docker registry open with no authenticatio…
- Engagement record Commercial 2026-05-29
Voice/Audio AI re-run: Category 17, 2026-05-29
Fifteen dorks. Twenty-eight candidates. Six confirmed unauthenticated voice services across five hosts. One four-service stacked host. Four false positives killed at the verification stage, including a would-be remote-co…
- Engagement record Commercial 2026-05-29
Zep CE: empty default api_secret accepts a zero-entropy credential
Code-level finding from the agent-memory pre-assessment (data/platform-intel/agent-memory-osint-2026-05-29.md). Labeled per case-studies/FINDING-TEMPLATE.md. This is a platform finding, not a host case study: no live tar…
- Insight 2026-05-29
Insight #67: Voice/audio AI API servers are Shodan-dark behind JSON-only roots; only the demo UI indexes
For the entire voice/audio AI category, the highest-severity surfaces are the ones Shodan cannot see. The OpenAI-compatible TTS/ASR API servers (GPT-SoVITS, Orpheus, Kokoro's API path, Deepgram on-prem, WhisperLive) retu…
- Insight 2026-05-29
Insight #68: The verification-rung grid. Label every claim by a depth-and-breadth pair, and never use language above the rung its evidence reached
Every finding carries a verification status expressed as a pair: an inner rung (depth, code vs live) and an outer rung (breadth, host vs population). The two axes are logically orthogonal, so they must not be collapsed i…
- Survey 2026-05-28
AI Evaluation and Red-Team Platform Survey — Promptfoo Population Pass
Promptfoo is the only AI eval/red-team platform in the 13-platform scope that produced confirmed unauthenticated exposure at scale. Four instances returned {"email":null} on GET /api/user/email with eval datasets and pro…
- Survey 2026-05-28
Auth and API Gateway Platforms: Population Survey
Shodan harvest of 13 auth and API gateway platforms returned confirmed populations across six categories. SuperTokens (port 3567) is the largest exposed surface at 455 confirmed internet-facing instances with no API key…
- Survey 2026-05-28
Unauthenticated FinOps Cost APIs Hand Attackers a Free Cluster Recon Map
Sixty-seven Kubernetes cost-tooling endpoints (Kubecost 50, OpenCost 14, vendor-undetermined 3) answer their cost-model API with no authentication. Fifty-nine return full per-namespace cluster topology and summed daily s…
- Survey 2026-05-28
Model Serving and Registry Infrastructure Survey
Shodan sweep across 11 model-serving and registry platforms. MLflow is the only platform with a live, indexable population -- 10 confirmed unauthenticated instances spanning 6 cloud providers and 6 countries. Every other…
- Survey 2026-05-28
RAG Stragglers: LightRAG, RAGFlow, DocsGPT, Ragapp Population Survey
Four RAG platforms were left unfinished from prior survey runs: LightRAG, RAGFlow, DocsGPT, and Ragapp. This pass closes them out with a full Shodan harvest, verification, and arsenal run.
- Survey 2026-05-28
LLM Guard survey: guardrail platforms Shodan-dark except /metrics side-channel
Two LLM Guard v0.0.10 instances confirmed from an 11-platform Shodan sweep. Both have auth configured on scan endpoints (/analyze/prompt, /analyze/output, /scan/output). Both expose /metrics without auth. The metrics end…
- Survey 2026-05-28
Cat-30: Specialty Data Layers — Population Survey
- Survey 2026-05-28
Voice/Audio AI Infrastructure Survey
- Engagement record Commercial 2026-05-28
Apptica — Production Data Lake Exposed via Unauthenticated ClickHouse
Apptica is a commercial app store intelligence platform offering revenue estimates, download data, keyword rankings, and advertising intelligence for mobile apps across iOS and Android. Their product — described as "Ad I…
- Engagement record Commercial 2026-05-28
DataV / Skillmine Technology — Multi-Party Data Breach via Unauthenticated ClickHouse
DataV is a no-code AI analytics and data visualization platform built and operated by Skillmine Technology Consulting Private Limited (Mumbai). The platform allows customers to upload CSV and Excel files, connect SQL dat…
- Engagement record Commercial 2026-05-28
Sanio AI — Collision AgentOS / Walmart Pipeline Exposure
Surface identified in session 43 (cat-06 stragglers survey) via Shodan dork port:7777 http.html:"agno". Prior session confirmed the host as unauth Agno on port 7777 with road collision data in scope. This session ran fiv…
- Engagement record Commercial 2026-05-28
Snap-E Cabs — ScyllaDB Default Credentials + Unauthenticated REST API
Snap-E Cabs, a BSE-listed Indian EV ride-hailing operator (600+ vehicles, Kolkata), runs a ScyllaDB cluster on GCP with the CQL port accepting default cassandra/cassandra credentials and the admin REST API exposed with z…
- Survey 2026-05-27
Argo Workflows: K8s-Native Workflow Orchestration Survey
Shodan survey of the global Argo Workflows population via TLS certificate fingerprint. 67 confirmed instances (initial survey, ssl:"ArgoProj" dork) plus 17 Argo-confirmed instances from a second non-overlapping populatio…
- Survey 2026-05-27
ML Governance / Data Catalog Survey — OpenMetadata + DataHub
56 confirmed governance platforms, 56 auth-enforced. Zero auth-off. All OpenMetadata instances run v1.3.1+, past the CVE-2024-28255 patch boundary. Version disclosure MEDIUM on 31 OpenMetadata hosts.
- Engagement record Commercial 2026-05-27
Argo Workflows — Pre-Assessment OSINT Brief (2026-05-27)
Intelligence gathered before the population scan to fine-tune dork selection, fingerprint design, verification methodology, and scope. Not a survey — a survey prep document. The scan chain runs after this.
- Insight 2026-05-27
Insight #65: TLS-Cert-Anchored Discovery Selects for Auth-Enforced Deployments
Passive Shodan discovery anchored on a TLS certificate organizational field (e.g. ssl:"ArgoProj") has inherent selection bias: it finds managed, production-grade deployments that are more likely to have authentication en…
- Insight 2026-05-27
Insight #66: Fingerprint DefaultPorts Must Be Survey-Driven, Not Doc-Driven
aimap's fingerprint matcher filters candidates by DefaultPorts. A fingerprint listing only the vendor-documented default port will be silently skipped on every host running the service on a different port — producing a c…
- Survey 2026-05-26
OpenHands Autonomous Agent: 52 Unauth Deployments, WhatsApp Bot Builder Pattern
191 OpenHands instances in Shodan. We scanned 56. 52 returned /api/v1/settings without authentication. On 26 of those 52 hosts, Evolution API (WhatsApp automation gateway) runs on port 3000 alongside OpenHands on port 30…
- Engagement record Commercial 2026-05-26
Cat-06 Stragglers: Agno Auth-Off-Default, GPT Researcher 14 Unauth, Walmart Temporal Exposure
Agno ships with no authentication. The playground server (uvicorn, port 7777) returns full agent manifests and run histories to any caller. Three confirmed Agno deployments expose AI agents with live database, email, cal…
- Engagement record Commercial 2026-05-26
BackGround Studio CRM — Credential Leak, DatingUser Records in Redis
The Redis password was in the GUI. It worked. One key. 99 users in a dating platform sorted set.
- Engagement record Commercial 2026-05-26
CampusIRIS Dev Environment — Credential Leak via RedisInsight, Student Data Schema Exposed
RedisInsight left the Redis password in plain sight. The password worked. Behind it: 115 keys of a multi-tenant school SaaS, student attendance records, 24k session IDs, and tenant database connection strings.
- Engagement record Commercial 2026-05-26
CMS Production Redis — RedisInsight Credential Leak, Chain B
RedisInsight 2.36.0 at port 8001 requires no authentication. GET /api/databases returns the Redis AUTH password in plaintext. AUTH confirms on port 6379. Keyspace: 154 keys. Apollo GraphQL dev-api: full introspection unauth, getCustomUsersCsv executed without credential and returned a live GCS signed URL, 8,650 artist records returned unauth, sendPushNotificationsToUsers schema maps platform-wide push. APAC node 34.87.179.212 firewalled on all ports.
- Engagement record Commercial 2026-05-26
CPAC Strapi CMS — Production API Surface Enumeration
Second node in the CPAC chain. The primary finding is in cpacredis-redisinsight-chain-b-178.128.84.65-2026-05-26.md. The Redis credential prefix cpacredis pivoted to cpac.co.th, which resolved to a Strapi CMS instance se…
- Engagement record Commercial 2026-05-26
cpacredis — RedisInsight Credential Leak on Fleet Telematics Platform
RedisInsight at :8001 requires no authentication. The stored Redis password cpacredis0242 appears in plaintext in the /api/databases response. Behind that credential: a Thai Ready Mix concrete fleet telematics platform,…
- Engagement record Commercial 2026-05-26
difinance.online — RedisInsight Credential Leak on Telegram DeFi Bot
RedisInsight on port 8001 required no authentication. GET /api/databases returned the full Redis connection object, including the password Sq3QmHxJCPn5Dt4LzAaNRg in plaintext. The credential gave direct AUTH access to Re…
- Engagement record Commercial 2026-05-26
EPOLCA — RedisInsight Credential Leak on Industrial Simulation Demo Server
RedisInsight exposed the Redis password for an ePolca production planning demo server on Hetzner DE; AUTH succeeded and revealed six keys covering factory simulation results, KPI states, and production orders — all scoped to the EPOLCA_DEMOS namespace.
- Engagement record Commercial 2026-05-26
Evolution API WhatsApp Broker — RedisInsight Open, 117 Keys Including WhatsApp Session State and Lead Phone Numbers
Brazilian WhatsApp automation SaaS bmaconnect.com.br runs RedisInsight 2.42.0 with no authentication on port 8001, exposing full read/write access to Redis 7.4.7 (n8n-redis-1). 117 keys confirmed: 7 Evolution API WhatsApp session hashes (208KB to 1.16MB), 108 Brazilian phone number conversation queues across 5 named operator clients, and an n8n scheduling key with unresolved lead-number expression. Evolution API 2.3.7 on port 8080 enforces auth on instance management. n8n 1.122.5 (development mode) proxied via ia.bmaconnect.com.br. Second server at 179.190.63.39 for api./zion-teste. subdomains. 90 unique Brazilian phone numbers exposed in key names.
- Engagement record Commercial 2026-05-26
Cat-04 Stragglers: Prefect Auth-Off-Default, Dask University Clusters, ClearML Ransomed ES
Prefect workflow orchestration is auth-off-default. /api/admin/settings is world-readable on all instances. /api/flows/filter and /api/deployments/filter return complete workflow inventories without credentials. Nine of…
- Engagement record Commercial 2026-05-26
ORES CRM (CloudWorks/ows.vn) — Redis Stack Open, 17,337 Chatbot Conversation Records, Multi-Channel Social PII
ORES, a Vietnamese AI-chatbot CRM SaaS built by CloudWorks (ows.vn), runs Redis Stack at 125.212.227.37 without authentication. Two RediSearch indexes expose 34 channel accounts and 17,337 conversation records. Key names confirm multi-channel routing across Zalo, Facebook Page, Zalo OA, and Pancake. The account:index schema stores a token field: OAuth credentials for each connected social channel. The host is the backend for my.ores.vn, proxied through ssl-proxy2.ows.vn at the adjacent IP 125.212.227.40. ASN: AS7552 Viettel Group, Vietnam.
- Insight 2026-05-26
RedisInsight /api/databases Returns Redis Passwords in Plaintext
RedisInsight stores Redis connection configurations in a local database. The REST API at /api/databases (port 8001) returns those configurations with the password field in plaintext. No authentication on the GET request.…
- Insight 2026-05-26
Insight #62: AI Agent + Service Co-location Creates Compound Attack Surface
26 of 52 unauth OpenHands hosts also run Evolution API (WhatsApp automation) on port 3000. The port split is consistent across providers and countries: Evolution API on :3000, OpenHands on :3001. This is a shared Docker…
- Insight 2026-05-26
Insight #63: Install Experience Predicts Auth Posture
Workflow orchestrators with single-binary local-first design default to no authentication. MLOps platforms with managed-cloud heritage default to authentication on. The install experience predicts the auth posture.
- Insight 2026-05-26
Insight #64: AI Agent Manifests Are Pre-Run Disclosure
The /agents endpoint on an unauth Agno (or similar framework) deployment is a finding in itself — before any run is invoked. The agent description tells you what data sources the system can reach. Invoking a run is not r…
- Survey 2026-05-25
LangGraph's Deployment Gap: Exposed AI Agent Infrastructure at Scale
LangGraph's self-hosted deployment path ships with no authentication. We found sixteen internet-facing deployments. All sixteen were open. A financial AI system processing credit reports in Shanghai. A two-node PII scraper running in Paris with no auth by design.
- Survey 2026-05-25
LangGraph Server Population Survey (2026-05-25)
Population-scale survey of LangGraph Server deployments. LangGraph is LangChain's stateful multi-agent execution runtime. The canonical server ships on FastAPI/uvicorn (port 8000) with no authentication by default. Commu…
- Survey 2026-05-25
Redis Stack / RedisInsight Population Survey (2026-05-25)
Population-scale survey of Redis Stack (Redis with RediSearch vector search module) and RedisInsight (browser-based Redis management GUI) deployments.
- Engagement record Commercial 2026-05-25
Airbnb Tenant Agent — CORS Wildcard and Open Booking Thread State
A LangGraph-backed Airbnb booking agent on Hetzner Nuremberg exposes thread creation, thread state reads, and agent execution with no authentication. CORS wildcard headers mean any browser origin can invoke the agent. WhatsApp guest communications are the data class at risk.
- Engagement record Commercial 2026-05-25
Airbnb Tenant Agent — CORS Wildcard and No Auth on a Live WhatsApp Booking Bot
An Airbnb property manager's WhatsApp booking bot runs on LangGraph with no authentication and a wildcard CORS policy. Thread state from real guest conversations is readable without credentials. The agent is named 'Airbnb Tenant Agent' and is active.
- Engagement record Commercial 2026-05-25
Airbnb Tenant Agent — CORS Wildcard on a WhatsApp Booking Assistant
An Airbnb property host's WhatsApp booking assistant runs LangGraph with CORS Access-Control-Allow-Origin: * and no authentication on any endpoint. Any webpage can create threads and read guest booking conversations. The WhatsApp webhook service runs on the same host.
- Engagement record Commercial 2026-05-25
ArtsyPetz CrewAI Stack: Langfuse LLM Observability Open Registration, Multi-Service Stack Exposed
A multi-service AI stack at 147.182.219.125 exposes Langfuse 3.88.1 LLM observability with open self-registration. ClickHouse 25.7.1.3997, GlitchTip, and MinIO run on the same host with auth enforced. A CrewAI social content generation service is present on ports 8001 and 9002. The operator is an indie developer running ArtsyPetz (pet portrait e-commerce) alongside a social media growth tool in development.
- Engagement record Commercial 2026-05-25
Assistent Tècnic Intel·ligent (ATI) — Vite Dev Server in Production, 211-Tenant Platform
A Catalan multi-tenant AI customer support platform runs a Vite development server in production on one of three Hetzner nodes, exposing full TypeScript source code. All three nodes share unauthenticated LangGraph agent endpoints and Qdrant databases holding 121 customer conversations and 377 tenant knowledge-base documents.
- Engagement record Commercial 2026-05-25
Collector Scraper API — AI-Powered PII Extraction Service, Unauthenticated
Two Scaleway nodes in Paris run an unauthenticated API built to extract emails, phone numbers, and coordinates from business directory listings. No authentication on the extraction endpoint.
- Engagement record Commercial 2026-05-25
CrewAI SOP RAG Agent: Multi-Agent Standard Operating Procedure System Open Without Authentication
A multi-agent CrewAI system on Azure exposes its full API without authentication. All nine endpoints are open. POST /upload allows unauthenticated file ingestion into the SOP database. POST /query runs the full agent pipeline against stored documents. The agent roster and workflow configuration are enumerable without credentials.
- Engagement record Commercial 2026-05-25
Demant Semantic Kernel Agent Platform: Five Production Agents Open Without Authentication
A Microsoft Semantic Kernel agent hosting platform at 172.205.127.109 exposes five production agents without authentication. Agent names, system prompts, and plugin bindings name Demant, a Danish hearing technology company. POST /agents/execute runs any agent against the knowledge base without credentials. POST /agents/create and DELETE /agents/{id} are open.
- Engagement record Commercial 2026-05-25
Docu Companion / ATI — Vite Dev Server and 211 Tenant Knowledge Bases Open on a Three-Node Hetzner Cluster
A Catalan-language multi-tenant AI customer support platform runs a Vite development server in production on one node, exposing full TypeScript source. All three Hetzner nodes share an unauthenticated Qdrant stack holding 211 tenant knowledge bases, 377 business documents, and 121 user conversations. Agent invocation endpoints are fully open.
- Engagement record Commercial 2026-05-25
Assistent Tècnic Intel·ligent — Vite Dev Server in Production Exposes Source Code Across a 211-Tenant Platform
A Catalan AI document platform running across three Hetzner nodes exposes its full TypeScript source code via a Vite development server left running in production. All agent endpoints, 121 user conversations, and 211 tenant knowledge bases are accessible without authentication.
- Engagement record Commercial 2026-05-25
CloudCentric / BizCentric — ERPNext/Frappe Multi-Tenant Redis Cache: LDAP Settings Keys Exposed, 27 Tenants
CloudCentric runs a shared Redis Stack instance at 212.47.228.104 (Scaleway, Paris) as the document cache for a multi-tenant ERPNext/Frappe deployment. No authentication. DBSIZE 2,716. Two LDAP Settings document cache keys are present with TTL -1 (persistent). The LDAP Settings doctype in Frappe stores the bind DN, bind password, and LDAP server URL. Key names are readable without auth. Values were not read per restraint ethic. 27 tenant subdomains identified from Redis job queue keys.
- Engagement record Commercial 2026-05-25
FAIS MCP Server: Dual-Node Workflow Tool API Open Without Authentication
Two identical FAIS MCP Server instances on Azure Pune expose their full tool API without authentication. Three workflow tools are open on both nodes: GetAllWorkflows, GetWorkflowConfiguration, and GetWorkflowLogsByTransaction. Any caller can enumerate organizations, retrieve workflow configurations, and query execution logs by workflow and transaction ID.
- Engagement record Commercial 2026-05-25
Chinese Financial LangGraph Agent — Credit Reports, Loans, and an Open Session Store
A Chinese financial services multi-agent system on LangGraph runs credit report and loan extraction workflows in development mode with no authentication. The agent session store is accessible via Redis Commander on port 8081.
- Engagement record Commercial 2026-05-25
MikroWizard — Unauthenticated Redis Session Store, 2,940 Active MikroTik Router Management Sessions
MikroWizard router management platform at 88.99.102.30 (Hetzner Frankfurt) runs Redis 7.4.7 on port 6379 with no authentication. DBSIZE: 2,940 keys, all named mikrowizard::UUID. Session TTL: 29 days. Any actor with network access can read all active session identifiers directly from the data layer. The application layer at port 80 serves the MikroWizard Angular UI.
- Engagement record Commercial 2026-05-25
n8n 1.120.0: Legacy REST API Open, Production Billing Backup Workflow Exposed
n8n 1.120.0 on port 5678 at 38.102.86.8 exposes its legacy /rest/ API without authentication. A single active production workflow — billing-backup-to-s3 — is enumerable, including node type and tags. The newer /api/v1/ path enforces auth; the /rest/ path does not.
- Engagement record Commercial 2026-05-25
NextHello CrewAI CRM: 59-Endpoint Operational API Open Without Authentication, Live API Keys
A CrewAI-based WhatsApp CRM platform at 132.145.158.151 exposes 59 endpoints without authentication. All operational POST endpoints accept requests without credentials. People Data Labs, HeyGen, and ElevenLabs API keys are live. A WhatsApp bridge with persisted session credentials is disconnected; reconnect enables message delivery to any phone number. The admin data layer is gated.
- Engagement record Commercial 2026-05-25
SerGoGram Flowise + Weaviate: IT Credentials from German Blood Donation Organization in Open Vector Store
A Flowise instance at 37.60.255.27 exposes an unauthenticated Weaviate vector store containing internal IT documentation from a German blood donation organization. The corpus includes plaintext server credentials, internal IP addresses, server names, BitLocker PINs, and blood donation operational data. A second tenant's customer support documents occupy the same instance.
- Engagement record Commercial 2026-05-25
Simón Movilidad / Finanzauto — Full Picture: Traccar 6.12.2, 28,323 Open GPS Records, CAS Default Config
Simón Movilidad runs Traccar 6.12.2 (GPS fleet tracking) with Redis Stack as the live device state store. The Redis instance at qa.simonmovilidad.com is open without auth: 28,323 GPS device records, keyed by IMEI, each containing plate, name, phone, email. Tenant: Finanzauto S.A. BIC (Colombian vehicle financing). Finanzauto's admision subdomain runs Apereo CAS SSO with the default-config HTML comment in production.
- Engagement record Commercial 2026-05-25
Stock.ai (EMOR AI) — Partial-Auth Failure, Open Vector Store, and Third-Party Research Leak
An Indian fintech startup's LangGraph stock analysis app authenticates the list layer but leaves individual resource endpoints wide open. 62 proprietary Arihant Capital analyst reports are accessible without auth through a co-deployed Weaviate instance.
- Engagement record Commercial 2026-05-25
Stock.ai (EMOR AI) — Partial-Auth Failure, Open Weaviate, and 62 Proprietary Analyst Reports
EMOR AI's unreleased Stock.ai product exposes a Weaviate vector database, individual API resource endpoints, and 62+ proprietary Arihant Capital equity analyst reports. The developer implemented JWT and Google OAuth but left individual resource endpoints unprotected. A reused HR/resume Azure OpenAI subscription confirms operator identity.
- Engagement record Commercial 2026-05-25
Stock.ai — Partial-Auth Failure Exposes 62 Arihant Capital Reports and User Data
An Indian fintech startup's stock research assistant exposes 62 proprietary Arihant Capital analyst reports and user conversation history. The developer built JWT authentication and left the individual resource endpoints unprotected.
- Engagement record Commercial 2026-05-25
Vantage Coach — Healthcare CRM Agent With Voice Endpoints, No Auth
A pharmaceutical sales rep AI assistant runs LangGraph on two DigitalOcean nodes with no authentication. The agent has declared access to a healthcare client database. Voice endpoints accept unauthenticated audio and return agent-processed responses. Client records including doctor names, specializations, visit history, and treatment discussion notes are accessible to any caller with a valid organization ID.
- Engagement record Commercial 2026-05-25
Vantage Coach — Pharmaceutical CRM with Healthcare Client Records and Voice Endpoints Open
A pharmaceutical sales representative AI tool on two DigitalOcean nodes exposes a healthcare client database, conversation history, and voice endpoints without authentication. The OpenAPI spec explicitly describes access to doctor names, hospitals, visit dates, and medication discussion records.
- Engagement record Commercial 2026-05-25
Vantage Coach — Pharma CRM Agent, Open Voice Endpoints, Healthcare Client Records
A Spanish-language pharmaceutical CRM AI agent runs on two DigitalOcean nodes with no authentication. The agent has tool access to a healthcare client database. Voice endpoints accept audio queries against that database without credentials.
- Engagement record Commercial 2026-05-25
wuji Sleep Doctor — WeChat Health Data and 9,244 Request Logs Exposed on Tencent Cloud
A Chinese sleep health application on Tencent Cloud exposes per-user sleep sensor data by WeChat openid and serves 9,244 logged API requests without authentication. The service runs as root with log file paths disclosed.
- Engagement record Commercial 2026-05-25
Chinese Sleep Doctor App — WeChat Health Data Open by Design, 9,244 Request Logs Exposed
A Chinese WeChat Mini Program backend for sleep health diagnostics runs on TencentCloud Beijing with no authentication. Sleep sensor data is accessible by WeChat openid. 9,244 request logs containing user identifiers, health responses, and client IPs are readable without credentials.
- Engagement record Commercial 2026-05-25
wuji Sleep Doctor — Chinese Health Data by WeChat OpenID, 9,244 Request Logs Open
A Chinese sleep health WeChat Mini Program backend runs a LangGraph Sleep Doctor service with no authentication on any endpoint. Sleep sensor data (AHI, heart rate, HRV, sleep stages) is accessible by WeChat openid alone. A 36.9MB request log containing 9,244 entries — including user identifiers, request bodies, response bodies, and client IPs — is served at /api/monitor/logs without auth. The service runs as root.
- Disclosure MEDIUM pending 2026-05-25
Artsypetz Langfuse Open Signup 2026 05 25
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL pending 2026-05-25
Blutspende Sergogram Flowise Weaviate Credentials Exposed 2026 05 25
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH pending 2026-05-25
Nexthello Crewai Whatsapp Unauth 2026 05 25
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL pending 2026-05-25
Sergogram Flowise Weaviate Operator 2026 05 25
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Insight 2026-05-25
Insight #56: LangGraph self-identifying JSON root as primary fingerprint
Every LangGraph Server deployment returns a custom JSON object at the root path (GET /). The message field always contains the string "LangGraph" (case-insensitive, in the message, servicetype, engine, or service key). T…
- Insight 2026-05-25
Insight #57: Partial-auth failure: auth on collection endpoints, none on individual resource endpoints
A developer implements authentication on collection/list endpoints and leaves individual resource endpoints open. The Swagger UI shows padlock icons on list endpoints. The individual resource endpoints carry no security…
- Insight 2026-05-25
Insight #58: Vite dev server left running in production exposes full TypeScript source
A Vite development server left running alongside a production API exposes every TypeScript source file on request. Vite's dev server does not build or bundle — it serves raw source modules directly from disk. Any file un…
- Insight 2026-05-25
Insight #59 — n8n Ungated Legacy REST Surface
n8n exposes two API surfaces on port 5678:
- Insight 2026-05-25
Redis Stack FT._LIST as Vector-Tier Enumeration Primitive
Redis Stack does not change the auth posture of Redis. Auth-on-default is off for Redis Stack exactly as it is for plain Redis. "Redis Stack" in the Shodan banner is not evidence that authentication is configured.
- Survey 2026-05-22
Agenta LLMOps — Population Survey
- Engagement record Commercial 2026-05-22
ClimateGPT Stack — Unauth vLLM + Opik + Streamlit
Surfaced during Session 30 Agenta survey (S30). The /opik/api/v1/projects endpoint returned HTTP 200 unauthenticated — a candidate, per Insight #16. The candidate was passed to this assessment for data-layer verification…
- Engagement record Commercial 2026-05-22
Langfuse Postgres Cert Pivot — Data Tier Survey + CygnusAlpha Production Finding
The survey started as an Insight #20 exercise: data-tier ports adjacent to confirmed AI services are an independent exposure class. The dork ssl.cert.subject.cn:langfuse port:5432 was surfaced during the Agenta survey (S…
- Engagement record Commercial 2026-05-22
116.202.28.181 — Pantaflow Live Transcription Server
- Engagement record Commercial 2026-05-22
PromptLayer — Marker-Build Assessment
PromptLayer was queued for its first population survey: http.title:"PromptLayer" (6 hits) and ssl.cert.subject.cn:promptlayer (10 hits). The discovery stage could not run — both Shodan API keys on rooster return 401 Unau…
- Engagement record K-12 2026-05-22
117.50.80.181 — TCI Kindergarten ASR / Speech-Assessment Platform
117.50.80.181:8001 runs the "TCI ASR Service" v3.0.0, a Chinese kindergarten classroom speech-assessment platform. The processing tier has no authentication. An unauthenticated internet caller can submit audio to the pla…
- Insight 2026-05-22
Insight #55: Auth-gated API + Open Signup = Uncontrolled Account Creation
A platform can enforce authentication on every API endpoint and still be open to anyone. These two conditions coexist when:
- Engagement record Commercial 2026-05-21
Embedding Services Survey — Tier-2 Cloud (2026-05-21)
- Engagement record Universities 2026-05-21
NIS/YP Internet Exposure — hpc.psy.ntu.edu.tw
NTU's Psychology HPC node ran NIS (YP) — a 1980s LAN credential distribution protocol — fully exposed to the internet at time of observation. yppasswdd, ypserv, and fypxfrd were all registered in the portmapper table and…
- Engagement record Universities 2026-05-21
sakura.mit.edu — MIT Research Compute Node
34 exposed ports. Services running concurrently on this single host:
- Insight 2026-05-21
OVMS Backend Co-location: FastAPI Wrapper + OpenVINO Model Server Both Exposed
Custom FastAPI embedding services often sit in front of an Intel OpenVINO Model Server (OVMS) backend on a co-located port. When the FastAPI wrapper is exposed without auth, the OVMS backend is also exposed without auth…
- Insight 2026-05-21
Insight #51: A port number names a candidate, not a finding
A perimeter scanner that derives finding severity from a port number produces confident, reproducible, wrong CRITICALs. The port number names a candidate ("something here might be Redis"). It is not a finding. Severity i…
- Insight 2026-05-21
Insight #52: An HTTP 200 at an API path is not that API
A scanner that confirms an API by requesting its path and accepting the HTTP 200 produces confident, reproducible, wrong CRITICALs. A web server answers 200 for paths it does not implement. The 200 proves the request was…
- Insight 2026-05-21
Insight #53: A hostname label is not a cloud project identifier
A scanner that derives a cloud resource name from a target's hostname label, probes that name in a global namespace, and reports the hit as the target's exposure produces confident, reproducible, misattributed findings.…
- Insight 2026-05-21
Insight #54: Metabase setup-token: a self-authorizing credential class
Six Metabase instances on OVH/Scaleway with live setup tokens. The token is exposed at unauthenticated GET /api/session/properties as the setup-token field. With that token, POST to /api/setup registers the caller as the…
- Overview 2026-05-20
University AI Infrastructure Exposure: Global Overview
Full sweep of all 10,224 recognized universities worldwide (Hipo dataset, 202 countries). Two lanes ran:
- Engagement record Other 2026-05-20
University AI Infrastructure Exposures
Unauthenticated Ollama, Open WebUI, JupyterHub, and LiteLLM instances discovered on university networks worldwide. Organized by country / state.
- Engagement record Universities 2026-05-20
University AI Infrastructure Exposure: Global Overview
Full sweep of all 10,224 recognized universities worldwide (Hipo dataset, 202 countries). Two lanes ran:
- Survey 2026-05-19
AI Cost / Billing / Usage Analytics population survey: Langfuse secret-key exposures + Dokploy frontend-secret leak class
The AI cost / billing / usage analytics tier sits at the intersection of LLM operations and finance: it tracks per-tenant token usage, attaches dollar amounts to model calls, and surfaces usage to operators and customers…
- Survey 2026-05-19
Service mesh + workflow-orchestration population surveys: Envoy admin config-dump + Prefect admin/settings + ML pipeline-engine exposures
Two surveys ran in parallel against unsurveyed FUTURE-SURVEYS roadmap categories:
- Survey 2026-05-19
LLM Safety / Guardrail / Policy Engine population survey
The auth-on-default thesis predicts that products which ship without authentication will appear at population scale with the unauth posture intact. The LLM safety / guardrail / policy layer is the inversion test: does th…
- Engagement record Commercial 2026-05-19
Chinese commercial Claude-reseller ecosystem: 32 pooled Anthropic accounts across six relays, ~13.92B tokens served via claude-relay-service OSS
A pivot off the LiteLLM UNAUTHFUNCTIONAL cohort from the same-day safety/guardrail survey surfaced an upstream apibase at 43.167.216.195:38762 (Tencent Cloud Singapore / Aceville Pte Ltd). That upstream returned a JSON s…
- Engagement record Commercial 2026-05-19
LLM Orchestration Re-Run — 2026-05-19
Per the standing methodology — the manual → productize → re-run loop. The first run was 2026-05-15. Since then:
- Engagement record Commercial 2026-05-19
sub2api — Population survey: 7,720 indexed hosts, auth-on-default at scale, zero pool-leak
- Engagement record Universities 2026-05-19
.edu LLM infrastructure dork-map — 1,584 verified-dork × hostname:.edu sweep (2026-05-19)
The repo's 1,629-dork verified Shodan catalog (29 categories, hand-curated and FP-tested across 50+ prior commercial surveys) was scoped to hostname:.edu and run through shodan count (free per query, no scan credit). Aft…
- Engagement record Universities 2026-05-19
University of Arizona: Branded "U of A GenAI" — Open WebUI v0.7.2 with University-OIDC + Auth-On
The University of Arizona operates a branded institutional Open WebUI service at genai.arizona.edu (128.196.254.101). The deployment is reachable on port 80 (reverse-proxied; Open WebUI's typical :3000 not directly expos…
- Engagement record Universities 2026-05-19
San Diego Supercomputer Center: Public Ollama on `compute.cloud.sdsc.edu` — 53-Model Inventory + `:cloud`-suffix Cloud-Proxy Class
The San Diego Supercomputer Center (SDSC) operates a publicly-reachable Ollama 0.20.4 instance at 132-249-238-182.compute.cloud.sdsc.edu (132.249.238.182). /api/tags returns 53 models. The first entry in the model list i…
- Engagement record Universities 2026-05-19
Stanford University: Streamlit app on `sr24-0915fd81a9.stanford.edu:8501` (DHCP / dynamic host; framework confirmed)
Stanford University surfaces a Streamlit application at sr24-0915fd81a9.stanford.edu (128.12.168.8:8501). Hostname pattern (sr24-{hex-id}.stanford.edu) suggests a dynamically-assigned campus subnet host — likely a person…
- Engagement record Universities 2026-05-19
UCLA: Multi-Service AI Stack on `ai.idre.ucla.edu` — Open WebUI Signup-Open + LDAP + LiteLLM Dual-Exposed
UCLA's Institute for Digital Research and Education (IDRE) runs a multi-service LLM stack at ai.idre.ucla.edu (128.97.60.220, Los Angeles). Three distinct services on three ports: Open WebUI v0.9.1 on :3000 with enablesi…
- Engagement record Universities 2026-05-19
Red Rocks Community College: Open WebUI v0.9.2 on `datalab02.rrcc.edu` — Auth-On + LDAP (First Community College in Survey)
Red Rocks Community College runs an Open WebUI instance at datalab02.rrcc.edu (164.47.99.16:8080). /api/config returned Open WebUI v0.9.2 with enable_signup: false (auth-on; no signup-open class) and enable_ldap: true (LDA…
- Engagement record Universities 2026-05-19
University of South Florida: Marine Lab JupyterHubs (auth-enforced) + Adjacent Prometheus `/metrics` Public
USF College of Marine Science operates two JupyterHub instances on the marine.usf.edu subdomain: ocgmod1.marine.usf.edu (131.247.139.171:8000) and manglillo.marine.usf.edu (131.247.136.183:8000). Both correctly enforce a…
- Engagement record Universities 2026-05-19
Georgia State University: Streamlit app on `gluon.gsu.edu:8501` (framework confirmed; app content WebSocket-only)
Georgia State University runs a Streamlit application at gluon.gsu.edu (131.96.55.92:8501). The Streamlit framework is confirmed via /stcore/health returning ok. The application title is the Streamlit default (<title>Str…
- Engagement record Universities 2026-05-19
DePaul University: Campus-Wide Port-3000 Population — Live Open WebUI Auth-On, DHCP-Rotated Hosts, Mixed Student Dev Work
DePaul's institutional network surfaces 20+ hosts with port 3000 open when scoped via Shodan org:"DePaul University". Only 4 of these have HTTP title "Open WebUI"; the rest are student dev servers (React apps, project po…
- Engagement record Universities 2026-05-19
University of Chicago: Two-Host Observation — Streamlit on `helabserver0` (auth-on framework) + JupyterHub on `jupyterhub-dev.grid` (502 Bad Gateway / degraded)
The University of Chicago surfaces two distinct hosts in this survey: helabserver0.uchicago.edu running a Streamlit application on port 8501, and jupyterhub-dev.grid.uchicago.edu running JupyterHub on port 8000. The Stre…
- Engagement record Universities 2026-05-19
University of Maryland College Park: Open WebUI v0.3.32 on `amorgos.umd.edu` — `enable_signup:true` OBSERVED on Very-Old Version
University of Maryland College Park runs an Open WebUI instance at amorgos.umd.edu (128.8.235.4, Brookeville MD). /api/config returned enable_signup: true on Open WebUI v0.3.32 — class membership for signup-open OBSERVED.…
- Engagement record Universities 2026-05-19
University of Southern Maine: 8-Host JupyterHub Fleet on `cs.usm.maine.edu` — Entomology-Themed Research Cluster, All Auth-Enforced
University of Southern Maine's CS department runs an 8-host JupyterHub fleet on the cs.usm.maine.edu subdomain, with hostnames following an entomology theme (wasp, earwig, locust, mosquito, ant, beetle) plus two computin…
- Engagement record Universities 2026-05-19
Cooper Union for the Advancement of Science and Art: Open WebUI v0.9.2 on `kahan.ee.cooper.edu` — Auth-On + LDAP
Cooper Union runs an Open WebUI instance at kahan.ee.cooper.edu (199.98.27.237). /api/config returned Open WebUI v0.9.2 with enable_signup: false (auth-on; no signup-open class) and enable_ldap: true (LDAP federation backe…
- Engagement record Universities 2026-05-19
Cornell University: Open WebUI v0.6.14 on `onepl.aap.cornell.edu` — Auth-On + API Keys Enabled
Cornell University runs an Open WebUI instance at onepl.aap.cornell.edu (128.253.41.30:3000). /api/config returned Open WebUI v0.6.14 with enable_signup: false (auth-on; no signup-open class) and enable_api_key: true (post-…
- Engagement record Universities 2026-05-19
University of Washington: Streamlit app on `D4-084.ce.washington.edu:8501` (Civil Engineering dept; framework confirmed)
University of Washington's Civil Engineering department surfaces a Streamlit application at D4-084.ce.washington.edu (128.95.204.84:8501). Streamlit framework confirmed via /stcore/health returning ok. Hostname pattern (…
- Insight 2026-05-19
Insight #35: Side-channel attribution has high precision and low recall; it is for targeted investigation, not population discovery
Insight #33 establishes that operator-class attribution via adjacent-service content (Docker Registry /v2/catalog) works when the operator's content carries class signals. The yield is high when the population is already…
- Insight 2026-05-19
Insight #36: PaaS deployment automation bakes build-time env-vars into client JS bundles; secrets prefixed with NEXT_PUBLIC_ / VITE_ leak to every visitor
When an operator deploys a Next.js or Vite app via a self-hosted PaaS (Dokploy, Coolify, Caprover, Easypanel) and declares a secret like LANGFUSE_SECRET_KEY with one of:
- Insight 2026-05-19
Insight #37: Asymmetric auth gating, dashboard requires login but the API does not; observability platforms accept unauthenticated trace ingestion even when the UI is locked
Many AI observability + telemetry platforms ship with two distinct authentication surfaces on the same port:
- Insight 2026-05-19
Insight #38: Hard-proof verification chain for exfiltrated-credential class findings; six steps from HTML-exposed key to verified operator data
A finding involving a credential exposed in public HTML cannot be tiered without traversing the six-step verification chain. Each step verifies a discrete claim. Tier promotion happens at each step; the finding's final t…
- Insight 2026-05-19
Insight #39: Pooled-account upstream proxy as attribution-laundering layer; one paid API account fans out to N unauthorized end-customers through a middle-tier relay
A subset of LLM-resale fraud operations route through a three-tier architecture that flattens attribution from the upstream vendor's perspective:
- Insight 2026-05-19
Insight #40: Auth-on-default thesis shifts rightward in successor OSS generations
When a security disclosure is made against an OSS LLM-infrastructure project, the next-generation release (successor project by the same author or fork) hardens the specific surface that drove the disclosure. The auth-on…
- Insight 2026-05-19
Insight #41: Admin-endpoint field-name enumeration is the Stage-2-deep verify primitive; secret-class field names at documented paths are the finding, no value read required
For admin-style endpoints that return a long structured JSON dump (Envoy /config_dump, Spring Actuator /env and /configprops, Kong admin /config, Consul /v1/agent/self, Vault /sys/config/state/sanitized, Traefik /api/rawd…
- Insight 2026-05-19
Insight #42: LLM gateway model-name mismatch: proxies advertise premium model IDs while serving different backends. /v1/model/info is the authoritative discriminator; the motive (convenience alias vs fraud) requires per-host verification.
LLM gateway proxies (LiteLLM, Portkey, custom wrappers) expose two distinct surfaces that often disagree:
- Insight 2026-05-19
Insight #43: VisorSD multi-ASN grouped-OR query construction returns zero even when Shodan direct returns hundreds; the bug is in VisorSD's query templating, not Shodan's index.
VisorSD's multi-ASN grouped-OR query construction can silently return zero where Shodan direct queries return hundreds. A zero-result VisorSD run against a known-populated ASN is a tooling failure signal, not a populatio…
- Insight 2026-05-19
Insight #44: Parallel aimap passes cannibalize each other's throughput via client-side socket pool contention; default to sequential or staged execution with the largest corpus running alone first.
Running multiple aimap processes in parallel against large corpora degrades total throughput by roughly 3× compared to sequential execution, and can cause complete hangs (zero output after 36+ minutes). The bottleneck is…
- Insight 2026-05-19
Insight #45: Niche Shodan dork yield follows a stable class hierarchy: Server-header > frontend-bundle-ID body > route-slug body. Route-slug dorks fail because Shodan crawls root HTML, not JS bundle source.
Shodan dork yield for AI/LLM infrastructure follows a stable three-tier class hierarchy:
- Insight 2026-05-19
Insight #46: TLS certificate subject CN is a precise operator-attribution surface; operators who embed platform brand names in cert CN are doing intentional TLS termination, making cert-CN dorks stable against CDN proxying and more precise than HTML body matching.
An operator who names a TLS certificate after the AI platform they're running (openai.mycompany.com, litellm-prod, ollama-inference) has:
- Insight 2026-05-19
Insight #47: TLS cert subject CN is an operator-attribution surface, NOT a platform-confirmation or auth-state surface. CN-identified operators are the intentionally-configured class; they are inversely correlated with auth-off-default posture.
An operator who names a TLS cert after their platform has, by definition, done MORE than just run a default binary. They have:
- Insight 2026-05-19
Insight #49: Ollama-Cloud-signin × public-exposure = LLMjacking surface; the operator's Ollama Cloud subscription quota is billable by any public caller
An Ollama instance meeting BOTH of these conditions exposes the signed-in operator's Ollama Cloud subscription quota to public invocation:
- Survey 2026-05-18
Code assistants — category 09 population follow-up survey 2026-05-18
This is the second pass on the AI code-assistant tier. The first pass on 2026-05-14 ran the full chain on 233 hosts and found 54 unauth across 8 platforms. Four days later we re-harvested and ran the chain again. Late in…
- Survey 2026-05-18
Jetson, TensorRT, and edge-AI: a population survey of NVR and inference exposure
The survey scoped as "Jetson / TensorRT edge" found that the dominant exposed population on the public internet is not the Jetson hardware itself. It is the edge-AI applications that ship with Jetson and run on similar h…
- Engagement record Commercial 2026-05-18
Tegrity / McGraw-Hill Campus Self-Registration — ASP.NET YSOD + Service Outage
selfreg.tegrity.com, the production self-registration service for McGraw-Hill Campus, is failing at AppDomain initialization. The AWS SDK for .NET's credential provider chain exhausts because the host has no IAM credenti…
- Insight 2026-05-18
Insight #31: App-builder tools brand the OUTPUT, not the AGENT — anchor on agent API contract
For AI app-builder tools (bolt.diy, Dyad, gpt-engineer, Vercel v0, Lovable, and similar "build me an app" agents), the brand string appears in the HTML of the apps they generate, not in the agent's own UI. Shodan dorks t…
- Insight 2026-05-18
Insight #32: Multi-service deception fleets emulate target-specific services for Shodan scanners; filter on body markers, not title
For every Shodan title-anchored dork in our methodology, assume a multi-service deception fleet is mixed into the result set. The fleet operators emulate target-specific services at Shodan crawl time by rotating titles p…
- Insight 2026-05-18
Insight #33: Side-channel attribution via Docker registry catalog content when direct fingerprinting fails
When the direct fingerprint for a target class (Shodan dork on title, body, port, banner) returns mostly false positives at population scale, look for an adjacent service the operator runs whose content reveals what the…
- Insight 2026-05-18
Insight #34: Persistence without pressure — operator-unauth populations don't self-remediate
For unauthenticated AI/ML services in low-attacker-pressure ecosystems (no extortion campaign, no published disclosure pipeline targeting the platform class), operator persistence over a 4-day window runs 83% — operators…
- Survey 2026-05-17
22 unauthenticated AI-stack Elasticsearch operators (2026-05-17)
The morning's mapping probe surfaced 22 Elasticsearch hosts with dense_vector or knn_vector fields. Those are unambiguous AI / RAG workloads. We ran cert-pivot, Shodan, and aimap-profile on each one.
- Survey 2026-05-17
AI agent framework population survey, 2026-05-17
We surveyed the public-facing agent-framework population: AutoGen Studio, CrewAI, LangGraph Studio, Langflow, AgentOps. The corpus harvested from Shodan dorks totaled 351 unique IPs. After running aimap with existing fin…
- Survey 2026-05-17
Cross-stack 24-hour follow-up on Elasticsearch and ClickHouse (2026-05-17)
Yesterday's surveys produced raw counts of 5,037 unauthenticated Elasticsearch hosts and 1,832 unauthenticated ClickHouse hosts. The verification ran through bespoke Python scripts. This survey ships aimap v1.9.8 (enumEl…
- Survey 2026-05-17
LLM gateway / proxy population survey, 2026-05-17
We surveyed the public-facing LLM gateway / API-proxy population: LiteLLM, Helicone, Portkey, OneAPI, NewAPI, OpenRouter self-host. An LLM gateway sits between an application and one or more upstream LLM providers. It bro…
- Survey 2026-05-17
MCP server population survey, 2026-05-17
We surveyed the public Model Context Protocol (MCP) server population. MCP is Anthropic's wire format for letting LLMs call into external tools, prompts, and resources. It has become the standard control plane for agenti…
- Survey 2026-05-17
Meow / Indexrm Elasticsearch extortion. Three actors. (2026-05-17)
We sampled 150 of the 3,604 fully-wiped Elasticsearch hosts from this morning's re-probe. We read the readme index on each one. Three different actors are running the campaign in parallel.
- Survey 2026-05-17
Meow / Indexrm campaign: per-actor census across 4,776 ES hosts
We re-ran the full 4,776-host Elasticsearch population through aimap v1.9.10. The new release reads one document from the attacker-planted marker index and parses it for actor identifiers. The morning's 150-host probe fo…
- Survey 2026-05-17
Training observability survey, 2026-05-17
We surveyed self-hosted training-observability platforms: Weights & Biases (self-hosted), ClearML, Aim, Ray Dashboard, MLflow. The aim was to map the population of public-facing experiment trackers and characterize the a…
- Survey 2026-05-17
Vector database population survey, 2026-05-17
We surveyed the public vector-database population: Qdrant, Weaviate, Milvus, ChromaDB. Vector DBs hold the embeddings for an operator's RAG pipeline. Every document, customer transcript, support ticket, legal record, or…
- Engagement record Commercial 2026-05-17
Adya AI: WandB workspace exfil via unauth FastAPI proxy (vanijmcp.adya.ai)
vanijmcp.adya.ai (20.198.18.237) is an Adya AI infrastructure host on Microsoft Azure India. It exposes seven services on different ports. The headline finding is on port 5005: a custom FastAPI service named "WandB Servi…
- Disclosure 2026-05-17
Aussie Clearml Signup Open 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Aws Clearml Signup Open Batch 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Azure Clearml Signup Open 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Cn Gaohe Itgaohe 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Cn Gxota Guangxi Travel Dev 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Cn Hooper Erp 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Cn Timedb 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Cn Torchv Mengjia Zlmediakit 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Cn Woyaodiancan Restaurant Ai 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Cn Xiaoice Demo Virtualhuman 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
De Aitalkx Dms Rag 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
De Travelm Articles 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Eg Equant Tech Waffarha Lms 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Es Frojasg1 Dev Haystack 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Gcp Clearml Signup Open Batch 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Hetzner Clearml Signup Open 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
In Adya Ai Vanijmcp Wandb Proxy 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
It Isideweb Deskpro 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL drafted 2026-05-17
Np Mohp Hmis Ocl 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Ovh Clearml Signup Open 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Pti Clearml Signup Open 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Ru Westcall Aicloud Backend 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Sa Tahakum Llm 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Scaleway Clearml Signup Open 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-17
Teithe Clearml Signup Open 2026 05 17
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Insight 2026-05-17
Insight #28: A population state is not a daily rate (RETRACTED)
The first version of this insight claimed 71.6% of the 5,037-host population was wiped by an automated extortion campaign in a 24-hour window. That framing is wrong as a 24-hour event rate. The corrected numbers come fro…
- Insight 2026-05-17
Insight #29: Snapshot vs delta
A single observation of a population says one thing. Two observations say another. When a campaign has been running long enough to saturate the population, the snapshot reports history. Only the delta reports today.
- Insight 2026-05-17
Insight #30: Multi-port identical responses identify honeypot fleets
A real service occupies one port. A honeypot fleet that ships the same canned response on every port it has open is identifiable by that uniformity alone, with no need to decode any specific protocol.
- Survey 2026-05-16
Agent-Framework Stragglers Population Survey (2026-05-16)
Population survey of the agent-framework stragglers: platforms that emerged in 2024-2025 alongside the AutoGen / Open WebUI / Flowise generation. Closes the gap left by the AutoGen Studio survey (2026-05-14), which only c…
- Survey 2026-05-16
Agent-Memory Population Survey: Falsification-Confirmation Result (2026-05-16)
Population-scale survey of agent-memory backends, the platform class that stores LLM conversation history, user profiles, and per-session context. A null-result-as-finding survey in the METHODOLOGY sense: the agent-memor…
- Survey 2026-05-16
Argo CD Population Survey (2026-05-16)
Population-scale survey of Argo CD, the Kubernetes continuous-deployment pipeline. Argo CD operators configure git-source repositories, deploy targets (k8s clusters), and credentials; the platform watches git and reconci…
- Survey 2026-05-16
ClickHouse Population Survey (2026-05-16)
Largest single-platform population survey of the day. ClickHouse is the OLAP database that powers most modern observability stacks (SigNoz, Plausible, PostHog, Helicone, Phoenix-on-OTLP). Wherever an AI/LLM service emits…
- Survey 2026-05-16
Consul (HashiCorp) Population Survey (2026-05-16)
Population-scale survey of HashiCorp Consul deployments: service registry + KV store + service-mesh control plane. Consul's default ACL policy is allow, so out-of-the-box deployments expose the agent, catalog, and KV sta…
- Survey 2026-05-16
Data-Labeling Population Survey (2026-05-16)
Survey of the data-labeling platform population, the systems that store training-data annotation tasks, often containing PII or sensitive labels. Smaller surface than other categories surveyed today; the mixed result is…
- Survey 2026-05-16
Elasticsearch AI-Stack Population Survey (2026-05-16)
Population survey of Elasticsearch clusters with focus on AI-stack adjacency: RAG vector stores, langchain/llama-index indices, embedding caches, prompt history. Elasticsearch has been a major exposure surface for 8 year…
- Survey 2026-05-16
Experiment-Tracking Population Survey (2026-05-16)
Closes the experiment-tracking half of category 04 (the compute-orchestration half was surveyed 2026-05-06 with Spark / Airflow / Ray). MLflow was surveyed earlier in the series (Insight #18 buckets-locked finding). This…
- Survey 2026-05-16
GPU-Compute Population Survey (2026-05-16)
Survey of the GPU-compute orchestration tier: Run:ai (Nvidia's enterprise GPU scheduler), DCGM-exporter (Prometheus exporter for NVIDIA GPU metrics), NVIDIA Bright Cluster Manager, Slurm REST API. Smaller surface than im…
- Survey 2026-05-16
Image-Generation Population Survey (2026-05-16)
First population-scale survey of the image-generation modality: ComfyUI, AUTOMATIC1111 / SD WebUI, InvokeAI, Fooocus, SwarmUI, SD.Next, Forge. The category had no aimap fingerprints prior to this survey; the manual→produ…
- Survey 2026-05-16
ROS Robotics Population Survey (2026-05-16)
Population survey of ROS (Robot Operating System) deployments, the canonical robotics middleware stack. ROS master :11311 speaks XMLRPC, rosbridge :9090 speaks WebSocket+HTTP. Both leak topic/node names when reachable un…
- Survey 2026-05-16
Vector-DB Stragglers Population Survey (2026-05-16)
Closes the four platform-class stragglers left after the 2026-05 Qdrant / ChromaDB / Milvus / Weaviate sweep: Apache Solr, Meilisearch, Typesense, Vespa, plus pgvector body-marker recheck. Each candidate corpus was harve…
- Engagement record Commercial 2026-05-16
Hospital's AI chatbot exposes 270,000+ patient records
A multi-tenant Chinese hospital AI assistant is running on a single Chinese-cloud-hosted IP with every layer of its AI stack reachable from the public internet without authentication. The chatbot's RAG (retrieval-augment…
- Disclosure CRITICAL drafted 2026-05-16
Solr 7.6.0 unauth fleet: Aggregate cloud-provider disclosure
Apache Solr 7.6.0 cluster on your platform. 516 hosts vulnerable to unauthenticated remote code execution (CVE-2019-17558 / CVE-2019-0193 / CVE-2019-12409)
- Disclosure CRITICAL drafted 2026-05-16
UCloud Shanghai (106.75.127.240): CRITICAL clinical-data AI stack fully exposed
URGENT: Multi-tenant hospital AI assistant platform on 106.75.127.240 has all data exposed unauthenticated (CRITICAL)
- Insight 2026-05-16
Insight #25: Tier-C platforms produce ~0% unauth at population scale
The auth-on-default thesis is falsifiable: a Tier-C platform (auth-on-default in framework) that landed at 5–25% unauth at population scale would break it. None have. The cumulative evidence base across the 2026-05 surve…
- Insight 2026-05-16
Insight #26: Shodan-facet FP rate escalates with token commonality
Codified by Insight #15 (http.title:"LiteLLM API" → 5,391 hits, 2,710 real LiteLLM = 50% FP). Sharpened by the 2026-05-15 RVC voice-cloning survey (http.title:"RVC" → 34 hits, 6 real = 82% FP). Now further sharpened by t…
- Insight 2026-05-16
Insight #27: Docker-image-template dominance
Three independent surveys on 2026-05-16 surfaced the same shape:
- Survey 2026-05-15
Unauth Docker Daemon Population Survey (2026-05-15)
Survey of the Shodan-indexed Docker daemon population on port 2375, the canonical unauth port for the Docker HTTP API. Port 2376 is the TLS-auth variant; port 2375 is unauth by framework spec, and operators who expose it…
- Survey 2026-05-15
etcd Population Survey (2026-05-15)
Population-scale survey of etcd, the distributed key-value store that backs Kubernetes' entire cluster state. Each unauthenticated etcd is a secrets-store leak class: anyone can list (and read) the cluster's stored data…
- Survey 2026-05-15
llama.cpp HTTP Server Population Survey (2026-05-15)
Direct follow-on survey to the day's Ollama work and the aimap v1.9.4 release. aimap v1.9.4 added a llama.cpp server fingerprint after the 194.233.71.223 single-host case revealed that PHASE-2 fingerprinting was missing…
- Survey 2026-05-15
Medical / Edge AI Survey: DICOM Protocol Exposure at Population Scale
Surveyed the 1,017-CIDR tier-2 cloud range list (DigitalOcean / Hetzner / Vultr / OVH / Linode ≈ 3.55M IPs) for medical-imaging AI infrastructure: Orthanc DICOM servers, MONAI Label / MONAI Deploy, NVIDIA Clara, NVIDIA N…
- Survey 2026-05-15
Ollama Population Survey: Shodan-Walk (2026-05-15)
Re-survey of the Ollama exposure surface, walked on Shodan rather than via masscan-on-cloud-prefixes. The prior two surveys (5.38M IPs across six tier-1+2 clouds) found 1,192 confirmed unauth Ollama. This re-survey walks…
- Survey 2026-05-15
RAG Framework Servers: Population-Scale Survey (2026-05-15)
- Survey 2026-05-15
Vault (HashiCorp) Population Survey (2026-05-15)
Population-scale survey of HashiCorp Vault deployments. Vault is the canonical secrets-management platform. The operator's database credentials, API keys, signing keys, and other application secrets live inside. Unauth e…
- Survey 2026-05-15
Voice-Agent Population Survey: LiveKit-dominant (2026-05-15)
Survey of the voice-agent platform population: LiveKit (server + agents framework), Pipecat, Vocode, with Deepgram / Twilio as secondary integration signals.
- Survey 2026-05-15
Voice-Cloning Population Survey: Shodan-Reachable Slice (2026-05-15)
Survey of the Shodan-reachable voice-cloning surface (RVC / GPT-SoVITS / Applio / OpenVoice / ChatTTS / F5-TTS) and adjacent voice-TTS platforms. The aimap fingerprints for these platforms were shipped 2026-05-08 (shodan…
- Survey 2026-05-15
Whisper ASR Population Survey (2026-05-15)
Population-scale survey of Whisper ASR (speech-to-text) deployments: the canonical OpenAI Whisper plus the popular forks (whisper.cpp, faster-whisper, WhisperX). aimap fingerprints shipped 2026-05-08; this survey closes…
- Engagement record Commercial 2026-05-15
alpha_miner Job Scheduler: 194.233.71.223 (Contabo SG)
IP: 194.233.71.223; rDNS: vmi2733226.contaboserver.net; ASN: AS141995 Contabo Asia Private Limited; Location: Singapore (Contabo Asia Pte Ltd, 8 Robinson Road / International Plaza); WHOIS abuse: abuse@contabo.de; …
- Engagement record Commercial 2026-05-15
23.239.19.219: Exposed LlamaIndex Chat with Broken Backend, Multi-Tenant SNI Co-Tenancy
23.239.19.219. Linode US datacenter (Akamai AS), 23.239.0.0/19, rDNS 23-239-19-219.ip.linodeusercontent.com. Linode shared-allocation, neighbor at .217 is harperdbcloud.com. No AS63949 honeypot salt match. Verdict "no ho…
- Insight 2026-05-15
Insight #22: Protocol-strict handshakes are the only verifier for multi-protocol honeypot fleets
Insight #1 established that protocol-strict handshakes filter honeypots: an exact JSON-RPC initialize envelope dropped AS63949 Linode honeypot pollution from 91.6% to 1.1% in the MCP survey. The medical/edge AI survey ex…
- Insight 2026-05-15
Insight #23: Discovery-channel coverage is multiplicative
A population survey can be sourced two ways: masscan-on-cloud-prefixes (scope a set of cloud /16 ranges, scan a port across all of them) or Shodan-walk (page through the Shodan-indexed result set for a brand dork or serv…
- Insight 2026-05-15
Insight #24: Operator workload visibility via Ollama /api/show Modelfile SYSTEM prompts
When Ollama is unauthenticated, the /api/tags endpoint discloses what models the operator installed. That is the canonical finding.
- Survey 2026-05-14
AutoGen Studio, agent-platform tier cloud survey 2026-05-14
NuClide Research
- Survey 2026-05-14
Browser-automation backend tier cloud survey 2026-05-14
NuClide Research
- Survey 2026-05-14
Chrome DevTools Protocol, browser-automation backend cloud survey 2026-05-14
NuClide Research
- Insight 2026-05-14
Insight #21: Port-first discovery beats brand-dork discovery for low-footprint platforms
The standard population survey is dork-then-confirm: write a Shodan dork that matches the platform's brand string, harvest the hits, confirm each one. That works when the platform's web frontend carries Shodan-indexable…
- Survey 2026-05-13
VisorBishop Phase 5b: Bucket-accessibility pass against 49 MLflow artifact stores
NuClide Research · 2026-05-13
- Survey 2026-05-13
VisorBishop Phase 5b: bucket-accessibility pass against 49 MLflow artifact stores (public)
NuClide Research · 2026-05-13
- Engagement record Commercial 2026-05-13
SmartShop AI / amazonrec.space: Multi-service ML pipeline exposure on a single PENTECH host
NuClide Research · 2026-05-13
- Disclosure CRITICAL 2026-05-13
Salutegroup Smartshop Ai Amazonrec 2026 05 13
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL 2026-05-13
SALUTEGROUP Smartshop Ai Amazonrec 2026 05 13
The reason we are contacting Salute Group: this host runs the mail server for your brand Nadorawear (mail.nadorawear.com resolves to 78.135.66.61), the nadorawear.com domain WHOIS lists domain@salutegroup.com.tr, and the…
- Insight 2026-05-13
Insight #18: Storage-tier hygiene exceeds tracker-tier hygiene at population scale
Across 49 cloud-provider buckets extracted from the artifact URIs of 120 critically-exposed unauthenticated MLflow trackers, 48 buckets (97.96%) are locked at the storage tier. One container has an anonymous-list ACL, an…
- Insight 2026-05-13
Insight #19: SPA + headless API is a high-severity exposure tell
When a single-page application is hosted on a CDN platform (Vercel, Cloudflare Pages, Netlify, GitHub Pages, etc.) and its bundled JavaScript calls a same-brand API host of the form https://api.<brand>.<tld>/..., the API…
- Insight 2026-05-13
Insight #20: aimap's AI-service classifier needs the ML data tier, not just the inference tier
aimap classifies a target by what AI/ML services it can fingerprint on that target's open ports. The catalog has been built incrementally around the inference and observability tiers: Ollama, vLLM, llama.cpp, MLflow, Pho…
- Synthesis paper 2026-05-12
AI observability tier, Phase 2 synthesis (cross-cuts + version-deltas)
NuClide Research · 2026-05-12
- Insight 2026-05-12
Insight #17: Platform-class operators are mono-platform at population scale
When two platforms solve the same problem (e.g. LLM observability, vector storage, prompt management), operators install one of them per host. Across 789 hosts spanning four AI-observability platforms (Phoenix + Langfuse…
- Survey 2026-05-11
VisorBishop loop-iteration #1: Re-sweep all Phase 1 corpora, surface gaps
NuClide Research · 2026-05-11
- Survey 2026-05-11
VisorBishop loop-iteration #2: Extended port set, exposure-inventory pivot
NuClide Research · 2026-05-11
- Survey 2026-05-11
VisorBishop loop-iteration #3: AI-stack ML pipeline ports, Rogers NetOps disclosure
NuClide Research · 2026-05-11
- Survey 2026-05-11
VisorBishop iter-4: Adjacent platforms (Opik, AgentOps, Phospho)
NuClide Research · 2026-05-11
- Survey 2026-05-11
VisorBishop iter-5: LiteLLM Proxy + Argilla + Promptfoo (gateway + annotation + eval tiers)
NuClide Research · 2026-05-11
- Survey 2026-05-11
VisorBishop iter-6: Full LiteLLM 5,391-host population sweep (283 unauth LLMjacking primitives)
NuClide Research · 2026-05-11
- Survey 2026-05-11
VisorBishop iter-7: MLflow Tracking + Weights & Biases self-host (experiment-tracking tier)
NuClide Research · 2026-05-11
- Survey 2026-05-11
VisorBishop iter-8: Six platforms swept, near-zero critical (LLM pipeline + ML orchestration + product analytics)
NuClide Research · 2026-05-11
- Survey 2026-05-11
VisorBishop: Phase 3 meta-fingerprinter for the AI observability tier
NuClide Research · 2026-05-11
- Survey 2026-05-11
VisorBishop Phase 5: Three primitives that turn 492 critical hosts into an impact narrative
NuClide Research · 2026-05-11
- Insight 2026-05-11
Insight #14: Recon yield aligns with port-class operator intent, not port number
When sweeping IP-direct-shadow ports for hidden surfaces on hosts already fronted by an SSO reverse proxy (see Insight #12), the productive selector is what class of service the operator was deploying, not the port's for…
- Insight 2026-05-11
Insight #15: Shodan dork hits are not platform instances (the 50% rule)
The number of hits returned by a Shodan dork is not the number of platform instances. Across the AI/LLM infrastructure surveys in 2026-04 and 2026-05, the population of hits that match a single-token title-based dork con…
- Insight 2026-05-11
Insight #16: A 200 from a platform endpoint is identity, not auth state
When a platform endpoint returns HTTP 200 to an unauthenticated probe, that response confirms platform identity (the platform is alive at the URL, accepts requests, and chose to answer), but it does NOT classify the auth…
- Survey 2026-05-10
Helicone deep-dive: Phase 2 (default ClickHouse exposure on benchmarkit.solutions)
NuClide Research · 2026-05-10
- Survey 2026-05-10
Helicone LLM-observability population survey (21-host self-hosted population)
NuClide Research · 2026-05-10
- Survey 2026-05-10
Langfuse deep-dive: Phase 2 (source audit + latent primitives + extended IP-shadow)
NuClide Research · 2026-05-10
- Survey 2026-05-10
Langfuse LLM-observability population survey (1,333-host population, 0% unauth)
NuClide Research · 2026-05-10
- Survey 2026-05-10
LangSmith deep-dive: Phase 2 (customer identity disclosure on 19 enterprise operators)
NuClide Research · 2026-05-10
- Survey 2026-05-10
LangSmith LLM-observability population survey (27-host self-hosted population)
NuClide Research · 2026-05-10
- Survey 2026-05-10
AI observability tier: Small platforms population sweep (Lunary, OpenLIT, Pezzo)
NuClide Research · 2026-05-10
- Survey 2026-05-10
Arize AI Phoenix unauthenticated LLM-observability exposure (377-host population)
NuClide Research · 2026-05-10
- Synthesis paper 2026-05-10
AI observability tier: Cross-platform synthesis (Phase 1)
NuClide Research · 2026-05-10
- Engagement record Commercial 2026-05-10
reputacion.digital: Multi-surface chained exposure (Phoenix + NFS + Prometheus + dev SMTP)
NuClide Research · 2026-05-10
- Insight 2026-05-10
Insight #12: Hostname-routed SSO doesn't protect the IP-direct shadow
When an operator deploys SSO at the application layer (authentik, OAuth proxy, Keycloak, oauth2-proxy, Traefik forward-auth, etc.) and binds it via the reverse proxy's hostname routing, every service that listens on the…
- Insight 2026-05-10
Insight #13: Shipping defaults are load-bearing for population-scale security posture
When two products in the same category have similar customer overlap but ship with opposite security defaults, the population-scale security outcomes follow the defaults. Not the operators. A single env-var default (AUTH…
- Survey 2026-05-09
BI/Dashboard Platforms: Auth Posture Survey
Four BI and analytics dashboard platforms surveyed via Shodan + asyncio probe: Metabase (1,789 IPs), Grafana (2,000 IPs), Apache Superset (1,176 IPs), Redash (1,079 IPs). Total 6,044 IPs → 4,449 confirmed reachable → 1,8…
- Survey 2026-05-09
Milvus/Attu on Public Cloud: Auth Posture and Multi-Tenant SaaS Exposure Survey
Shodan pull of http.title:"Attu" "Milvus" → 1,389 unique IPs → asyncio probe of Attu port 3000 + Milvus REST port 19530 → 763 confirmed reachable instances. Of these, 303 have the Attu admin UI open (full read/write GUI…
- Survey 2026-05-09
Neo4j, Elasticsearch, Supabase, Redis Stack: AI Infrastructure Exposure Survey
Four additional infrastructure layers surveyed as part of the 2026-05-09 vector DB series. Combined Shodan pull → asyncio probe across 2,064 IPs (971 Neo4j + 636 Elasticsearch v8 + 314 Supabase + 143 Redis Stack).
- Survey 2026-05-09
New Vector Storage Survey: QuestDB / Meilisearch / PocketBase / NATS JetStream
Seven previously-unsurveyed AI-adjacent storage and messaging platforms probed via Shodan. 293 QuestDB consoles open with unauthenticated SQL execution, 488 Meilisearch instances health-confirmed (100% no-auth by default…
- Survey 2026-05-09
SurrealDB, Typesense, and LanceDB: Exposure Survey
Three additional vector-capable databases surveyed as part of the 2026-05-09 vector DB series. Combined Shodan pull → asyncio probe across 995 IPs (431 SurrealDB + 354 Typesense + 210 LanceDB).
- Survey 2026-05-09
Weaviate on Public Cloud: Auth Posture and Enterprise Tenant Exposure Survey
Shodan pull of http.html:"weaviate" port:8080 → 852 unique IPs → asyncio probe of /v1/meta, /v1/schema, /v1/nodes → 694 confirmed reachable Weaviate instances. Of these, 435 are fully open (no authentication), 344 contai…
- Engagement record Commercial 2026-05-09
CouchDB Telecom Consent Platform: Active RCE + 244M Subscriber Records
Unauth CouchDB 2.3.1 on Microsoft Azure (Pune, India) hosting Airtel + Tata telecom consent management infrastructure. 7.1M consent records, 244M subscriber preferences with MSISDN phone numbers. Instance has been active…
- Engagement record Commercial 2026-05-09
NATS JetStream: ParamWallet Production Ledger + AI Pipeline (Open Pub/Sub)
141.148.212.34 (Oracle Cloud Mumbai). Production NATS JetStream cluster running an AI document-processing pipeline coupled to a private blockchain ledger. NATS protocol port 4222 advertises no auth requirement; unauthent…
- Disclosure 2026-05-09
GraphRAG Process Safety API: Full Multi-Stack Auth-Off Exposure (Scaleway FR)
A French operator running an industrial process safety knowledge management RAG application has deployed five separate AI/ML services on a single Scaleway dedicated server with no authentication on any layer. The exposur…
- Disclosure 2026-05-09
Klinikken.ai: Unauthenticated Vector Database API (Auth Bypass via Embedding Proxy)
Klinikken.ai's self-hosted vector database API is publicly accessible without authentication. The service is the retrieval-augmented memory layer of a Danish clinical AI platform that records and indexes psychotherapy se…
- Disclosure 2026-05-09
MyAi Corporation: Unauthenticated Multi-Tenant Weaviate Knowledge Base
MyAi Corporation operates a multi-tenant AI chatbot/RAG platform built on Weaviate. Two Hetzner-hosted instances (both .myaicorp.com per TLS cert) expose their entire Weaviate schema, 200–203 named client knowledge-base…
- Engagement record Commercial 2026-05-08
Anduril Industries, Lattice Monitoring Plane (Telefonica ARO Grafana), Disclosure Sent, Awaiting Acknowledgment
NuClide Research · 2026-05-08 (sent 2026-05-09)
- Disclosure HIGH sent 2026-05-08
Adclarity Semrush Docker Registry Exposure 2026 05 08
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com 2026-05-08
- Disclosure HIGH 2026-05-08
Anduril Lattice Infrastructure Exposure 2026 05 08
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com 2026-05-08
- Disclosure HIGH sent 2026-05-08
Manchyn Postgres Grafana 2026 05 08
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com 2026-05-08
- Disclosure CRITICAL sent 2026-05-08
Wyoooni Jiaotong Pipeline Defaultkey 2026 05 08
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com 2026-05-08
- Cross-survey 2026-05-07
Agent frameworks cross-survey, planning + dork catalog (2026-05-07)
NuClide Research, 2026-05-07
- Survey 2026-05-07
JupyterHub on .edu networks, Shodan-driven exposure survey with full chain triage (2026-05-07)
NuClide Research, 2026-05-07
- Engagement record Commercial 2026-05-07
ollama launch claude-desktop: Gateway-mode MITM by default + community-tutorial typosquat surface
NuClide Research, 2026-05-07
- Engagement record Commercial 2026-05-07
Vendor-template adjacent-vendor sweep, planning doc + Shodan dork catalog (2026-05-07)
NuClide Research, 2026-05-07
- Disclosure MEDIUM sent 2026-05-07
Anthropic Claude Desktop Mcp Launch Disclosure
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-07
Eonix 173 232 146 173 Uirusu C2
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-07
Hampton Jupyterhub 20 Stale
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure MEDIUM sent 2026-05-07
Ncsu Jupyterhub Cve 2026 33709
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure MEDIUM sent 2026-05-07
Ollama Launch Claude Desktop Gateway Disclosure
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure MEDIUM sent 2026-05-07
Uic Jupyterhub Cve 2026 33709
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-07
Umd Jupyterhub 402 Cves
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-07
Uw Atmos Rservices Nfs Exposed
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-07
Verotx Kong Platform Compromise 2026 05 07
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-07
Vt Jupyterhub Http Only
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Insight 2026-05-07
Insight #11: Source code is authoritative; bug reports are framing
GitHub Issue ollama/ollama#16005 (filed 2026-05-06) claimed:
- Survey 2026-05-06
Compute Orchestration / Training tier, cloud survey 2026-05
NuClide Research
- Cross-survey 2026-05-06
Langfuse cross-survey-correlation single-host case study (2026-05-06)
NuClide Research · 2026-05-06
- Engagement record Commercial 2026-05-06
Hetzner LiteLLM proxy fronting Ollama-cpu + 4 RunPod GPU pods, fully unauth (65.108.197.157)
NuClide Research · 2026-05-06
- Engagement record Commercial 2026-05-06
AIPOD orthodontic AI MLflow + Label Studio + S3 stack, CVE-2023-1177 actively-exploited (138.197.152.103)
NuClide Research · 2026-05-06
- Engagement record Commercial 2026-05-06
Hilix-class botnet campaign, multi-victim Jupyter-targeted operation (Ulm Cortical Labs + Tencent OpenClaw)
NuClide Research · 2026-05-06
- Engagement record Commercial 2026-05-06
Pediatric medical ML operator, 224 unauth MLflow experiments + Metabase setup-token unclaimed (65.109.36.121)
NuClide Research · 2026-05-06
- Engagement record Commercial 2026-05-06
Squeeze/Helios short-squeeze trading platform, full architecture leaked + MLflow CVE-2023-1177 actively exploited (159.203.110.202)
NuClide Research · 2026-05-06
- Engagement record Commercial 2026-05-06
Triton chat-safety pipeline, minor-detection classifier still live (159.203.42.211 + 178.62.225.198)
NuClide Research · 2026-05-06
- Engagement record Commercial 2026-05-06
Vendor-template default-no-auth on research-instrument web stacks, pattern recognition + fleet-audit roadmap
NuClide Research · 2026-05-06
- Disclosure CRITICAL sent 2026-05-06
Akamai Linode 172 233 96 208 C2 Takedown
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-06
Cogent 38 87 117 84 Malware Host
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-06
In TPC3.ipynb (created 2026-05-05 17:14 UTC):
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-06
Digitalocean 138 197 152 103 Aipod Mlflow
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-06
1. Patch MLflow immediately - upgrade to 2.10.0+ (CVE-2023-1177 patched in 2.3.1).
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-06
Triton's HTTP port should bind to 127.0.0.1, not 0.0.0.0
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-06
In the Langfuse container env (or .env file):
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-06
1. Enable LiteLLM's master-key auth (one env var):
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-06
1. CLAIM THE METABASE SETUP-TOKEN IMMEDIATELY.
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-06
Hetzner 65 109 36 121 Wellcalf Correction
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-06
1) Update Chromium to current stable
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-06
If served by FastMCP / uvicorn (likely, given Server: uvicorn header):
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-06
Bind to localhost or restrict at firewall
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-06
1) Update Chromium / Browserless to current stable
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-06
Tencent 101 34 81 166 Jupyter Compromise
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-06
On the lab device - stop Jupyter and kill the orphaned socat:
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-06
Via the unauth Jupyter kernel WebSocket (same access path as the attacker):
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-06
Uni Ulm Cert Port80 Dashboard Followup
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-06
Uni Ulm Cert Resend Active Compromise
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Insight 2026-05-06
Insight #8: Auth-bypass-via-misconfiguration is missed by entry-point-only fingerprints
The compute-orchestration survey caught Apache Airflow instances configured with AUTH_ROLE_PUBLIC = "Admin" (anonymous public role enabled). The dashboard is reachable at /home, while /login/ still serves the login templat…
- Insight 2026-05-06
Insight #9: Cross-survey-correlation is a Shodan-free discovery vector with stacked-finding bias
The 2026-05-06 Langfuse cross-probe ran across 723 ledger IPs × 5 ports (3000, 3001, 8080, 443, 80) with a strict matcher (HTTP 200 + JSON status:OK + version field, Methodology Insight #6 conjunctive) and returned 1 con…
- Insight 2026-05-06
Insight #10: Research/lab-instrument vendors ship web stacks with auth-disabled defaults
A token-disabled-Jupyter Shodan dork on 2026-05-06 surfaced 7 candidate hosts. Of the 2 reachable from the research VPN, both were already compromised (100% rate at this small sample).
- Insight 2026-05-05
Insight #6: Single-word substring matching is unsound at population scale
The AI safety eval survey's bespoke probe (data/aisafety-probe.py) used b"garak" in body.lower() and b"confident" in body.lower() as platform-identification matches.
- Insight 2026-05-05
Insight #7: Shodan-facet bucketing inherits the substring-FP class
Discovered during the DuckDB-HTTP bucketing pass: a bare-string Shodan dork returned 8 hits whose actual products were unrelated; Definite.app, Amulet Scan, and generic FastAPI swagger pages all matched a substring intended…
- Survey 2026-05-04
Commercial AI Infrastructure Exposures
Commercial / SaaS Ollama and AI infrastructure exposures discovered during OSINT sweeps. These differ from university and research-network exposures in that the operators are commercial entities with paying customers and…
- Survey 2026-05-04
Backup & Snapshot Services on Public AI Infrastructure: Survey
Re-probe of the 663 unauthenticated tier-2 Qdrant instances catalogued in the parallel cross-survey, this time targeting Qdrant's snapshot endpoints (GET /snapshots and GET /collections/<name>/snapshots). 16 of 663 hosts…
- Tier-2 survey 2026-05-04
ChromaDB on Tier-2 Cloud: Auth Posture Survey (Scope Expansion)
Mass-scan of port 8000 (ChromaDB default) across the same 76 tier-2 /16 ranges (3.55M IPs), Scaleway + OVH + Linode used in the parallel Qdrant/Milvus/Ollama tier-2 expansions. 34,524 port-open candidates → 44 confirmed…
- Survey 2026-05-04
ComfyUI Image-Generation Workflow Tool: Auth Posture Survey
Mass-scan of port 8188 (ComfyUI default) across 76 tier-2 cloud /16 ranges (3.55M IPs) plus 25 Hetzner /16 ranges (where commodity GPU servers are common). Combined: 6 confirmed ComfyUI instances, 100% unauthenticated.
- Guide 2026-05-04
Future Surveys: AI/ML Infrastructure Categories Not Yet Covered
The 2026-05/06 survey series covers 35+ platform classes. Several adjacent categories remain unsurveyed and are catalogued here as a roadmap. Each entry includes:
- Tier-2 survey 2026-05-04
Milvus on Tier-2 Cloud: Auth Posture Survey (Scope Expansion)
Mass-scan of port 19530 (Milvus REST/gRPC default) across the same 76 tier-2 /16 ranges (3.55M IPs), Scaleway + OVH + Linode used in the Ollama and Qdrant tier-2 expansions. 5,480 port-open candidates → 429 raw "Milvus-s…
- Survey 2026-05-04
LLM Observability + Training Telemetry: Auth Posture Survey
Mass-scan of port 6006 (Phoenix Arize default + TensorBoard default) across 76 tier-2 cloud /16 ranges (3.55M IPs). 4,314 port-open candidates → 9 confirmed AI/ML observability instances (after filtering 38 non-AI port-6…
- Tier-2 survey 2026-05-04
Ollama on Tier-2 Cloud: Auth Posture Survey (Scope Expansion)
Mass-scan of port 11434 (Ollama default) across 76 cloud /16 ranges spanning Scaleway, OVH, and Linode, three tier-2 budget clouds outside the original DO/Hetzner/Vultr baseline. 3.55 million IPs scanned → 7,335 port-ope…
- Tier-2 survey 2026-05-04
Qdrant on Tier-2 Cloud: Auth Posture Survey (Scope Expansion)
Mass-scan of port 6333 (Qdrant HTTP API) across the same 76 tier-2 /16 ranges (3.55M IPs), Scaleway + OVH + Linode used in the tier-2 Ollama expansion. 9,192 port-open candidates → 781 confirmed Qdrant instances → 663 un…
- Guide 2026-05-04
Operator Remediation Guide
If you operate one of the platforms surveyed in 2026-05, most exposures resolve to a single configuration change to enable authentication. The most-effective hardening goes one step further and binds the service to local…
- Survey 2026-05-04
Speech & Audio AI on Tier-2 Cloud: Auth Posture Survey
Mass-scan of port 9000 (whisper-asr-webservice default + faster-whisper-server common) across the same 76 tier-2 /16 ranges (3.55M IPs), Scaleway + OVH + Linode. 10,991 port-open candidates → 6 confirmed Speech & Audio A…
- Engagement record Other 2026-05-04
Commercial AI Infrastructure Exposures
Commercial / SaaS Ollama and AI infrastructure exposures discovered during OSINT sweeps. These differ from university and research-network exposures in that the operators are commercial entities with paying customers and…
- Disclosure CRITICAL sent 2026-05-04
Am Armenian Academy Resend
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL acknowledged 2026-05-04
Au Newcastle Followup
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-04
LiteLLM example: set master key + virtual keys per consumer
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-04
In LiteLLM config or env:
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-04
If served by FastMCP / uvicorn:
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-04
Disclosure Outcomes: 2026-05-04 Bulk Send
- 36 disclosure emails sent via Gmail API from nicholas@nuclide-research.com (OAuth at /.config/nuclide/, scope gmail.send) - 44 unique recipients (To + Cc, including abuse@<domain> belt-and-suspenders fanouts) - 0 synta…
- Disclosure CRITICAL sent 2026-05-04
If served by FastMCP / uvicorn:
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-04
Whatever process serves the MCP HTTP+SSE endpoint, restrict to 127.0.0.1
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-04
Bind to localhost:
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-04
Ovh Brightwavess Cloudflare Dns Mcp
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-04
Pk Comsats Resend
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-04
Tw Fju Medph Resend
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-04
Us Ny Suny Buffalo State
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-04
Vn Vnu Hanoi Resend
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Insight 2026-05-04
Insight #1: Protocol-strict surveys self-filter honeypots
The MCP survey, which required a strict JSON-RPC initialize handshake before scoring a hit, saw only 1.1% AS63949 honeypot pollution on Linode. The earlier Milvus tier-2 survey, which probed on a more permissive shape, s…
- Insight 2026-05-04
Insight #2: Single-template auth-off failures propagate at population scale
The LLM Gateway survey documented 1,829 of 1,857 functional unauth gateways (98.5%) returning the identical canned response "Hello! I'm doing well, thank you. How about you?" from gpt-4o-mini. The uniformity is the signa…
- Insight 2026-05-04
Insight #3: Capabilities-object tool-schema leak
@benborla29/mcp-server-mysql v2.0.1 returned an empty tools/list (auth-gated for invocation) but leaked the mysql_query tool schema via the capabilities object of the initialize response.
- Insight 2026-05-04
Insight #4: WHOIS-driven contact resolution is non-negotiable
The 2026-05-04 disclosure batch's only operator-caught misroute was SUNY Buffalo State University → University at Buffalo, produced by a slug-string heuristic in genemails.py. The two institutions are distinct; the slug…
- Insight 2026-05-04
Insight #5: Same-day-remediation feedback loop
Two operators (KTH and NCU/Aiden) confirmed nullroute / port-closure within hours of receiving the disclosure email, before the 24h re-probe cycle even started. Both received disclosures that included the verbatim mitiga…
- Survey 2026-05-03
ChromaDB on Public Cloud: Auth Posture Survey
Sweep of 1.83M IPs across 28 cloud-provider /16 ranges (DigitalOcean, Hetzner, Vultr) on port 8000 → 22,765 masscan hits → 48 confirmed ChromaDB instances via /api/v{1,2}/heartbeat → {"nanosecond heartbeat": <int>} finge…
- Survey 2026-05-03
Elasticsearch / OpenSearch on Public Cloud: Auth Posture Survey
Sweep of 1.83M IPs across 28 cloud-provider /16 ranges (DigitalOcean, Hetzner, Vultr) on port 9200 → 313 masscan hits → 42 confirmed unauthenticated Elasticsearch/OpenSearch instances (38 ES, 4 OpenSearch). Roughly half…
- Survey 2026-05-03
Flowise on Public Cloud: Auth Posture Survey
Sweep of 1.83M IPs across 28 cloud-provider /16 ranges (DigitalOcean, Hetzner, Vultr) on port 3000 → 20,581 live hosts → 43 confirmed Flowise instances via the /api/v1/ping → pong fingerprint. Zero unauthenticated, explo…
- Survey 2026-05-03
Gradio / Stable Diffusion / Langflow on port 7860: Auth Posture Survey
Mass-scan of port 7860 (Gradio's default) across 28 cloud-provider /16 ranges (DO/Hetzner/Vultr) returned 481 hits → fingerprinted via title + product-specific endpoints → 16 confirmed real Gradio-class deployments. Spar…
- Survey 2026-05-03
Jupyter Notebook / JupyterHub on Public Cloud & University Networks: Auth Posture Survey
Two-phase sweep targeting port 8888 across cloud-hosting providers and university research networks. Zero unauthenticated Jupyter instances found in either population. JupyterHub's mandatory login and Jupyter Notebook's…
- Cross-survey 2026-05-03
Mem0 Agent Long-Term Memory: Cross-Survey of Exposed Instances
Mem0 (github.com/mem0ai/mem0) is a Python framework that turns any vector store into agent long-term memory: structured per-user JSON payloads with user_id, data, hash, created_at fields, embedded and stored alongside the…
- Survey 2026-05-03
Milvus on Public Cloud: Auth Posture Survey
Sweep of 1.83M IPs across 28 cloud-provider /16 ranges (DigitalOcean, Hetzner, Vultr) on port 19530 → 275 masscan hits → 33 confirmed Milvus instances via the /v2/vectordb/collections/list REST API → all returned code: 0…
- Survey 2026-05-03
MinIO + Dify on Public Cloud: Auth Posture Survey
Two parallel sweeps:
- Survey 2026-05-03
MLflow Tracking Server on Public Cloud: Auth Posture Survey
Mass-scan of port 5000 across 28 cloud-provider /16 ranges (DO/Hetzner/Vultr) returned 12,106 hits → fingerprinted via /version + /api/2.0/mlflow/experiments/search body match → 11 confirmed MLflow Tracking Server instan…
- Survey 2026-05-03
n8n on Public Cloud: Auth Posture Survey
Sweep of 1.83M IPs across 28 cloud-provider /16 ranges (DigitalOcean, Hetzner, Vultr) on port 5678 → 5,885 live hosts → 1,006 confirmed n8n instances via /rest/settings → "timezone" fingerprint. Zero unauthenticated, exp…
- Survey 2026-05-03
Ollama on Public Cloud: Auth Posture Survey
Mass-scan of port 11434 (Ollama's default) across 28 cloud-provider /16 ranges (DO/Hetzner/Vultr) → 882 hits → 342 confirmed Ollama instances, all unauthenticated (Ollama has no authentication concept, the framework does…
- Survey 2026-05-03
Open WebUI on Public Cloud: Auth Posture Survey
Reused the 20,581 port-3000 hits from the prior Flowise sweep and re-fingerprinted them for Open WebUI (the popular Ollama / OpenAI-compatible chat frontend) via GET /api/version body match ({"version":"0.x.x"}) plus /ap…
- Survey 2026-05-03
Qdrant on Public Cloud: Auth Posture Survey
Sweep of 1.83M IPs across 28 cloud-provider /16 ranges (DigitalOcean, Hetzner, Vultr) on port 6333 → 9,462 live hosts (partial scan, killed at 40% coverage) → 151 masscan hits → 61 confirmed Qdrant instances via /collect…
- Survey 2026-05-03
Streamlit Data Apps on Public Cloud: Auth Posture Survey
Mass-scan of port 8501 (Streamlit's default) across 28 cloud-provider /16 ranges (DO/Hetzner/Vultr) returned 1,389 hits → fingerprinted via /stcore/host-config → 551 confirmed Streamlit apps, all unauthenticated (useExte…
- Synthesis paper 2026-05-03
The Modern AI Stack Ships Open: Cross-Survey Synthesis
Across thirteen distinct platform classes, vector databases, model-serving inference servers, MLOps tracking, image generation, agent platforms, chat UIs, data apps, and orchestration tools, surveyed by mass-scanning 28…
- Survey 2026-05-03
NVIDIA Triton Inference Server on Public Cloud: Auth Posture Survey
Reused the 22,765 port-8000 hits from the prior ChromaDB sweep and fingerprinted them for NVIDIA Triton Inference Server (GET /v2 body match "name":"triton"). 2 confirmed Triton instances, both unauthenticated, both on D…
- Survey 2026-05-03
vLLM / OpenAI-Compatible LLM Inference Servers on Public Cloud: Auth Posture Survey
Reused the 22,765 port-8000 hits from the prior ChromaDB sweep and fingerprinted them for OpenAI-compatible LLM inference servers via GET /v1/models body match ({"object":"list","data":[{"object":"model",...}]}). 44 conf…
- Engagement record Commercial 2026-05-03
Auto F&I Sales Training RAG: Customer Dialogues + Methodology IP Exposed via Unauthenticated ChromaDB
A ChromaDB instance on a DigitalOcean VPS exposes three RAG collections used to train an auto-dealership F&I (Finance & Insurance) sales agent. The collections contain real customer dialogue transcripts (with first names…
- Engagement record Commercial 2026-05-03
Crypto Investment Agent: Per-User Financial Memory Exposed via Unauthenticated ChromaDB
A ChromaDB instance on a DigitalOcean VPS exposes a Spanish-language crypto investment AI agent's full vector memory: 12 collections holding the CoinGecko API documentation corpus, a 15,560-token cryptocurrency reference…
- Engagement record Commercial 2026-05-03
HolaModa + Delta701: Multi-Tenant Fashion Retail RAG with Dev/Prod Co-Located on Unauth ChromaDB
A ChromaDB instance on a DigitalOcean VPS holds 1.53M embedded documents across seven collections, spanning two tenants (HolaModa and Delta701) and mixing development with production environments on the same database. Al…
- Engagement record Commercial 2026-05-03
Brazilian Banking-Compliance AI Consultant: Unauthenticated Qdrant with BCB / LGPD Methodology Corpus
A Qdrant instance on a DigitalOcean VPS exposes an unauthenticated endpoint with a collection schema consistent with a RAG-backed legal casework or compliance investigation platform. Collections include investigationdata…
- Engagement record Commercial 2026-05-03
Multi-Tenant Personal Document SaaS: Diary, Theater Scripts, Philosophy via Unauth ChromaDB
A ChromaDB instance on a DigitalOcean VPS exposes three CUID-named collections (corpuscln) representing the personal document corpora of three users on what appears to be a multi-tenant document-RAG SaaS. The contents ra…
- Engagement record Commercial 2026-05-03
Unknown Operator: Pingu Crypto Trading AI + Nova Molecular Optimization: Live Strategy IP Exposed via Unauthenticated Qdrant
A single Qdrant instance on a Vultr host exposes two parallel autonomous AI agent systems without authentication. The first, "Pingu", is a live crypto trading AI with active positions, real PnL history, and multi-paragra…
- Engagement record Commercial 2026-05-03
tweet-optimize.com: 1.21M Facial Embeddings (OnlyFans + Second Dataset) Exposed Unauth on Milvus

- Engagement record Commercial 2026-05-03
sanctionscanner.com: Turkish AML/KYC Compliance SaaS: 79M KYB Records + Live Client Monitoring Exposed
sanctionscanner.com is a Turkish AML/KYC compliance SaaS serving financial institutions. Their production Elasticsearch cluster, three nodes, was reachable on port 9200 with xpack.security.enabled=false and no network fi…
- Engagement record Commercial 2026-05-03
Watzis / Calmio: Vietnamese AI Assistant: PII Memory Store Exposed via Unauthenticated Qdrant
A production multi-user Vietnamese AI assistant, likely operating under the "Watzis" or "Calmio" brand, runs a Mem0-backed long-term memory stack on a Vultr VPS with no authentication on port 6333. The Qdrant instance st…
- Engagement record Universities 2026-05-03
University of Dhaka: Coding Cluster, 3 Cloud Proxies, Embedding Pipeline
University of Dhaka (AS137359) exposes an Ollama instance focused on software development AI tooling: multiple code-specialized models, a high-quality multilingual embedding model (bge-m3), and three cloud proxy subscrip…
- Engagement record Universities 2026-05-03
University of Alberta: CS Dept GPU Server, gpt-oss:120b, Coding Stack
lula.cs.ualberta.ca (129.128.243.184), University of Alberta Computer Science department, runs Ollama v0.21.1 with 5 models including gpt-oss:120b (65GB, 116.8B parameters) and qwen2.5-coder:32b, indicating an active cod…
- Engagement record Universities 2026-05-03
China Telecom Tianjin: 46-Node Multi-Tenant Ollama Cluster
China Telecom's Beijing-Tianjin-Hebei Big Data Industry Park (Tianjin, AS141679) hosts at least 46 cloud VM instances running Ollama on port 11434 without authentication. All discovered through a Shodan org:"institute" s…
- Engagement record Universities 2026-05-03
University of Nicosia: DeepSeek V4 Pro Cloud Proxy, Unauthenticated Inference
82.116.203.130 (University of Nicosia / Intercollege, Cyprus, CYNET) runs Ollama v0.17.0 with deepseek-v4-pro:cloud listed in the model inventory. Cloud inference returned "ollama cloud is disabled: remote model is unava…
- Engagement record Universities 2026-05-03
Forskningsnettet (Danish Research and Education Network): Two Nodes, v0.3.0 Ancient + v0.22.0 Current
Two Ollama nodes in Aalborg, Denmark on AS1835 Forskningsnettet (the Danish national research and education network). One node (130.225.39.157) runs Ollama v0.3.0, a pre-release build from late 2023, making it one of the…
- Engagement record Universities 2026-05-03
Agricultural University of Athens: 142GB Qwen3-235B MoE, Dual-Embedding RAG
afa4pc19.aua.gr (143.233.187.19), Agricultural University of Athens (Γεωπονικό Πανεπιστήμιο Αθηνών, AUA), runs Ollama v0.18.2 with a 5-model stack anchored by qwen3:235b-a22b-instruct-2507-q4KM, the Qwen3 235B MoE model…
- Engagement record Universities 2026-05-03
Institut Teknologi Bandung (ITB): 22 Models, Custom Indonesian Education AI
Institut Teknologi Bandung's LSKK (Laboratorium Sistem Komputer dan Kecerdasan Buatan, Computer Systems and AI Lab, Electrical Engineering) exposes Ollama at lskk-20.ee.itb.ac.id (167.205.66.20) with 22 models. The stack…
- Engagement record Universities 2026-05-03
University of Indonesia: Unauthenticated Ollama Node
The University of Indonesia (Universitas Indonesia, UI) exposes one Ollama node at 152.118.31.61 (Depok, West Java, AS3382). The instance runs an ancient Ollama build (v0.5.4-dirty) and hosts llama3.2:3b. Open WebUI v0.5…
- Engagement record Universities 2026-05-03
Kumamoto University: Account Takeover, MiniMax Cloud Proxy (CS Architecture Lab)
scorpio.arch.cs.kumamoto-u.ac.jp (133.95.140.141), Kumamoto University Computer Science department (Architecture lab, arch.cs), runs Ollama v0.12.7 with a live Ollama Connect account takeover. The MiniMax M2.7 cloud prox…
- Engagement record Universities 2026-05-03
Waseda University: Account Takeover (`tokoko`), Custom DeepSeek Academic/JP Models, qwen3-vl:235b
Waseda University (tokoko.human.waseda.ac.jp, 133.9.184.47) exposes Ollama with 10 models including a live Ollama Connect account takeover. The username is tokoko, a human-chosen name, not a container ID or MAC address,…
- Engagement record Universities 2026-05-03
University of Rwanda: Qwen3.5 + Qwen3.6 27B, College of Education Campus
154.68.72.29 (University of Rwanda, College of Education Campus, Kigali) runs Ollama with qwen3.5:27b and qwen3.6:27b accessible without authentication. This is the first Sub-Saharan Africa (excluding Kenya) university f…
- Engagement record Universities 2026-05-03
Technical University of Košice: MedGemma 54GB, Abliterated Qwen3.6-35B, Turkish LLM, RAG Stack
prometheus.fei.tuke.sk (147.232.40.80), Faculty of Electrical Engineering and Informatics at the Technical University of Košice (TUKE), Slovakia, runs Ollama v0.11.11 with 24 models including two quantizations of Google…
- Engagement record Universities 2026-05-03
National Chengchi University: Taiwan National AI Models (TAIDE) Exposed on V100×4 Server
National Chengchi University (政治大學) Computer Science department has a 4× NVIDIA V100 GPU server (V100x4.cs.nccu.edu.tw, 140.119.163.219) with Ollama exposed on port 11434 without authentication. The server hosts Taiwan's…
- Engagement record Universities 2026-05-03
National Tsing Hua University: TAIDE-NPC Model, Qwen3.6:35b
National Tsing Hua University (清華大學, NTHU) node sd197130.shin34.ab.nthu.edu.tw (140.114.197.130) runs Ollama v0.22.0 (current release) with two models, qwen3.6:35b and taide-npc:latest. The taide-npc model is a notable f…
- Engagement record Universities 2026-05-03
National Taiwan University: CSIE MVNL Lab, Llama-3.3-70B vLLM (FP8, 2-Engine)
mvnl-nas.csie.ntu.edu.tw (140.112.91.209) in NTU's Computer Science and Information Engineering (CSIE) department exposes vLLM on port 8080 serving nvidia/Llama-3.3-70B-Instruct-FP8, NVIDIA's FP8-quantized Llama 3.3 70B,…
- Engagement record Universities 2026-05-03
TANet Abliterated Model Cluster: `gemma4-crack-fixed`, Multiple Safety-Bypassed Models
A Taiwan Academic Network node at 120.126.16.144 (AS1659 TANet, Taipei, no rDNS) runs a concentrated cluster of abliterated, uncensored, and jailbreak-labeled models on Ollama v0.20.3. The most notable model is gemma4-cr…
- Engagement record Universities 2026-05-03
Taiwan Ministry of Education Computer Center (TANet): Account Takeover, Default `ollama` Credentials
A TANet-hosted node (AS1659 Taiwan Academic Network Information Center, Taipei) exposes Ollama with two cloud proxy subscriptions and a live account takeover, the Ollama Connect account name is the default ollama, indica…
- Engagement record Universities 2026-05-03
Binh Duong University: Account Takeover, Contabo VPS (`itu.edu.vn`)
A server with hostname itu.edu.vn (94.136.191.179) running Ollama on Contabo GmbH VPS infrastructure has a live Ollama Connect account takeover. The hostname references the International University (IU Vietnam) or Binh D…
- Engagement record Universities 2026-05-03
UC Berkeley: Residential Hall Machine, qwen2.5:32b Public
lal-99-178.reshall.berkeley.edu (169.229.99.178), a machine on UC Berkeley's residential hall network, runs Ollama v0.11.10 with qwen2.5:32b (19GB) exposed on port 11434. The reshall.berkeley.edu subdomain indicates stud…
- Engagement record Universities 2026-05-03
UC Berkeley: Course AI Assistant, Unauthenticated Memory Injection
roar-art.EECS.Berkeley.EDU (128.32.43.210) runs a production FastAPI service called "Course AI Assistant API" serving AI-assisted tutoring across EECS courses. The /api/chat/memory-synopsis endpoint is completely unauthe…
- Engagement record Universities 2026-05-03
UC Berkeley: vLLM 4-Node Research Cluster, SecAlign + Nemotron
Four vLLM nodes on UC Berkeley's research computing network (128.32.0.0/16) expose OpenAI-compatible inference APIs without authentication. The most significant node (128.32.112.120) serves facebook/Meta-SecAlign-8B, Met…
- Engagement record Universities 2026-05-03
University of California, San Diego (UCSD): Large Local Models + Cloud Proxies
University of California San Diego (AS26397, The Regents of the University of California) exposes an Ollama instance with 7 models including qwen3.5:35b (22GB), gpt-oss:120b (61GB), and two cloud proxy subscriptions (dev…
- Engagement record Universities 2026-05-03
Purdue University (main campus): Account Takeover on n8n Workflow Automation Server
Purdue University main campus (West Lafayette, IN) exposes an Ollama instance at n8n.tap.purdue.edu, the reverse DNS reveals this is a Purdue n8n workflow automation deployment. n8n is a self-hosted AI workflow tool that…
- Engagement record Universities 2026-05-03
University of Maine: 69GB Uncensored 122B Model + 18 Cloud Subscriptions, ECE Server
University of Maine's Electrical and Computer Engineering (ECE) department runs an Ollama server at ECE-Ubuntu-02.um.maine.edu (Orono, AS557) with 21 models: 18 cloud proxy subscriptions and 3 local models including a 69…
- Disclosure CRITICAL sent 2026-05-03
In Shiv Nadar
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-03
Bind to localhost:
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-03
Bind to localhost (recommended for research cluster):
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Engagement record Other 2026-05-02
Government AI Infrastructure Exposures
Unauthenticated Ollama instances discovered on government networks. Identified via hostname TLD filtering (.gov, .go.id, .gov.br, .gov.tw, .mil, etc.).
- Engagement record Government 2026-05-02
Indonesia Government Cluster: 5-Node Survey, 2 Account Takeovers
Five Indonesian government Ollama nodes confirmed live across .go.id infrastructure. Two provincial government nodes have live Ollama Connect account takeover URLs. The cluster spans national, provincial, and regency tie…
- Engagement record Government 2026-05-02
Pemerintah Provinsi Kalimantan Utara: Account Takeover, Claude-Distilled Model
The North Kalimantan Province Government (Pemerintah Provinsi Kalimantan Utara) exposes an Ollama node at ip-103-156-110-80.kaltaraprov.go.id (103.156.110.80). The node runs cloud proxy subscriptions and a live account t…
- Engagement record Government 2026-05-02
DINAS KOMINFO PROV. JAWA TENGAH: Account Takeover, RAG Pipeline
The Central Java Province Communications and Information Technology Department (Dinas Kominfo Prov. Jawa Tengah) exposes an Ollama node at sijoli-11-245-107.jatengprov.go.id (103.107.245.11) on the Indonesian government…
- Engagement record Government 2026-05-02
AWS GovCloud: Unauthenticated Ollama, Custom JOSIE AI, DeepSeek + MiniMax Cloud Proxy
An Ollama node at ec2-16-64-116-67.us-gov-east-1.compute.amazonaws.com (16.64.116.67) runs in AWS GovCloud (us-gov-east-1), the AWS region reserved for US government agencies and their contractors. The node runs 10 model…
- Engagement record Universities 2026-05-02
Bangladesh Research and Education Network (BdREN): Unauthenticated Inference Node
The Bangladesh Research and Education Network (BdREN), the national research and education network of Bangladesh, exposes one Ollama node on 203.96.189.126. Seven models including Mistral, Llama 3.x, and Gemma2 are acces…
- Engagement record Universities 2026-05-02
"No. 18 Institute of Jingdong HQ": 26-Node Cluster, China Unicom
A 26-node Ollama cluster on China Unicom's 111.228.0.0/16 range, all registered to org eleven street,No. 18 Institute of Jingdong headquarters. The org name reads as a Chinese physical address (Jingdong district, No. 18…
- Engagement record Universities 2026-05-02
Algerian Academic Research Network (ARN): Unauthenticated Inference Node
Algeria's national academic research network exposes one Ollama node (193.194.91.182) with two models including SmolLM2 with a live system prompt.
- Engagement record Universities 2026-05-02
Informatics and Telematics Institute (ITI): Mistral Small 24B, vcl.iti.gr
The Information Technologies Institute (ITI), part of CERTH (Centre for Research and Technology Hellas), Greece's largest national research centre, exposes one Ollama node (vcl.iti.gr, 195.251.117.101) running Mistral Sm…
- Engagement record Universities 2026-05-02
India NIB (National Internet Backbone / BSNL): 2-Node Cluster, 32B Coder
Two Ollama nodes on India's National Internet Backbone (NIB), operated by BSNL (Bharat Sanchar Nigam Limited), India's state-owned telecom. Node 2 (static.ill.117.251.22.196.bsnl.co.in) runs a 32B coding model alongside…
- Engagement record Universities 2026-05-02
Kyungpook National University: 3-Node Cluster, Multimodal AI
Kyungpook National University (KNU, Daegu, South Korea) exposes three Ollama nodes on the public internet. Together the nodes span vision-language models (qwen3-vl:32b, llava), a custom community quantization (VladimirGa…
- Engagement record Universities 2026-05-02
Morocco ONPT: National Telecom Operator Ollama Node
Office National des Postes et Télécommunications (ONPT), Morocco's national postal and telecommunications operator, exposes one Ollama node (160.174.129.120) with a single model. ONPT operates Morocco's national communic…
- Engagement record Universities 2026-05-02
Malaysia Ministry of Education (EMISC): Unauthenticated Ollama Node
Malaysia's Ministry of Education Education Management Information System Centre (EMISC) exposes one Ollama node (203.172.144.85) with two models. EMISC manages the national school and education data infrastructure for Ma…
- Engagement record Universities 2026-05-02
ICI Bucharest: 2-Node Cluster, Cloud Proxy + Abliterated Models
Institutul National de Cercetare-Dezvoltare în Informatică (ICI Bucharest), Romania's national IT research institute, exposes two Ollama nodes. Node 1 (85.122.129.92) runs cloud proxy subscriptions (DeepSeek, MiniMax). N…
- Engagement record Universities 2026-05-02
Taiwan Academic Network (TANet): 18-Node Cluster, 1 Account Takeover, Multi-Institution
The Taiwan Ministry of Education Computer Center operates TANet (Taiwan Academic Network), the national IP allocation backbone for all Taiwan universities. The institute sweep found 18 live Ollama nodes across the TANet…
- Engagement record Universities 2026-05-02
California Institute of Technology (Caltech): GPT-OSS 120B, RAG Pipeline
A Caltech node (yertle.caltech.edu, 131.215.141.46) exposes Ollama with 6 models including gpt-oss:120b (OpenAI's 120B open model, 65.4GB) and a RAG pipeline stack (two embedding models). The hostname yertle references t…
- Survey 2026-05-01
AI Safety Evaluation / Red-Team Self-Hosted: Cross-Cloud Survey (2026-05)
The original probe, data/aisafety-probe.py, used naked single-word substring matching on response bodies (b"garak" in body.lower(), b"deepeval" in text or b"confident" in text). At population scale across 1,017 cloud pre…
- Survey 2026-05-01
Browser Automation / Agent Backends: Cross-Cloud Survey (2026-05)
Browser-automation backends (Browserless, Playwright server, Puppeteer remote, Selenium Grid, Skyvern) underpin AI agent stacks: the agent navigates websites, scrapes content, fills forms, and harvests data via these bac…
- Survey 2026-05-01
Data Labeling / Annotation Servers: Cross-Cloud Survey (2026-05)
Data-labeling and annotation servers (Argilla, LabelStudio, Prodigy, doccano, CVAT) sit at the input boundary of every supervised-learning ML pipeline. They host the raw data being labeled, frequently real customer PII,…
- Survey 2026-05-01
Embedding Services: Cross-Cloud Survey (2026-05)
Embedding servers are the vector-conversion layer between raw text and vector databases. They ingest documents or queries and return dense float vectors; without them, RAG pipelines and semantic search cannot run. Every…
- Survey 2026-05-01
LLM Gateways / OpenAI-Compatible Proxies: Cross-Cloud Survey (2026-05)
LLM gateway / OpenAI-compat proxy products sit between LLM applications and upstream providers. They normalize multiple provider APIs (Anthropic, OpenAI, Cohere, Together, etc.) behind a single OpenAI-compatible interfac…
- Survey 2026-05-01
Model Context Protocol (MCP) Servers: Cross-Cloud Survey (2026-05)
Model Context Protocol (MCP) was published by Anthropic in late 2024 as a standard for connecting LLMs to tools, filesystems, and databases. The protocol was designed for stdio (in-process) transport, but the ecosystem r…
- Survey 2026-05-01
RAG Framework Servers: Cross-Cloud Survey (2026-05)
RAG (Retrieval-Augmented Generation) framework servers sit between vector databases and LLM clients. They orchestrate the document-ingestion → chunking → embedding → retrieval → context-injection pipeline. The vector DB…
- Survey 2026-05-01
Case Study: Ollama Unauthenticated Exposure: Enterprise Targets
During authorized AI infrastructure reconnaissance on 2026-05-01, Shodan enumeration of exposed Ollama instances (port 11434) identified a cluster of enterprise and critical-infrastructure deployments running versions co…
- Engagement record Commercial 2026-05-01
emails-pro.fr: French Commercial Appointment-Booking SaaS: Full System Prompt + PII Collection Pattern Exposed
A production French commercial appointment-booking AI assistant, rdv-bot:latest, is hosted on an IP attributed to the Romanian National Institute for R&D in Informatics (ICI Bucharest). The PTR record points to mail.emai…
- Engagement record Critical Infrastructure 2026-05-01
Thailand Ministry of Public Health: Unauthenticated Ollama with Vision Model
Thailand Ministry of Public Health server running Ollama with 5 models including IBM Granite Vision 2B. Raw Ollama port publicly accessible, no authentication. No cloud proxy. Sector: healthcare / government critical inf…
- Engagement record Critical Infrastructure 2026-05-01
City of Cartersville, GA: Local Government Ollama + Cloud Proxy Credential Leak
City of Cartersville, Georgia municipal server running Ollama on Windows with one active cloud proxy subscription (DeepSeek v4 Pro). Raw Ollama port publicly accessible, no authentication. Cloud proxy 401 response leaks…
- Engagement record Critical Infrastructure 2026-05-01
Meriwether Lewis Electric Cooperative: 235B-Parameter Model on Unauthenticated Ollama
Meriwether Lewis Electric Cooperative (rural electric utility, Tennessee) running a 235-billion-parameter Ollama instance with raw API port publicly accessible. No authentication. The model inventory, including a 132GB M…
- Engagement record K-12 2026-05-01
Chinese Primary School: Cloud Proxy Subscriptions + Credential Leak
An Experimental Primary School in China (Shodan org: "Experimental Primary School") is running Ollama with three cloud proxy subscriptions, DeepSeek V4 Pro, Devstral-2 (123B), and MiniMax M2.7, alongside a RAG pipeline (…
- Engagement record K-12 2026-05-01
hts.k12.nj.us: NJ K-12 Open WebUI + Ollama Exposure
A New Jersey K-12 school district server running Open WebUI v0.8.8 backed by Ollama v0.17.5 was found with the raw Ollama API port (11434) exposed to the public internet alongside the authenticated Open WebUI frontend (p…
- Engagement record Universities 2026-05-01
Institute for Informatics and Automation Problems, Armenia: Dual Cloud Proxy + Docker Credential Leak
The Institute for Informatics and Automation Problems of the National Academy of Sciences of Armenia (Yerevan) is running Ollama inside a Docker container with two cloud proxy subscriptions. The 401 response leaks Docker…
- Engagement record Universities 2026-05-01
Monash University: 3-Node Cluster, DeepSeek V3.1 671B, Cloud Proxies
Monash University (Melbourne, Australia) exposes three Ollama nodes on the 118.138.0.0/16 ERC subnet. The primary node (vm-118-138-233-225.erc.monash.edu.au) carries a full DeepSeek V3.1 671B (376.7GB), largest local mod…
- Engagement record Universities 2026-05-01
University of Newcastle, Australia: DeepSeek Cloud Proxy + RAG Pipeline
University of Newcastle (Australia, Callaghan campus) server with deepseek-v4-pro:cloud cloud proxy subscription and mxbai-embed-large:latest embedding model indicating an active RAG pipeline. Raw Ollama port publicly ac…
- Engagement record Universities 2026-05-01
CEFET/RJ (Centro Federal de Educação Tecnológica Celso Suckow da Fonseca): 17-Model Brazilian Portuguese AI Stack
Brazil's CEFET/RJ (Federal Center for Technological Education Celso Suckow da Fonseca) has an Ollama instance with 17 models, including custom Brazilian Portuguese fine-tunes and a 39GB DeepSeek-R1:70B local model. No au…
- Engagement record Universities 2026-05-01
University of Manitoba: CS Department GPU Server, Deep Research Stack
The Computer Science department at the University of Manitoba (quail.cs.umanitoba.ca) is running Ollama with five large local models including DeepSeek-R1:70B, Llama 3.3, and Llama 3:70B, a deep research stack totaling 1…
- Engagement record Universities 2026-05-01
University of Western Ontario: 2-Node Cluster, Account Takeover on Node 2
University of Western Ontario (London, Ontario) Engineering faculty runs two Ollama nodes on its eng.uwo.ca subnet. Node 1 (WE-D-ECE-0288) has 9 models with cloud proxy (no credential exposure). Node 2 (ebithp-c1v17) exp…
- Engagement record Universities 2026-05-01
Shandong Medical Graduate School: 376GB DeepSeek + Abliterated R1-Distill + Credential Leak
A Shandong Province medicine video graduate school (China) is running Ollama with the 376GB local DeepSeek V3 model (identical stack to Shiv Nadar University, India), an abliterated DeepSeek-R1-Distill-Qwen-32B reasoning…
- Engagement record Universities 2026-05-01
Brno University of Technology: Abliterated Gemma + Bulgarian GPT + RAG Pipeline
Brno University of Technology (VUT Brno), Czech Republic, is running Ollama on a Faculty of Mechanical Engineering server with an abliterated Gemma 3 model (safety fine-tuning removed), two variants of a Bulgarian-langua…
- Engagement record Universities 2026-05-01
University of Hertfordshire: RobotHouse Dev Server, gpt-oss Cloud Proxy 200 OK
A development server at the University of Hertfordshire's RobotHouse facility (robothouse-dev.herts.ac.uk) is running Ollama with gpt-oss:latest cloud proxy returning 200 OK without credentials, free-tier cloud quota con…
- Engagement record Universities 2026-05-01
Technical University of Crete + NTUA: Unauthenticated Ollama, MiniMax Cloud, 235.7B Model
Username: arian; SSH pubkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASZr/fN5P73o/WF6vT/owMFz3ftTeBlzOpEFpS2QStP; Cloud proxy: minimax-m2.7:cloud (MiniMax API subscription)
- Engagement record Universities 2026-05-01
University of Crete Medical Center: Dual-Embedding RAG Pipeline
The University of Crete Medical Center (centaur.med.uoc.gr) is running Ollama with a sophisticated dual-embedding RAG pipeline: both mxbai-embed-large and nomic-embed-text are deployed alongside large language models (Ll…
- Engagement record Universities 2026-05-01
Shiv Nadar University: 7-Node Cluster, Chest X-Ray AI + Abliterated Models + 30+ Cloud Subscriptions
Shiv Nadar Institution of Eminence (India, Noida) runs a 7-node shared AI cluster with all nodes exposed on 0.0.0.0:11434. The cluster grew from 3 nodes (2026-05-01) → 5 nodes (2026-05-03 morning) → 7 nodes (2026-05-03 e…
- Engagement record Universities 2026-05-01
Keio University: Unauthenticated Ollama, Dual Cloud Proxy, 122B Model
Keio University (Japan) server with 8 Ollama models including two DeepSeek cloud proxy subscriptions and a 122-billion-parameter Qwen3.5 MoE model. Raw Ollama port publicly accessible without authentication. Cloud proxie…
- Engagement record Universities 2026-05-01
Jomo Kenyatta University of Agriculture and Technology: Cloud Proxy Exposure
Jomo Kenyatta University of Agriculture and Technology (JKUAT), Kenya, is running an Ollama instance on campus with a MiniMax cloud proxy subscription publicly accessible without authentication. One local model alongside…
- Engagement record Universities 2026-05-01
KRENA (Kyrgyz Research and Education Network): 433GB GLM-5.1, DeepSeek Cloud Proxy
The Kyrgyz Research and Education Network (KRENA) has an Ollama instance exposed on port 11434 running a 433GB quantized GLM-5.1 model, the largest single local model observed in this research. The instance also carries…
- Engagement record Universities 2026-05-01
INHA University: Ollama Stack + vLLM Node
INHA University (인하대학교) in Incheon has two independent unprotected AI inference nodes: an Ollama instance (165.246.39.51) with 7 models totalling 133GB including gpt-oss:20b and dual Nemotron-Cascade 30B, and a separate…
- Engagement record Universities 2026-05-01
POSTECH: 11-Node Cluster, 18+ Cloud Subscriptions, 6 Account Takeovers + Synchrotron Beamline + Essential AI Model
Pohang University of Science and Technology (POSTECH) has a 9-node cluster spanning the BSP (Brain Science Platform) LAN and the Pohang Accelerator Laboratory (PAL) 4th-generation synchrotron network. The primary server…
- Engagement record Universities 2026-05-01
Seoul National University: 3-Node Cluster, Cloud Proxy + Credential Leak (user: node1)
Seoul National University (SNU, 서울대학교) has three Ollama instances on the 147.47.0.0/16 campus block. Node 1 (147.47.200.153) carries cloud proxy subscriptions and leaks Ollama Connect credentials. Nodes 2 and 3 (147.47.2…
- Engagement record Universities 2026-05-01
Yonsei University: 17 Cloud Subscriptions on Non-Standard Port, Free-Tier 200 OK
Yonsei University (Seoul, South Korea) is running Ollama on non-standard port 5004 with 17 cloud proxy subscriptions matching the pattern seen at POSTECH, Shiv Nadar, Hanoi University, and RIT. minimax-m2.1:cloud returns…
- Engagement record Universities 2026-05-01
Lanka Education and Research Network (LEARN): Credential Leak (user: modelserver)
Sri Lanka's academic network (LEARN, Lanka Education and Research Network) has an Ollama instance at 192.248.70.139 with a deepseek-v4-pro:cloud subscription and llama3.2-vision. The cloud proxy 401 response leaks the Ol…
- Engagement record Universities 2026-05-01
COMSATS University: Medical AI Models, Kimi Cloud Proxy
COMSATS (Commission on Science and Technology for Sustainable Development in the South), an intergovernmental international organization with a university campus network, has an Ollama instance with two MedGemma medical…
- Engagement record Universities 2026-05-01
Technical University of Łódź (TUL): DeepSeek-R1:32B, Cross-Network Custom Model
Technical University of Łódź (Politechnika Łódzka) has an Ollama instance on xray02.p.lodz.pl with 3 models including a 20GB DeepSeek-R1 and lukashabtoch/plutotext-r3-emotional:latest, the same custom emotional-roleplay…
- Engagement record Universities 2026-05-01
ITMO University, Russia: 24 Models, gpt-oss:20b + gpt-oss:120b Cloud Proxies
ITMO University (Saint Petersburg, Russia) has an Ollama instance with 24 models including frontier models (Llama 4, Qwen 2.5 VL 72B, Kimi-Dev-72B) and gpt-oss:20b / gpt-oss:120b cloud proxies. No credential leak detecte…
- Engagement record Universities 2026-05-01
KTH Royal Institute of Technology: Dual-Node Unauthenticated Ollama, Abliterated Model Running as Root
KTH Royal Institute of Technology (Stockholm) has two separate servers running unauthenticated Ollama with DeepSeek v4 Pro cloud proxy subscriptions. One node hosts an "abliterated" (safety-fine-tuning-removed) Gemma mod…
- Engagement record Universities 2026-05-01
Umeå University: GPU Research Server (gpuhost02)
Umeå University (Sweden) has a named GPU compute server (gpuhost02.cs.umu.se) running Ollama with a large reasoning model (qwen3.6:35b) publicly accessible without authentication. Part of the Computer Science department…
- Engagement record Universities 2026-05-01
University of Žilina: Student Laptop with 3 Free-Tier Cloud Proxies (200 OK)
A student laptop at the University of Žilina (Slovakia, Faculty of Mechanical Engineering) has Ollama bound to 0.0.0.0 with three Ollama Connect cloud proxy models all returning 200 OK without credentials. The cloud prox…
- Engagement record Universities 2026-05-01
Chulalongkorn University: Three Cloud Proxies + Credential Leak (Kimi K2.6, DeepSeek, Qwen)
Chulalongkorn University (Thailand, ranked 1 in Southeast Asia) server with 12 Ollama models including three cloud proxy subscriptions: DeepSeek v4 Pro, Kimi K2.6 (Moonshot AI), and Qwen3-Coder-Next. All three 401 respon…
- Engagement record Universities 2026-05-01
Thailand Ministry of Public Health: Unauthenticated Inference, Vision Models
Thailand's Ministry of Public Health (MoPH) has an Ollama instance at 203.157.41.151 with 5 models publicly accessible, including granite3.2-vision:2b (IBM's vision-language model) and qwen3.6:35b (22GB). No authenticati…
- Engagement record Universities 2026-05-01
Fu Jen Catholic University: Medical Public Health GPU Server, 75GB + 60GB Local Models
Fu Jen Catholic University's Medical and Public Health department (user220.medph.fju.edu.tw) has an Ollama instance exposed on port 11434 with 8 models totalling over 200GB of local inference capacity, including a 75GB m…
- Engagement record Universities 2026-05-01
National Cheng Kung University (NCKU): RTX 3090 GPU Server, Non-Standard Port, Credential Leak
National Cheng Kung University (NCKU), one of Taiwan's top engineering universities, has an Ollama instance running on non-standard port 22222. The MiniMax cloud proxy leaks the Ollama Connect account nckusoc-3090, indic…
- Engagement record Universities 2026-05-01
NCU / TANet Taoyuan: Production Medical Scheduling SaaS System Prompt Fully Exposed
A server on the TANet Taoyuan Regional Network (National Central University segment, 163.25.105.115) hosts two custom Ollama models, aiden-deepseek:latest and aiden:latest, that are the AI backend of Aiden Assistant, a p…
- Engagement record Universities 2026-05-01
National Taiwan University: GPU Cluster g1pc2n108, Multimodal Vision Stack
NTU's GPU cluster node g1pc2n108.g1.ntu.edu.tw (140.112.233.108) has Ollama exposed on port 11434 with 11 models skewed heavily toward vision and multimodal tasks, including GLM-OCR, GLM-4.7-Flash, MiniCPM-V, LLaVA, and…
- Engagement record Universities 2026-05-01
Hanoi University: 18 Cloud Proxy Subscriptions + Credential Leak (Containerized Deployment)
Hanoi University (Vietnam) is running a 31-model Ollama instance with 18 active cloud proxy subscriptions. The cloud proxy 401 response leaks Ollama Connect credentials; username 04aa6fb5e0b8 is a Docker container ID, confirmin…
- Engagement record Universities 2026-05-01
Vietnam National University Hanoi: Domain-Specific Distilled Models
Vietnam National University Ha Noi has an Ollama instance with domain-specific fine-tuned models for legal (CaseHold), biomedical (PubMedQA), and financial (FinQA) question answering, indicating active NLP research pipel…
- Engagement record Universities 2026-05-01
Vietnam National University Ho Chi Minh City: final-exploit-v1 + gpt-oss Cloud Proxy
Vietnam National University Ho Chi Minh City (Information Technology Park) has an Ollama instance with an unusually named model final-exploit-v1:latest and a gpt-oss:latest cloud proxy. The final-exploit-v1 model is 168…
- Engagement record Universities 2026-05-01
UC Davis: Large Local Models + Claude 4.6 Opus-Distilled
University of California, Davis has an Ollama instance with Qwen3-Coder-Next (48GB), qwen3.5:122b-a10b (75GB), and, notably, moophlo/Qwen3.5-27B-Claude-4.6-Opus-Reasoning-Distilled-GGUF:latest, a model distilled from Cla…
- Engagement record Universities 2026-05-01
UC Santa Barbara: Open WebUI Auth Disabled + Local Username Leak
University of California, Santa Barbara "AI Lab" instance running Open WebUI v0.8.12 with authentication completely disabled. Any internet actor can enumerate models, read model configurations, and execute inference, no…
- Engagement record Universities 2026-05-01
Purdue University Northwest: 3-Node Cluster, Account Takeover, Live Cloud Proxies, Claude-Distilled Model
Purdue University Northwest has 3 nodes across the 163.245.x.x subnet, all with cloud proxy subscriptions. Node 2 (163.245.207.105) exposes live Ollama Connect credentials, account takeover 5a9d376f9c56. Node 1 (163.245.…
- Engagement record Universities 2026-05-01
Duke University: Unauthenticated Agentic Ollama with File Inspection Tools
Duke University server running Ollama with two agent-configured variants of Qwen 3.6-27B, both with system prompts instructing file-inspection behavior and native function-calling enabled. Raw Ollama port publicly access…
- Engagement record Universities 2026-05-01
Columbia University: Unauthenticated Ollama + Cloud Proxy Credential Leak
Columbia University server running Open WebUI v0.8.12 (auth enabled) with raw Ollama API (port 11434) exposed to the public internet. One active cloud proxy subscription (DeepSeek) accessible without authentication. Clou…
- Engagement record Universities 2026-05-01
Rochester Institute of Technology: 4-Node Cluster, DGX with 18 Cloud Subscriptions, Student Machine with Abliterated Models
Rochester Institute of Technology (RIT) has four externally-accessible Ollama nodes on campus, including an NVIDIA DGX research server with 18 cloud proxy subscriptions (same subscription portfolio as POSTECH/Shiv Nadar/…
- Engagement record Universities 2026-05-01
SUNY Buffalo: Unauthenticated Ollama + Cloud Proxy Quota Hijack Confirmed
State University of New York at Buffalo research compute node running 26 Ollama models including gemma4:31b-cloud, a cloud proxy model. Cloud proxy inference confirmed live, 200 OK response at operator expense. Also incl…
- Engagement record Universities 2026-05-01
SUNY Stony Brook: Biology Department, OLMo Research Stack + Cloud Proxy
SUNY Stony Brook Biology Department server (040-218.bio.sunysb.edu) is running Ollama with the full Allen AI OLMo-3 research stack (olmo-3, olmo-3.1-32b-think, olmo-3.1-32b-instruct) alongside gpt-oss:latest cloud proxy…
- Engagement record Universities 2026-05-01
Syracuse University: IST R640 Server, Free-Tier Cloud Proxy on Port 12345
A Dell PowerEdge R640 server in Syracuse University's School of Information Studies (ist-r640-mafudge.syr.edu) is running Ollama on non-standard port 12345 with gemma4:31b-cloud returning 200 OK without credentials. Five…
- Engagement record Universities 2026-05-01
Virginia Polytechnic Institute and State University (Virginia Tech): DHCP Node
Virginia Tech has at least 4 Ollama-running IPs in Shodan; only h80adf308.dhcp.vt.edu (128.173.243.8) responds publicly. The DHCP hostname indicates a desktop or workstation on the campus DHCP pool rather than a dedicate…
- Disclosure CRITICAL bounced 2026-05-01
Am Armenian Academy
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Au Monash
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL acknowledged 2026-05-01
Au Newcastle
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-01
Br Cefet Rj
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-01
Ca Mb U Manitoba
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Ca On Western Ontario
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Cn Shandong Med
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-01
Cz Brno Vutbr
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-01
System prompt injection
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Fr Emails Pro Rdv Bot
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
200 OK - "Hi! 👋" - operator quota consumed
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Gr Tech Crete Ntua
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Gr U Crete Medical
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure 2026-05-01
Disclosure Email Queue
Drafts generated from case studies. Send CRITICAL first, then HIGH, then LOW. Update Status column as emails are sent / acknowledged.
- Disclosure CRITICAL sent 2026-05-01
Jp Keio
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Ke Jkuat
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Kg Krena
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-01
Kr Inha
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Kr Postech
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Kr Snu
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
200 OK - "Hi there! How can I help you today?"
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Lk Learn
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL bounced 2026-05-01
Pk Comsats
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-01
Pl Lodz Tul
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL acknowledged 2026-05-01
Ru Itmo
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL fixed 2026-05-01
Se Kth
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-01
Se Umea
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
200 OK, 48 tokens returned at operator expense
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Th Chulalongkorn
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-01
Th Moph
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH bounced 2026-05-01
Tw Fju Medph
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Tw Ncku
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL fixed 2026-05-01
Overwrite Aiden Assistant system prompt
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH sent 2026-05-01
Tw Ntu Gpu
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH acknowledged 2026-05-01
Us Ca Ucdavis
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
No auth - direct inference
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
qwen3-coder-next:cloud - 4 tokens at operator expense
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Us Nc Duke
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
model injection (CVE-2025-63389):
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Us Ny Rit
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL misrouted 2026-05-01
→ 200 OK, response: "Buffalo", eval_count: 2
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Us Ny Suny Stony Brook
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL fixed 2026-05-01
200 OK - "Hello! How can I help you today?"
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Us Va Vt
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Vn Hanoi
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure HIGH bounced 2026-05-01
Vn Vnu Hanoi
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Disclosure CRITICAL sent 2026-05-01
Vn Vnu Hcmc
Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com
- Engagement record Universities 2025-63-01
Egypt NREN (ENSTINET): Custom Arabic Uncensored Models, Non-Standard Port, CVE-2025-63389
Egypt's National Research and Education Network (ENSTINET) has an Ollama instance on non-standard port 3005 hosting 11 models including three custom Arabic-language uncensored fine-tunes (HauhauCS-35B, HauhauCS-35B-Fixed…