Per-instance engagement records across commercial, government, university, K-12, and critical-infrastructure sectors.https://nuclide-research.com/en-ushttps://nuclide-research.com/cases/case-studies--commercial--cat29-argo-2746-2026-06-07/https://nuclide-research.com/cases/case-studies--commercial--cat29-argo-2746-2026-06-07/Lane 1A of the 9-item 2026-06-07 plan. Goal: test whether port 2746 hosts an unauthenticated Shodan-dark tier among Argo Workflows operators whose :443 surface is gated by IAP/AzureAD. Method: parallel curl probes (5-second timeout) against https://<ip>:2746/api/v1/version for all 156 IPs surfaced via the ssl:"Argo Workflows" Shodan dork during the 2026-05-3…Sun, 07 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--cat29-argo-2746-2026-06-07.png" alt="Cat-29 Argo Workflows: :2746 probe sweep, 2026-06-07" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Lane 1A of the 9-item 2026-06-07 plan. Goal: test whether port 2746 hosts an unauthenticated Shodan-dark tier among Argo Workflows operators whose :443 surface is gated by IAP/AzureAD. Method: parallel curl probes (5-second timeout) against https://&lt;ip&gt;:2746/api/v1/version for all 156 IPs surfaced via the ssl:&quot;Argo Workflows&quot; Shodan dork during the 2026-05-3…</p> <p>Lane 1A of the 9-item 2026-06-07 plan. Goal: test whether port 2746 hosts an unauthenticated Shodan-dark tier among Argo Workflows operators whose :443 surface is gated by IAP/AzureAD. Method: parallel curl probes (5-second timeout) against https://&lt;ip&gt;:2746/api/v1/version for all 156 IPs surfaced via the ssl:&quot;Argo Workflows&quot; Shodan dork during the 2026-05-31 Cat-29 survey. Result: 156/156 connection timeouts. Zero HTTP responses on :2746.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--cat29-argo-2746-2026-06-07/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--dmarc-funding-stage-proxy-2026-06-07/https://nuclide-research.com/cases/case-studies--commercial--dmarc-funding-stage-proxy-2026-06-07/Date: 2026-06-07. Cohort: full NuClide AI-infrastructure vendor registry (MASTER-port-vendor-registry.csv, 435 vendor names, 410 unique apex domains resolved after dedup and OSS filtering). Probe: dig +short TXT dmarc.<domain>. Fully passive otherwise.Sun, 07 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--dmarc-funding-stage-proxy-2026-06-07.png" alt="DMARC Funding-Stage Proxy — Full-Registry Sweep N=410" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Date: 2026-06-07. Cohort: full NuClide AI-infrastructure vendor registry (MASTER-port-vendor-registry.csv, 435 vendor names, 410 unique apex domains resolved after dedup and OSS filtering). Probe: dig +short TXT dmarc.&lt;domain&gt;. Fully passive otherwise.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--dmarc-funding-stage-proxy-2026-06-07/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--mcp-crewai-negative-results-2026-06-07/https://nuclide-research.com/cases/case-studies--commercial--mcp-crewai-negative-results-2026-06-07/Two attempted same-day surveys produced no actionable findings — but the failure modes are themselves research-program-relevant. Both reveal classes of AI/LLM infrastructure that are not surveyable with the population-Shodan methodology that worked for the chat-UI / RAG / observability / autonomous-agent platform surveys.Sun, 07 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--mcp-crewai-negative-results-2026-06-07.png" alt="MCP Servers and CrewAI — Negative Results with Methodology Value" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Two attempted same-day surveys produced no actionable findings — but the failure modes are themselves research-program-relevant. Both reveal classes of AI/LLM infrastructure that are not surveyable with the population-Shodan methodology that worked for the chat-UI / RAG / observability / autonomous-agent platform surveys.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--mcp-crewai-negative-results-2026-06-07/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--librechat-deep-dive-verification-2026-06-06/https://nuclide-research.com/cases/case-studies--commercial--librechat-deep-dive-verification-2026-06-06/Deeper verification on the six notable finding clusters surfaced in the LibreChat population survey. Restraint maintained throughout: no registration, no LLM invocation, no account creation. Methods used: /api/config, /api/endpoints, PTR lookup, TLS cert inspection, WHOIS, marketing-site cross-reference.Sat, 06 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--librechat-deep-dive-verification-2026-06-06.png" alt="LibreChat Verification Deep-Dive — Notable Findings Re-Profiled" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Deeper verification on the six notable finding clusters surfaced in the LibreChat population survey. Restraint maintained throughout: no registration, no LLM invocation, no account creation. Methods used: /api/config, /api/endpoints, PTR lookup, TLS cert inspection, WHOIS, marketing-site cross-reference.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--librechat-deep-dive-verification-2026-06-06/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--velutina-service-ch-unauth-ml-training-server-2026-06-01/https://nuclide-research.com/cases/case-studies--commercial--velutina-service-ch-unauth-ml-training-server-2026-06-01/JAXEN returned 185.66.109.62 under a passive Shodan query for exposed AI/ML infrastructure on Swiss hosting ranges. The Shodan record showed:Mon, 01 Jun 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--velutina-service-ch-unauth-ml-training-server-2026-06-01.png" alt="Unauthenticated ML Training Server — velutina-service.ch" /></p> <p><strong>Sector:</strong> Commercial</p> <p>JAXEN returned 185.66.109.62 under a passive Shodan query for exposed AI/ML infrastructure on Swiss hosting ranges. The Shodan record showed:</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--velutina-service-ch-unauth-ml-training-server-2026-06-01/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--argo-workflows-darktier-2026-05-31/https://nuclide-research.com/cases/case-studies--commercial--argo-workflows-darktier-2026-05-31/<!-- ksat-tag:auto-generated:start --> ## DCWF KSAT coverageSun, 31 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--argo-workflows-darktier-2026-05-31.png" alt="Dark-Tier Probe Result (Option A) — 2026-05-31" /></p> <p><strong>Sector:</strong> Commercial</p> <p>&lt;!-- ksat-tag:auto-generated:start --&gt; ## DCWF KSAT coverage</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--argo-workflows-darktier-2026-05-31/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--ncku-140116247125-edge-kubesphere-2026-05-31/https://nuclide-research.com/cases/case-studies--universities--ncku-140116247125-edge-kubesphere-2026-05-31/A single handed-over IP resolved into an NCKU lab's internet edge: a MikroTik RouterOS gateway DNAT-forwarding to an internal network, with eighteen services reachable through it. The headline exposure is not an AI service. It is a KubeSphere v3.1.0 Kubernetes management console, branded "ECPaaS," reachable on tcp/23180, leaking its version, its unchanged de…Sun, 31 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--ncku-140116247125-edge-kubesphere-2026-05-31.png" alt="NCKU Edge Host: a Kubernetes Control Plane Behind a MikroTik Gateway" /></p> <p><strong>Sector:</strong> Universities</p> <p>A single handed-over IP resolved into an NCKU lab&#39;s internet edge: a MikroTik RouterOS gateway DNAT-forwarding to an internal network, with eighteen services reachable through it. The headline exposure is not an AI service. It is a KubeSphere v3.1.0 Kubernetes management console, branded &quot;ECPaaS,&quot; reachable on tcp/23180, leaking its version, its unchanged de…</p> <p>A single handed-over IP resolved into an NCKU lab&#39;s internet edge: a MikroTik RouterOS gateway DNAT-forwarding to an internal network, with eighteen services reachable through it. The headline exposure is not an AI service. It is a KubeSphere v3.1.0 Kubernetes management console, branded &quot;ECPaaS,&quot; reachable on tcp/23180, leaking its version, its unchanged default JWT secret, and its preset usernames in the page source. Alongside it sits a Django app running with DEBUG=True in production. The assessment is a clean example of a curated AI-port scanner reporting &quot;no AI service&quot; on a host that is, in fact, badly exposed.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--ncku-140116247125-edge-kubesphere-2026-05-31/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--voice-audio-ai-rerun-2026-05-29/https://nuclide-research.com/cases/case-studies--commercial--voice-audio-ai-rerun-2026-05-29/Fifteen dorks. Twenty-eight candidates. Six confirmed unauthenticated voice services across five hosts. One four-service stacked host. Four false positives killed at the verification stage, including a would-be remote-code-execution finding that turned out to be an LLM relay server.Fri, 29 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--voice-audio-ai-rerun-2026-05-29.png" alt="Voice/Audio AI re-run: Category 17, 2026-05-29" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Fifteen dorks. Twenty-eight candidates. Six confirmed unauthenticated voice services across five hosts. One four-service stacked host. Four false positives killed at the verification stage, including a would-be remote-code-execution finding that turned out to be an LLM relay server.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--voice-audio-ai-rerun-2026-05-29/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--zep-ce-empty-apisecret-finding-2026-05-29/https://nuclide-research.com/cases/case-studies--commercial--zep-ce-empty-apisecret-finding-2026-05-29/Code-level finding from the agent-memory pre-assessment (data/platform-intel/agent-memory-osint-2026-05-29.md). Labeled per case-studies/FINDING-TEMPLATE.md. This is a platform finding, not a host case study: no live target has been touched.Fri, 29 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--zep-ce-empty-apisecret-finding-2026-05-29.png" alt="Zep CE: empty default api_secret accepts a zero-entropy credential" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Code-level finding from the agent-memory pre-assessment (data/platform-intel/agent-memory-osint-2026-05-29.md). Labeled per case-studies/FINDING-TEMPLATE.md. This is a platform finding, not a host case study: no live target has been touched.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--zep-ce-empty-apisecret-finding-2026-05-29/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--apptica-clickhouse-2026-05-28/https://nuclide-research.com/cases/case-studies--commercial--apptica-clickhouse-2026-05-28/Apptica is a commercial app store intelligence platform offering revenue estimates, download data, keyword rankings, and advertising intelligence for mobile apps across iOS and Android. Their product — described as "Ad Intelligence" and "Market Intelligence" — is built on the data stored in this database.Thu, 28 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--apptica-clickhouse-2026-05-28.png" alt="Apptica — Production Data Lake Exposed via Unauthenticated ClickHouse" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Apptica is a commercial app store intelligence platform offering revenue estimates, download data, keyword rankings, and advertising intelligence for mobile apps across iOS and Android. Their product — described as &quot;Ad Intelligence&quot; and &quot;Market Intelligence&quot; — is built on the data stored in this database.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--apptica-clickhouse-2026-05-28/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--datav-skillmine-clickhouse-2026-05-28/https://nuclide-research.com/cases/case-studies--commercial--datav-skillmine-clickhouse-2026-05-28/DataV is a no-code AI analytics and data visualization platform built and operated by Skillmine Technology Consulting Private Limited (Mumbai). The platform allows customers to upload CSV and Excel files, connect SQL databases, run ML predictions, and build dashboards. Per their website, DataV serves organizations across BFSI, healthcare, IT services, automo…Thu, 28 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--datav-skillmine-clickhouse-2026-05-28.png" alt="DataV / Skillmine Technology — Multi-Party Data Breach via Unauthenticated ClickHouse" /></p> <p><strong>Sector:</strong> Commercial</p> <p>DataV is a no-code AI analytics and data visualization platform built and operated by Skillmine Technology Consulting Private Limited (Mumbai). The platform allows customers to upload CSV and Excel files, connect SQL databases, run ML predictions, and build dashboards. Per their website, DataV serves organizations across BFSI, healthcare, IT services, automo…</p> <p>DataV is a no-code AI analytics and data visualization platform built and operated by Skillmine Technology Consulting Private Limited (Mumbai). The platform allows customers to upload CSV and Excel files, connect SQL databases, run ML predictions, and build dashboards. Per their website, DataV serves organizations across BFSI, healthcare, IT services, automotive, and e-commerce.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--datav-skillmine-clickhouse-2026-05-28/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--sanio-ai-collision-agentos-2026-05-28/https://nuclide-research.com/cases/case-studies--commercial--sanio-ai-collision-agentos-2026-05-28/Surface identified in session 43 (cat-06 stragglers survey) via Shodan dork port:7777 http.html:"agno". Prior session confirmed the host as unauth Agno on port 7777 with road collision data in scope. This session ran five parallel agents for full stack enumeration.Thu, 28 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--sanio-ai-collision-agentos-2026-05-28.png" alt="Sanio AI — Collision AgentOS / Walmart Pipeline Exposure" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Surface identified in session 43 (cat-06 stragglers survey) via Shodan dork port:7777 http.html:&quot;agno&quot;. Prior session confirmed the host as unauth Agno on port 7777 with road collision data in scope. This session ran five parallel agents for full stack enumeration.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--sanio-ai-collision-agentos-2026-05-28/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--snapecabs-scylladb-341319052-2026-05-28/https://nuclide-research.com/cases/case-studies--commercial--snapecabs-scylladb-341319052-2026-05-28/Snap-E Cabs, a BSE-listed Indian EV ride-hailing operator (600+ vehicles, Kolkata), runs a ScyllaDB cluster on GCP with the CQL port accepting default cassandra/cassandra credentials and the admin REST API exposed with zero authentication — giving any actor full read/write access to 431,808 driver safety events, 245 live auth tokens, biometric face ROI data,…Thu, 28 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--snapecabs-scylladb-341319052-2026-05-28.png" alt="Snap-E Cabs — ScyllaDB Default Credentials + Unauthenticated REST API" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Snap-E Cabs, a BSE-listed Indian EV ride-hailing operator (600+ vehicles, Kolkata), runs a ScyllaDB cluster on GCP with the CQL port accepting default cassandra/cassandra credentials and the admin REST API exposed with zero authentication — giving any actor full read/write access to 431,808 driver safety events, 245 live auth tokens, biometric face ROI data,…</p> <p>Snap-E Cabs, a BSE-listed Indian EV ride-hailing operator (600+ vehicles, Kolkata), runs a ScyllaDB cluster on GCP with the CQL port accepting default cassandra/cassandra credentials and the admin REST API exposed with zero authentication — giving any actor full read/write access to 431,808 driver safety events, 245 live auth tokens, biometric face ROI data, real-time vehicle GPS, and live video stream session management.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--snapecabs-scylladb-341319052-2026-05-28/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--argo-workflows-osint-pre-assessment-2026-05-27/https://nuclide-research.com/cases/case-studies--commercial--argo-workflows-osint-pre-assessment-2026-05-27/Intelligence gathered before the population scan to fine-tune dork selection, fingerprint design, verification methodology, and scope. Not a survey — a survey prep document. The scan chain runs after this.Wed, 27 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--argo-workflows-osint-pre-assessment-2026-05-27.png" alt="Argo Workflows — Pre-Assessment OSINT Brief (2026-05-27)" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Intelligence gathered before the population scan to fine-tune dork selection, fingerprint design, verification methodology, and scope. Not a survey — a survey prep document. The scan chain runs after this.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--argo-workflows-osint-pre-assessment-2026-05-27/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--agno-gptresearcher-agentgpt-cat06-stragglers-2026-05-26/https://nuclide-research.com/cases/case-studies--commercial--agno-gptresearcher-agentgpt-cat06-stragglers-2026-05-26/Agno ships with no authentication. The playground server (uvicorn, port 7777) returns full agent manifests and run histories to any caller. Three confirmed Agno deployments expose AI agents with live database, email, call-transcript, and document access.Tue, 26 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--agno-gptresearcher-agentgpt-cat06-stragglers-2026-05-26.png" alt="Cat-06 Stragglers: Agno Auth-Off-Default, GPT Researcher 14 Unauth, Walmart Temporal Exposure" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Agno ships with no authentication. The playground server (uvicorn, port 7777) returns full agent manifests and run histories to any caller. Three confirmed Agno deployments expose AI agents with live database, email, call-transcript, and document access.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--agno-gptresearcher-agentgpt-cat06-stragglers-2026-05-26/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--background-studio-crm-redisinsight-chain-b-65-21-151-67-2026-05-26/https://nuclide-research.com/cases/case-studies--commercial--background-studio-crm-redisinsight-chain-b-65-21-151-67-2026-05-26/The Redis password was in the GUI. It worked. One key. 99 users in a dating platform sorted set.Tue, 26 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--background-studio-crm-redisinsight-chain-b-65-21-151-67-2026-05-26.png" alt="BackGround Studio CRM — Credential Leak, DatingUser Records in Redis" /></p> <p><strong>Sector:</strong> Commercial</p> <p>The Redis password was in the GUI. It worked. One key. 99 users in a dating platform sorted set.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--background-studio-crm-redisinsight-chain-b-65-21-151-67-2026-05-26/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--campusiris-redisinsight-chain-b-150-230-235-79-2026-05-26/https://nuclide-research.com/cases/case-studies--commercial--campusiris-redisinsight-chain-b-150-230-235-79-2026-05-26/RedisInsight left the Redis password in plain sight. The password worked. Behind it: 115 keys of a multi-tenant school SaaS, student attendance records, 24k session IDs, and tenant database connection strings.Tue, 26 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--campusiris-redisinsight-chain-b-150-230-235-79-2026-05-26.png" alt="CampusIRIS Dev Environment — Credential Leak via RedisInsight, Student Data Schema Exposed" /></p> <p><strong>Sector:</strong> Commercial</p> <p>RedisInsight left the Redis password in plain sight. The password worked. Behind it: 115 keys of a multi-tenant school SaaS, student attendance records, 24k session IDs, and tenant database connection strings.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--campusiris-redisinsight-chain-b-150-230-235-79-2026-05-26/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--cms-prod-redis-redisinsight-chain-b-3521076182-2026-05-26/https://nuclide-research.com/cases/case-studies--commercial--cms-prod-redis-redisinsight-chain-b-3521076182-2026-05-26/RedisInsight 2.36.0 at port 8001 requires no authentication. GET /api/databases returns the Redis AUTH password in plaintext. AUTH confirms on port 6379. Keyspace: 154 keys. Apollo GraphQL dev-api: full introspection unauth, getCustomUsersCsv executed without credential and returned a live GCS signed URL, 8,650 artist records returned unauth, sendPushNotificationsToUsers schema maps platform-wide push. APAC node 34.87.179.212 firewalled on all ports.Tue, 26 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--cms-prod-redis-redisinsight-chain-b-3521076182-2026-05-26.png" alt="CMS Production Redis — RedisInsight Credential Leak, Chain B" /></p> <p><strong>Sector:</strong> Commercial</p> <p>RedisInsight 2.36.0 at port 8001 requires no authentication. GET /api/databases returns the Redis AUTH password in plaintext. AUTH confirms on port 6379. Keyspace: 154 keys. Apollo GraphQL dev-api: full introspection unauth, getCustomUsersCsv executed without credential and returned a live GCS signed URL, 8,650 artist records returned unauth, sendPushNotificationsToUsers schema maps platform-wide push. APAC node 34.87.179.212 firewalled on all ports.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--cms-prod-redis-redisinsight-chain-b-3521076182-2026-05-26/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--cpac-scg-strapi-api-cpac-co-th-2026-05-26/https://nuclide-research.com/cases/case-studies--commercial--cpac-scg-strapi-api-cpac-co-th-2026-05-26/Second node in the CPAC chain. The primary finding is in cpacredis-redisinsight-chain-b-178.128.84.65-2026-05-26.md. The Redis credential prefix cpacredis pivoted to cpac.co.th, which resolved to a Strapi CMS instance serving the CPAC website backend. This document covers the Strapi surface.Tue, 26 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--cpac-scg-strapi-api-cpac-co-th-2026-05-26.png" alt="CPAC Strapi CMS — Production API Surface Enumeration" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Second node in the CPAC chain. The primary finding is in cpacredis-redisinsight-chain-b-178.128.84.65-2026-05-26.md. The Redis credential prefix cpacredis pivoted to cpac.co.th, which resolved to a Strapi CMS instance serving the CPAC website backend. This document covers the Strapi surface.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--cpac-scg-strapi-api-cpac-co-th-2026-05-26/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--cpacredis-redisinsight-chain-b-1781288465-2026-05-26/https://nuclide-research.com/cases/case-studies--commercial--cpacredis-redisinsight-chain-b-1781288465-2026-05-26/RedisInsight at :8001 requires no authentication. The stored Redis password cpacredis0242 appears in plaintext in the /api/databases response. Behind that credential: a Thai Ready Mix concrete fleet telematics platform, with 5,348 vehicle records and 206 driver status records containing Thai national ID numbers (บัตรประชาชน).Tue, 26 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--cpacredis-redisinsight-chain-b-1781288465-2026-05-26.png" alt="cpacredis — RedisInsight Credential Leak on Fleet Telematics Platform" /></p> <p><strong>Sector:</strong> Commercial</p> <p>RedisInsight at :8001 requires no authentication. The stored Redis password cpacredis0242 appears in plaintext in the /api/databases response. Behind that credential: a Thai Ready Mix concrete fleet telematics platform, with 5,348 vehicle records and 206 driver status records containing Thai national ID numbers (บัตรประชาชน).</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--cpacredis-redisinsight-chain-b-1781288465-2026-05-26/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--difinance-telegram-bot-redisinsight-3112997101-2026-05-26/https://nuclide-research.com/cases/case-studies--commercial--difinance-telegram-bot-redisinsight-3112997101-2026-05-26/RedisInsight on port 8001 required no authentication. GET /api/databases returned the full Redis connection object, including the password Sq3QmHxJCPn5Dt4LzAaNRg in plaintext. The credential gave direct AUTH access to Redis 7.2.4. The instance held aiogram FSM state for a Telegram bot and Celery queue bindings — infrastructure for a DeFi financial services b…Tue, 26 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--difinance-telegram-bot-redisinsight-3112997101-2026-05-26.png" alt="difinance.online — RedisInsight Credential Leak on Telegram DeFi Bot" /></p> <p><strong>Sector:</strong> Commercial</p> <p>RedisInsight on port 8001 required no authentication. GET /api/databases returned the full Redis connection object, including the password Sq3QmHxJCPn5Dt4LzAaNRg in plaintext. The credential gave direct AUTH access to Redis 7.2.4. The instance held aiogram FSM state for a Telegram bot and Celery queue bindings — infrastructure for a DeFi financial services b…</p> <p>RedisInsight on port 8001 required no authentication. GET /api/databases returned the full Redis connection object, including the password Sq3QmHxJCPn5Dt4LzAaNRg in plaintext. The credential gave direct AUTH access to Redis 7.2.4. The instance held aiogram FSM state for a Telegram bot and Celery queue bindings — infrastructure for a DeFi financial services bot operating under the domain difinance.online.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--difinance-telegram-bot-redisinsight-3112997101-2026-05-26/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--epolca-redisinsight-chain-b-116203208124-2026-05-26/https://nuclide-research.com/cases/case-studies--commercial--epolca-redisinsight-chain-b-116203208124-2026-05-26/RedisInsight exposed the Redis password for an ePolca production planning demo server on Hetzner DE; AUTH succeeded and revealed six keys covering factory simulation results, KPI states, and production orders — all scoped to the EPOLCA_DEMOS namespace.Tue, 26 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--epolca-redisinsight-chain-b-116203208124-2026-05-26.png" alt="EPOLCA — RedisInsight Credential Leak on Industrial Simulation Demo Server" /></p> <p><strong>Sector:</strong> Commercial</p> <p>RedisInsight exposed the Redis password for an ePolca production planning demo server on Hetzner DE; AUTH succeeded and revealed six keys covering factory simulation results, KPI states, and production orders — all scoped to the EPOLCA_DEMOS namespace.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--epolca-redisinsight-chain-b-116203208124-2026-05-26/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--n8n-redis-redisinsight-192169812-2026-05-26/https://nuclide-research.com/cases/case-studies--commercial--n8n-redis-redisinsight-192169812-2026-05-26/Brazilian WhatsApp automation SaaS bmaconnect.com.br runs RedisInsight 2.42.0 with no authentication on port 8001, exposing full read/write access to Redis 7.4.7 (n8n-redis-1). 117 keys confirmed: 7 Evolution API WhatsApp session hashes (208KB to 1.16MB), 108 Brazilian phone number conversation queues across 5 named operator clients, and an n8n scheduling key with unresolved lead-number expression. Evolution API 2.3.7 on port 8080 enforces auth on instance management. n8n 1.122.5 (development mode) proxied via ia.bmaconnect.com.br. Second server at 179.190.63.39 for api./zion-teste. subdomains. 90 unique Brazilian phone numbers exposed in key names.Tue, 26 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--n8n-redis-redisinsight-192169812-2026-05-26.png" alt="Evolution API WhatsApp Broker — RedisInsight Open, 117 Keys Including WhatsApp Session State and Lead Phone Numbers" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Brazilian WhatsApp automation SaaS bmaconnect.com.br runs RedisInsight 2.42.0 with no authentication on port 8001, exposing full read/write access to Redis 7.4.7 (n8n-redis-1). 117 keys confirmed: 7 Evolution API WhatsApp session hashes (208KB to 1.16MB), 108 Brazilian phone number conversation queues across 5 named operator clients, and an n8n scheduling key with unresolved lead-number expression. Evolution API 2.3.7 on port 8080 enforces auth on instance management. n8n 1.122.5 (development mode) proxied via ia.bmaconnect.com.br. Second server at 179.190.63.39 for api./zion-teste. subdomains. 90 unique Brazilian phone numbers exposed in key names.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--n8n-redis-redisinsight-192169812-2026-05-26/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--prefect-dask-clearml-cat04-stragglers-2026-05-26/https://nuclide-research.com/cases/case-studies--commercial--prefect-dask-clearml-cat04-stragglers-2026-05-26/Prefect workflow orchestration is auth-off-default. /api/admin/settings is world-readable on all instances. /api/flows/filter and /api/deployments/filter return complete workflow inventories without credentials. Nine of fifteen sampled instances returned full unauth access; extrapolated across 66 confirmed live instances, 40 are likely unauth.Tue, 26 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--prefect-dask-clearml-cat04-stragglers-2026-05-26.png" alt="Cat-04 Stragglers: Prefect Auth-Off-Default, Dask University Clusters, ClearML Ransomed ES" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Prefect workflow orchestration is auth-off-default. /api/admin/settings is world-readable on all instances. /api/flows/filter and /api/deployments/filter return complete workflow inventories without credentials. Nine of fifteen sampled instances returned full unauth access; extrapolated across 66 confirmed live instances, 40 are likely unauth.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--prefect-dask-clearml-cat04-stragglers-2026-05-26/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--vietnamese-chatbot-crm-redis-stack-12521222737-2026-05-26/https://nuclide-research.com/cases/case-studies--commercial--vietnamese-chatbot-crm-redis-stack-12521222737-2026-05-26/ORES, a Vietnamese AI-chatbot CRM SaaS built by CloudWorks (ows.vn), runs Redis Stack at 125.212.227.37 without authentication. Two RediSearch indexes expose 34 channel accounts and 17,337 conversation records. Key names confirm multi-channel routing across Zalo, Facebook Page, Zalo OA, and Pancake. The account:index schema stores a token field: OAuth credentials for each connected social channel. The host is the backend for my.ores.vn, proxied through ssl-proxy2.ows.vn at the adjacent IP 125.212.227.40. ASN: AS7552 Viettel Group, Vietnam.Tue, 26 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--vietnamese-chatbot-crm-redis-stack-12521222737-2026-05-26.png" alt="ORES CRM (CloudWorks/ows.vn) — Redis Stack Open, 17,337 Chatbot Conversation Records, Multi-Channel Social PII" /></p> <p><strong>Sector:</strong> Commercial</p> <p>ORES, a Vietnamese AI-chatbot CRM SaaS built by CloudWorks (ows.vn), runs Redis Stack at 125.212.227.37 without authentication. Two RediSearch indexes expose 34 channel accounts and 17,337 conversation records. Key names confirm multi-channel routing across Zalo, Facebook Page, Zalo OA, and Pancake. The account:index schema stores a token field: OAuth credentials for each connected social channel. The host is the backend for my.ores.vn, proxied through ssl-proxy2.ows.vn at the adjacent IP 125.212.227.40. ASN: AS7552 Viettel Group, Vietnam.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--vietnamese-chatbot-crm-redis-stack-12521222737-2026-05-26/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--airbnb-tenant-agent-cors-462248676-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--airbnb-tenant-agent-cors-462248676-2026-05-25/A LangGraph-backed Airbnb booking agent on Hetzner Nuremberg exposes thread creation, thread state reads, and agent execution with no authentication. CORS wildcard headers mean any browser origin can invoke the agent. WhatsApp guest communications are the data class at risk.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--airbnb-tenant-agent-cors-462248676-2026-05-25.png" alt="Airbnb Tenant Agent — CORS Wildcard and Open Booking Thread State" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A LangGraph-backed Airbnb booking agent on Hetzner Nuremberg exposes thread creation, thread state reads, and agent execution with no authentication. CORS wildcard headers mean any browser origin can invoke the agent. WhatsApp guest communications are the data class at risk.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--airbnb-tenant-agent-cors-462248676-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--airbnb-tenant-agent-cors-whatsapp-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--airbnb-tenant-agent-cors-whatsapp-2026-05-25/An Airbnb property manager's WhatsApp booking bot runs on LangGraph with no authentication and a wildcard CORS policy. Thread state from real guest conversations is readable without credentials. The agent is named 'Airbnb Tenant Agent' and is active.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--airbnb-tenant-agent-cors-whatsapp-2026-05-25.png" alt="Airbnb Tenant Agent — CORS Wildcard and No Auth on a Live WhatsApp Booking Bot" /></p> <p><strong>Sector:</strong> Commercial</p> <p>An Airbnb property manager&#39;s WhatsApp booking bot runs on LangGraph with no authentication and a wildcard CORS policy. Thread state from real guest conversations is readable without credentials. The agent is named &#39;Airbnb Tenant Agent&#39; and is active.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--airbnb-tenant-agent-cors-whatsapp-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--airbnb-tenant-agent-langgraph-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--airbnb-tenant-agent-langgraph-2026-05-25/An Airbnb property host's WhatsApp booking assistant runs LangGraph with CORS Access-Control-Allow-Origin: * and no authentication on any endpoint. Any webpage can create threads and read guest booking conversations. The WhatsApp webhook service runs on the same host.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--airbnb-tenant-agent-langgraph-2026-05-25.png" alt="Airbnb Tenant Agent — CORS Wildcard on a WhatsApp Booking Assistant" /></p> <p><strong>Sector:</strong> Commercial</p> <p>An Airbnb property host&#39;s WhatsApp booking assistant runs LangGraph with CORS Access-Control-Allow-Origin: * and no authentication on any endpoint. Any webpage can create threads and read guest booking conversations. The WhatsApp webhook service runs on the same host.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--airbnb-tenant-agent-langgraph-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--artsypetz-crewai-langfuse-unauth-147-182-219-125-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--artsypetz-crewai-langfuse-unauth-147-182-219-125-2026-05-25/A multi-service AI stack at 147.182.219.125 exposes Langfuse 3.88.1 LLM observability with open self-registration. ClickHouse 25.7.1.3997, GlitchTip, and MinIO run on the same host with auth enforced. A CrewAI social content generation service is present on ports 8001 and 9002. The operator is an indie developer running ArtsyPetz (pet portrait e-commerce) alongside a social media growth tool in development.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--artsypetz-crewai-langfuse-unauth-147-182-219-125-2026-05-25.png" alt="ArtsyPetz CrewAI Stack: Langfuse LLM Observability Open Registration, Multi-Service Stack Exposed" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A multi-service AI stack at 147.182.219.125 exposes Langfuse 3.88.1 LLM observability with open self-registration. ClickHouse 25.7.1.3997, GlitchTip, and MinIO run on the same host with auth enforced. A CrewAI social content generation service is present on ports 8001 and 9002. The operator is an indie developer running ArtsyPetz (pet portrait e-commerce) alongside a social media growth tool in development.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--artsypetz-crewai-langfuse-unauth-147-182-219-125-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--ati-docu-companion-langgraph-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--ati-docu-companion-langgraph-2026-05-25/A Catalan multi-tenant AI customer support platform runs a Vite development server in production on one of three Hetzner nodes, exposing full TypeScript source code. All three nodes share unauthenticated LangGraph agent endpoints and Qdrant databases holding 121 customer conversations and 377 tenant knowledge-base documents.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--ati-docu-companion-langgraph-2026-05-25.png" alt="Assistent Tècnic Intel·ligent (ATI) — Vite Dev Server in Production, 211-Tenant Platform" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A Catalan multi-tenant AI customer support platform runs a Vite development server in production on one of three Hetzner nodes, exposing full TypeScript source code. All three nodes share unauthenticated LangGraph agent endpoints and Qdrant databases holding 121 customer conversations and 377 tenant knowledge-base documents.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--ati-docu-companion-langgraph-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--collector-scraper-api-langgraph-pii-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--collector-scraper-api-langgraph-pii-2026-05-25/Two Scaleway nodes in Paris run an unauthenticated API built to extract emails, phone numbers, and coordinates from business directory listings. No authentication on the extraction endpoint.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--collector-scraper-api-langgraph-pii-2026-05-25.png" alt="Collector Scraper API — AI-Powered PII Extraction Service, Unauthenticated" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Two Scaleway nodes in Paris run an unauthenticated API built to extract emails, phone numbers, and coordinates from business directory listings. No authentication on the extraction endpoint.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--collector-scraper-api-langgraph-pii-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--crewai-sop-rag-agent-unauth-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--crewai-sop-rag-agent-unauth-2026-05-25/A multi-agent CrewAI system on Azure exposes its full API without authentication. All nine endpoints are open. POST /upload allows unauthenticated file ingestion into the SOP database. POST /query runs the full agent pipeline against stored documents. The agent roster and workflow configuration are enumerable without credentials.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--crewai-sop-rag-agent-unauth-2026-05-25.png" alt="CrewAI SOP RAG Agent: Multi-Agent Standard Operating Procedure System Open Without Authentication" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A multi-agent CrewAI system on Azure exposes its full API without authentication. All nine endpoints are open. POST /upload allows unauthenticated file ingestion into the SOP database. POST /query runs the full agent pipeline against stored documents. The agent roster and workflow configuration are enumerable without credentials.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--crewai-sop-rag-agent-unauth-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--demant-semantic-kernel-agents-unauth-172-205-127-109-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--demant-semantic-kernel-agents-unauth-172-205-127-109-2026-05-25/A Microsoft Semantic Kernel agent hosting platform at 172.205.127.109 exposes five production agents without authentication. Agent names, system prompts, and plugin bindings name Demant, a Danish hearing technology company. POST /agents/execute runs any agent against the knowledge base without credentials. POST /agents/create and DELETE /agents/{id} are open.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--demant-semantic-kernel-agents-unauth-172-205-127-109-2026-05-25.png" alt="Demant Semantic Kernel Agent Platform: Five Production Agents Open Without Authentication" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A Microsoft Semantic Kernel agent hosting platform at 172.205.127.109 exposes five production agents without authentication. Agent names, system prompts, and plugin bindings name Demant, a Danish hearing technology company. POST /agents/execute runs any agent against the knowledge base without credentials. POST /agents/create and DELETE /agents/{id} are open.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--demant-semantic-kernel-agents-unauth-172-205-127-109-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--docu-companion-ati-vite-dev-production-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--docu-companion-ati-vite-dev-production-2026-05-25/A Catalan-language multi-tenant AI customer support platform runs a Vite development server in production on one node, exposing full TypeScript source. All three Hetzner nodes share an unauthenticated Qdrant stack holding 211 tenant knowledge bases, 377 business documents, and 121 user conversations. Agent invocation endpoints are fully open.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--docu-companion-ati-vite-dev-production-2026-05-25.png" alt="Docu Companion / ATI — Vite Dev Server and 211 Tenant Knowledge Bases Open on a Three-Node Hetzner Cluster" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A Catalan-language multi-tenant AI customer support platform runs a Vite development server in production on one node, exposing full TypeScript source. All three Hetzner nodes share an unauthenticated Qdrant stack holding 211 tenant knowledge bases, 377 business documents, and 121 user conversations. Agent invocation endpoints are fully open.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--docu-companion-ati-vite-dev-production-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--docu-companion-vite-dev-server-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--docu-companion-vite-dev-server-2026-05-25/A Catalan AI document platform running across three Hetzner nodes exposes its full TypeScript source code via a Vite development server left running in production. All agent endpoints, 121 user conversations, and 211 tenant knowledge bases are accessible without authentication.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--docu-companion-vite-dev-server-2026-05-25.png" alt="Assistent Tècnic Intel·ligent — Vite Dev Server in Production Exposes Source Code Across a 211-Tenant Platform" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A Catalan AI document platform running across three Hetzner nodes exposes its full TypeScript source code via a Vite development server left running in production. All agent endpoints, 121 user conversations, and 211 tenant knowledge bases are accessible without authentication.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--docu-companion-vite-dev-server-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--erpnext-frappe-ldap-redis-cache-21247228104-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--erpnext-frappe-ldap-redis-cache-21247228104-2026-05-25/CloudCentric runs a shared Redis Stack instance at 212.47.228.104 (Scaleway, Paris) as the document cache for a multi-tenant ERPNext/Frappe deployment. No authentication. DBSIZE 2,716. Two LDAP Settings document cache keys are present with TTL -1 (persistent). The LDAP Settings doctype in Frappe stores the bind DN, bind password, and LDAP server URL. Key names are readable without auth. Values were not read per restraint ethic. 27 tenant subdomains identified from Redis job queue keys.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--erpnext-frappe-ldap-redis-cache-21247228104-2026-05-25.png" alt="CloudCentric / BizCentric — ERPNext/Frappe Multi-Tenant Redis Cache: LDAP Settings Keys Exposed, 27 Tenants" /></p> <p><strong>Sector:</strong> Commercial</p> <p>CloudCentric runs a shared Redis Stack instance at 212.47.228.104 (Scaleway, Paris) as the document cache for a multi-tenant ERPNext/Frappe deployment. No authentication. DBSIZE 2,716. Two LDAP Settings document cache keys are present with TTL -1 (persistent). The LDAP Settings doctype in Frappe stores the bind DN, bind password, and LDAP server URL. Key names are readable without auth. Values were not read per restraint ethic. 27 tenant subdomains identified from Redis job queue keys.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--erpnext-frappe-ldap-redis-cache-21247228104-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--fais-mcp-server-unauth-4-187-183-11-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--fais-mcp-server-unauth-4-187-183-11-2026-05-25/Two identical FAIS MCP Server instances on Azure Pune expose their full tool API without authentication. Three workflow tools are open on both nodes: GetAllWorkflows, GetWorkflowConfiguration, and GetWorkflowLogsByTransaction. Any caller can enumerate organizations, retrieve workflow configurations, and query execution logs by workflow and transaction ID.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--fais-mcp-server-unauth-4-187-183-11-2026-05-25.png" alt="FAIS MCP Server: Dual-Node Workflow Tool API Open Without Authentication" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Two identical FAIS MCP Server instances on Azure Pune expose their full tool API without authentication. Three workflow tools are open on both nodes: GetAllWorkflows, GetWorkflowConfiguration, and GetWorkflowLogsByTransaction. Any caller can enumerate organizations, retrieve workflow configurations, and query execution logs by workflow and transaction ID.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--fais-mcp-server-unauth-4-187-183-11-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--langgraph-financial-agent-1-15-66-80-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--langgraph-financial-agent-1-15-66-80-2026-05-25/A Chinese financial services multi-agent system on LangGraph runs credit report and loan extraction workflows in development mode with no authentication. The agent session store is accessible via Redis Commander on port 8081.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--langgraph-financial-agent-1-15-66-80-2026-05-25.png" alt="Chinese Financial LangGraph Agent — Credit Reports, Loans, and an Open Session Store" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A Chinese financial services multi-agent system on LangGraph runs credit report and loan extraction workflows in development mode with no authentication. The agent session store is accessible via Redis Commander on port 8081.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--langgraph-financial-agent-1-15-66-80-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--mikrowizard-session-store-redis-889910230-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--mikrowizard-session-store-redis-889910230-2026-05-25/MikroWizard router management platform at 88.99.102.30 (Hetzner Frankfurt) runs Redis 7.4.7 on port 6379 with no authentication. DBSIZE: 2,940 keys, all named mikrowizard::UUID. Session TTL: 29 days. Any actor with network access can read all active session identifiers directly from the data layer. The application layer at port 80 serves the MikroWizard Angular UI.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--mikrowizard-session-store-redis-889910230-2026-05-25.png" alt="MikroWizard — Unauthenticated Redis Session Store, 2,940 Active MikroTik Router Management Sessions" /></p> <p><strong>Sector:</strong> Commercial</p> <p>MikroWizard router management platform at 88.99.102.30 (Hetzner Frankfurt) runs Redis 7.4.7 on port 6379 with no authentication. DBSIZE: 2,940 keys, all named mikrowizard::UUID. Session TTL: 29 days. Any actor with network access can read all active session identifiers directly from the data layer. The application layer at port 80 serves the MikroWizard Angular UI.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--mikrowizard-session-store-redis-889910230-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--n8n-legacy-rest-unauth-38-102-86-8-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--n8n-legacy-rest-unauth-38-102-86-8-2026-05-25/n8n 1.120.0 on port 5678 at 38.102.86.8 exposes its legacy /rest/ API without authentication. A single active production workflow — billing-backup-to-s3 — is enumerable, including node type and tags. The newer /api/v1/ path enforces auth; the /rest/ path does not.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--n8n-legacy-rest-unauth-38-102-86-8-2026-05-25.png" alt="n8n 1.120.0: Legacy REST API Open, Production Billing Backup Workflow Exposed" /></p> <p><strong>Sector:</strong> Commercial</p> <p>n8n 1.120.0 on port 5678 at 38.102.86.8 exposes its legacy /rest/ API without authentication. A single active production workflow — billing-backup-to-s3 — is enumerable, including node type and tags. The newer /api/v1/ path enforces auth; the /rest/ path does not.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--n8n-legacy-rest-unauth-38-102-86-8-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--nexthello-crewai-whatsapp-unauth-132-145-158-151-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--nexthello-crewai-whatsapp-unauth-132-145-158-151-2026-05-25/A CrewAI-based WhatsApp CRM platform at 132.145.158.151 exposes 59 endpoints without authentication. All operational POST endpoints accept requests without credentials. People Data Labs, HeyGen, and ElevenLabs API keys are live. A WhatsApp bridge with persisted session credentials is disconnected; reconnect enables message delivery to any phone number. The admin data layer is gated.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--nexthello-crewai-whatsapp-unauth-132-145-158-151-2026-05-25.png" alt="NextHello CrewAI CRM: 59-Endpoint Operational API Open Without Authentication, Live API Keys" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A CrewAI-based WhatsApp CRM platform at 132.145.158.151 exposes 59 endpoints without authentication. All operational POST endpoints accept requests without credentials. People Data Labs, HeyGen, and ElevenLabs API keys are live. A WhatsApp bridge with persisted session credentials is disconnected; reconnect enables message delivery to any phone number. The admin data layer is gated.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--nexthello-crewai-whatsapp-unauth-132-145-158-151-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--sergogram-flowise-weaviate-unauth-37-60-255-27-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--sergogram-flowise-weaviate-unauth-37-60-255-27-2026-05-25/A Flowise instance at 37.60.255.27 exposes an unauthenticated Weaviate vector store containing internal IT documentation from a German blood donation organization. The corpus includes plaintext server credentials, internal IP addresses, server names, BitLocker PINs, and blood donation operational data. A second tenant's customer support documents occupy the same instance.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--sergogram-flowise-weaviate-unauth-37-60-255-27-2026-05-25.png" alt="SerGoGram Flowise + Weaviate: IT Credentials from German Blood Donation Organization in Open Vector Store" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A Flowise instance at 37.60.255.27 exposes an unauthenticated Weaviate vector store containing internal IT documentation from a German blood donation organization. The corpus includes plaintext server credentials, internal IP addresses, server names, BitLocker PINs, and blood donation operational data. A second tenant&#39;s customer support documents occupy the same instance.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--sergogram-flowise-weaviate-unauth-37-60-255-27-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--simon-movilidad-redis-stack-fleet-pii-19021728217-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--simon-movilidad-redis-stack-fleet-pii-19021728217-2026-05-25/Simón Movilidad runs Traccar 6.12.2 (GPS fleet tracking) with Redis Stack as the live device state store. The Redis instance at qa.simonmovilidad.com is open without auth: 28,323 GPS device records, keyed by IMEI, each containing plate, name, phone, email. Tenant: Finanzauto S.A. BIC (Colombian vehicle financing). Finanzauto's admision subdomain runs Apereo CAS SSO with the default-config HTML comment in production.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--simon-movilidad-redis-stack-fleet-pii-19021728217-2026-05-25.png" alt="Simón Movilidad / Finanzauto — Full Picture: Traccar 6.12.2, 28,323 Open GPS Records, CAS Default Config" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Simón Movilidad runs Traccar 6.12.2 (GPS fleet tracking) with Redis Stack as the live device state store. The Redis instance at qa.simonmovilidad.com is open without auth: 28,323 GPS device records, keyed by IMEI, each containing plate, name, phone, email. Tenant: Finanzauto S.A. BIC (Colombian vehicle financing). Finanzauto&#39;s admision subdomain runs Apereo CAS SSO with the default-config HTML comment in production.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--simon-movilidad-redis-stack-fleet-pii-19021728217-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--stock-ai-emor-ai-langgraph-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--stock-ai-emor-ai-langgraph-2026-05-25/An Indian fintech startup's LangGraph stock analysis app authenticates the list layer but leaves individual resource endpoints wide open. 62 proprietary Arihant Capital analyst reports are accessible without auth through a co-deployed Weaviate instance.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--stock-ai-emor-ai-langgraph-2026-05-25.png" alt="Stock.ai (EMOR AI) — Partial-Auth Failure, Open Vector Store, and Third-Party Research Leak" /></p> <p><strong>Sector:</strong> Commercial</p> <p>An Indian fintech startup&#39;s LangGraph stock analysis app authenticates the list layer but leaves individual resource endpoints wide open. 62 proprietary Arihant Capital analyst reports are accessible without auth through a co-deployed Weaviate instance.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--stock-ai-emor-ai-langgraph-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--stock-ai-emor-partial-auth-20193252230-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--stock-ai-emor-partial-auth-20193252230-2026-05-25/EMOR AI's unreleased Stock.ai product exposes a Weaviate vector database, individual API resource endpoints, and 62+ proprietary Arihant Capital equity analyst reports. The developer implemented JWT and Google OAuth but left individual resource endpoints unprotected. A reused HR/resume Azure OpenAI subscription confirms operator identity.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--stock-ai-emor-partial-auth-20193252230-2026-05-25.png" alt="Stock.ai (EMOR AI) — Partial-Auth Failure, Open Weaviate, and 62 Proprietary Analyst Reports" /></p> <p><strong>Sector:</strong> Commercial</p> <p>EMOR AI&#39;s unreleased Stock.ai product exposes a Weaviate vector database, individual API resource endpoints, and 62+ proprietary Arihant Capital equity analyst reports. The developer implemented JWT and Google OAuth but left individual resource endpoints unprotected. A reused HR/resume Azure OpenAI subscription confirms operator identity.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--stock-ai-emor-partial-auth-20193252230-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--stock-ai-emor-partial-auth-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--stock-ai-emor-partial-auth-2026-05-25/An Indian fintech startup's stock research assistant exposes 62 proprietary Arihant Capital analyst reports and user conversation history. The developer built JWT authentication and left the individual resource endpoints unprotected.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--stock-ai-emor-partial-auth-2026-05-25.png" alt="Stock.ai — Partial-Auth Failure Exposes 62 Arihant Capital Reports and User Data" /></p> <p><strong>Sector:</strong> Commercial</p> <p>An Indian fintech startup&#39;s stock research assistant exposes 62 proprietary Arihant Capital analyst reports and user conversation history. The developer built JWT authentication and left the individual resource endpoints unprotected.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--stock-ai-emor-partial-auth-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--vantage-coach-healthcare-langgraph-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--vantage-coach-healthcare-langgraph-2026-05-25/A pharmaceutical sales rep AI assistant runs LangGraph on two DigitalOcean nodes with no authentication. The agent has declared access to a healthcare client database. Voice endpoints accept unauthenticated audio and return agent-processed responses. Client records including doctor names, specializations, visit history, and treatment discussion notes are accessible to any caller with a valid organization ID.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--vantage-coach-healthcare-langgraph-2026-05-25.png" alt="Vantage Coach — Healthcare CRM Agent With Voice Endpoints, No Auth" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A pharmaceutical sales rep AI assistant runs LangGraph on two DigitalOcean nodes with no authentication. The agent has declared access to a healthcare client database. Voice endpoints accept unauthenticated audio and return agent-processed responses. Client records including doctor names, specializations, visit history, and treatment discussion notes are accessible to any caller with a valid organization ID.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--vantage-coach-healthcare-langgraph-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--vantage-coach-pharma-crm-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--vantage-coach-pharma-crm-2026-05-25/A pharmaceutical sales representative AI tool on two DigitalOcean nodes exposes a healthcare client database, conversation history, and voice endpoints without authentication. The OpenAPI spec explicitly describes access to doctor names, hospitals, visit dates, and medication discussion records.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--vantage-coach-pharma-crm-2026-05-25.png" alt="Vantage Coach — Pharmaceutical CRM with Healthcare Client Records and Voice Endpoints Open" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A pharmaceutical sales representative AI tool on two DigitalOcean nodes exposes a healthcare client database, conversation history, and voice endpoints without authentication. The OpenAPI spec explicitly describes access to doctor names, hospitals, visit dates, and medication discussion records.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--vantage-coach-pharma-crm-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--vantage-coach-pharma-crm-voice-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--vantage-coach-pharma-crm-voice-2026-05-25/A Spanish-language pharmaceutical CRM AI agent runs on two DigitalOcean nodes with no authentication. The agent has tool access to a healthcare client database. Voice endpoints accept audio queries against that database without credentials.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--vantage-coach-pharma-crm-voice-2026-05-25.png" alt="Vantage Coach — Pharma CRM Agent, Open Voice Endpoints, Healthcare Client Records" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A Spanish-language pharmaceutical CRM AI agent runs on two DigitalOcean nodes with no authentication. The agent has tool access to a healthcare client database. Voice endpoints accept audio queries against that database without credentials.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--vantage-coach-pharma-crm-voice-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--wuji-sleep-doctor-health-data-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--wuji-sleep-doctor-health-data-2026-05-25/A Chinese sleep health application on Tencent Cloud exposes per-user sleep sensor data by WeChat openid and serves 9,244 logged API requests without authentication. The service runs as root with log file paths disclosed.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--wuji-sleep-doctor-health-data-2026-05-25.png" alt="wuji Sleep Doctor — WeChat Health Data and 9,244 Request Logs Exposed on Tencent Cloud" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A Chinese sleep health application on Tencent Cloud exposes per-user sleep sensor data by WeChat openid and serves 9,244 logged API requests without authentication. The service runs as root with log file paths disclosed.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--wuji-sleep-doctor-health-data-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--wuji-sleep-doctor-health-data-82156182216-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--wuji-sleep-doctor-health-data-82156182216-2026-05-25/A Chinese WeChat Mini Program backend for sleep health diagnostics runs on TencentCloud Beijing with no authentication. Sleep sensor data is accessible by WeChat openid. 9,244 request logs containing user identifiers, health responses, and client IPs are readable without credentials.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--wuji-sleep-doctor-health-data-82156182216-2026-05-25.png" alt="Chinese Sleep Doctor App — WeChat Health Data Open by Design, 9,244 Request Logs Exposed" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A Chinese WeChat Mini Program backend for sleep health diagnostics runs on TencentCloud Beijing with no authentication. Sleep sensor data is accessible by WeChat openid. 9,244 request logs containing user identifiers, health responses, and client IPs are readable without credentials.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--wuji-sleep-doctor-health-data-82156182216-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--wuji-sleep-doctor-langgraph-2026-05-25/https://nuclide-research.com/cases/case-studies--commercial--wuji-sleep-doctor-langgraph-2026-05-25/A Chinese sleep health WeChat Mini Program backend runs a LangGraph Sleep Doctor service with no authentication on any endpoint. Sleep sensor data (AHI, heart rate, HRV, sleep stages) is accessible by WeChat openid alone. A 36.9MB request log containing 9,244 entries — including user identifiers, request bodies, response bodies, and client IPs — is served at /api/monitor/logs without auth. The service runs as root.Mon, 25 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--wuji-sleep-doctor-langgraph-2026-05-25.png" alt="wuji Sleep Doctor — Chinese Health Data by WeChat OpenID, 9,244 Request Logs Open" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A Chinese sleep health WeChat Mini Program backend runs a LangGraph Sleep Doctor service with no authentication on any endpoint. Sleep sensor data (AHI, heart rate, HRV, sleep stages) is accessible by WeChat openid alone. A 36.9MB request log containing 9,244 entries — including user identifiers, request bodies, response bodies, and client IPs — is served at /api/monitor/logs without auth. The service runs as root.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--wuji-sleep-doctor-langgraph-2026-05-25/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--climategpt-opik-vllm-2026-05-22/https://nuclide-research.com/cases/case-studies--commercial--climategpt-opik-vllm-2026-05-22/Surfaced during Session 30 Agenta survey (S30). The /opik/api/v1/projects endpoint returned HTTP 200 unauthenticated — a candidate, per Insight #16. The candidate was passed to this assessment for data-layer verification.Fri, 22 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--climategpt-opik-vllm-2026-05-22.png" alt="ClimateGPT Stack — Unauth vLLM + Opik + Streamlit" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Surfaced during Session 30 Agenta survey (S30). The /opik/api/v1/projects endpoint returned HTTP 200 unauthenticated — a candidate, per Insight #16. The candidate was passed to this assessment for data-layer verification.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--climategpt-opik-vllm-2026-05-22/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--langfuse-postgres-cert-pivot-2026-05-22/https://nuclide-research.com/cases/case-studies--commercial--langfuse-postgres-cert-pivot-2026-05-22/The survey started as an Insight #20 exercise: data-tier ports adjacent to confirmed AI services are an independent exposure class. The dork ssl.cert.subject.cn:langfuse port:5432 was surfaced during the Agenta survey (Session 30) via the TLS-CN attack class (Insight #46). Eleven hits.Fri, 22 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--langfuse-postgres-cert-pivot-2026-05-22.png" alt="Langfuse Postgres Cert Pivot — Data Tier Survey + CygnusAlpha Production Finding" /></p> <p><strong>Sector:</strong> Commercial</p> <p>The survey started as an Insight #20 exercise: data-tier ports adjacent to confirmed AI services are an independent exposure class. The dork ssl.cert.subject.cn:langfuse port:5432 was surfaced during the Agenta survey (Session 30) via the TLS-CN attack class (Insight #46). Eleven hits.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--langfuse-postgres-cert-pivot-2026-05-22/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--pantaflow-live-transcription-2026-05-22/https://nuclide-research.com/cases/case-studies--commercial--pantaflow-live-transcription-2026-05-22/<!-- ksat-tag:auto-generated:start --> ## DCWF KSAT coverageFri, 22 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--pantaflow-live-transcription-2026-05-22.png" alt="116.202.28.181 — Pantaflow Live Transcription Server" /></p> <p><strong>Sector:</strong> Commercial</p> <p>&lt;!-- ksat-tag:auto-generated:start --&gt; ## DCWF KSAT coverage</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--pantaflow-live-transcription-2026-05-22/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--promptlayer-marker-build-2026-05-22/https://nuclide-research.com/cases/case-studies--commercial--promptlayer-marker-build-2026-05-22/PromptLayer was queued for its first population survey: http.title:"PromptLayer" (6 hits) and ssl.cert.subject.cn:promptlayer (10 hits). The discovery stage could not run — both Shodan API keys on rooster return 401 Unauthorized, and the ledger holds zero pre-harvested PromptLayer hosts, so there was no fallback corpus. JAXEN, VisorSD, VisorGoose and VisorPl…Fri, 22 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--promptlayer-marker-build-2026-05-22.png" alt="PromptLayer — Marker-Build Assessment" /></p> <p><strong>Sector:</strong> Commercial</p> <p>PromptLayer was queued for its first population survey: http.title:&quot;PromptLayer&quot; (6 hits) and ssl.cert.subject.cn:promptlayer (10 hits). The discovery stage could not run — both Shodan API keys on rooster return 401 Unauthorized, and the ledger holds zero pre-harvested PromptLayer hosts, so there was no fallback corpus. JAXEN, VisorSD, VisorGoose and VisorPl…</p> <p>PromptLayer was queued for its first population survey: http.title:&quot;PromptLayer&quot; (6 hits) and ssl.cert.subject.cn:promptlayer (10 hits). The discovery stage could not run — both Shodan API keys on rooster return 401 Unauthorized, and the ledger holds zero pre-harvested PromptLayer hosts, so there was no fallback corpus. JAXEN, VisorSD, VisorGoose and VisorPlus&#39;s hunt path are all Shodan-gated and were blocked at the same point.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--promptlayer-marker-build-2026-05-22/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--k12--cn-tci-kindergarten-asr/https://nuclide-research.com/cases/case-studies--k12--cn-tci-kindergarten-asr/117.50.80.181:8001 runs the "TCI ASR Service" v3.0.0, a Chinese kindergarten classroom speech-assessment platform. The processing tier has no authentication. An unauthenticated internet caller can submit audio to the platform's automatic-speech-recognition, speaker-diarization, and voiceprint-registration pipeline. The same endpoints carry an arbitrary-path…Fri, 22 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--k12--cn-tci-kindergarten-asr.png" alt="117.50.80.181 — TCI Kindergarten ASR / Speech-Assessment Platform" /></p> <p><strong>Sector:</strong> K-12</p> <p>117.50.80.181:8001 runs the &quot;TCI ASR Service&quot; v3.0.0, a Chinese kindergarten classroom speech-assessment platform. The processing tier has no authentication. An unauthenticated internet caller can submit audio to the platform&#39;s automatic-speech-recognition, speaker-diarization, and voiceprint-registration pipeline. The same endpoints carry an arbitrary-path…</p> <p>117.50.80.181:8001 runs the &quot;TCI ASR Service&quot; v3.0.0, a Chinese kindergarten classroom speech-assessment platform. The processing tier has no authentication. An unauthenticated internet caller can submit audio to the platform&#39;s automatic-speech-recognition, speaker-diarization, and voiceprint-registration pipeline. The same endpoints carry an arbitrary-path file-existence oracle through an unsanitised ffmpeg -i call. The platform&#39;s data class is kindergarten-age children&#39;s classroom audio and the voiceprint biometrics of children and teachers.</p> <p><a href="https://nuclide-research.com/cases/case-studies--k12--cn-tci-kindergarten-asr/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--embedding-tier2-2026-05-21/https://nuclide-research.com/cases/case-studies--commercial--embedding-tier2-2026-05-21/<!-- ksat-tag:auto-generated:start --> ## DCWF KSAT coverageThu, 21 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--embedding-tier2-2026-05-21.png" alt="Embedding Services Survey — Tier-2 Cloud (2026-05-21)" /></p> <p><strong>Sector:</strong> Commercial</p> <p>&lt;!-- ksat-tag:auto-generated:start --&gt; ## DCWF KSAT coverage</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--embedding-tier2-2026-05-21/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--hpc-psy-ntu-edu-tw/https://nuclide-research.com/cases/case-studies--universities--hpc-psy-ntu-edu-tw/NTU's Psychology HPC node ran NIS (YP) — a 1980s LAN credential distribution protocol — fully exposed to the internet at time of observation. yppasswdd, ypserv, and fypxfrd were all registered in the portmapper table and reachable from external IP space. NIS has no transport authentication. An attacker who knows the NIS domain name can:Thu, 21 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--hpc-psy-ntu-edu-tw.png" alt="NIS/YP Internet Exposure — hpc.psy.ntu.edu.tw" /></p> <p><strong>Sector:</strong> Universities</p> <p>NTU&#39;s Psychology HPC node ran NIS (YP) — a 1980s LAN credential distribution protocol — fully exposed to the internet at time of observation. yppasswdd, ypserv, and fypxfrd were all registered in the portmapper table and reachable from external IP space. NIS has no transport authentication. An attacker who knows the NIS domain name can:</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--hpc-psy-ntu-edu-tw/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--sakura-mit-edu/https://nuclide-research.com/cases/case-studies--universities--sakura-mit-edu/34 exposed ports. Services running concurrently on this single host:Thu, 21 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--sakura-mit-edu.png" alt="sakura.mit.edu — MIT Research Compute Node" /></p> <p><strong>Sector:</strong> Universities</p> <p>34 exposed ports. Services running concurrently on this single host:</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--sakura-mit-edu/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities/https://nuclide-research.com/cases/case-studies--universities/Unauthenticated Ollama, Open WebUI, JupyterHub, and LiteLLM instances discovered on university networks worldwide. Organized by country / state.Wed, 20 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities.png" alt="University AI Infrastructure Exposures" /></p> <p><strong>Sector:</strong> Other</p> <p>Unauthenticated Ollama, Open WebUI, JupyterHub, and LiteLLM instances discovered on university networks worldwide. Organized by country / state.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--overview/https://nuclide-research.com/cases/case-studies--universities--overview/Full sweep of all 10,224 recognized universities worldwide (Hipo dataset, 202 countries). Two lanes ran:Wed, 20 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--overview.png" alt="University AI Infrastructure Exposure: Global Overview" /></p> <p><strong>Sector:</strong> Universities</p> <p>Full sweep of all 10,224 recognized universities worldwide (Hipo dataset, 202 countries). Two lanes ran:</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--overview/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--claude-relay-chinese-reseller-2026-05-19/https://nuclide-research.com/cases/case-studies--commercial--claude-relay-chinese-reseller-2026-05-19/A pivot off the LiteLLM UNAUTHFUNCTIONAL cohort from the same-day safety/guardrail survey surfaced an upstream apibase at 43.167.216.195:38762 (Tencent Cloud Singapore / Aceville Pte Ltd). That upstream returned a JSON stats schema unique to the claude-relay-service OSS project. A targeted Shodan dork on the schema's load-bearing tokens (availableAccounts +…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--claude-relay-chinese-reseller-2026-05-19.png" alt="Chinese commercial Claude-reseller ecosystem: 32 pooled Anthropic accounts across six relays, ~13.92B tokens served via claude-relay-service OSS" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A pivot off the LiteLLM UNAUTHFUNCTIONAL cohort from the same-day safety/guardrail survey surfaced an upstream apibase at 43.167.216.195:38762 (Tencent Cloud Singapore / Aceville Pte Ltd). That upstream returned a JSON stats schema unique to the claude-relay-service OSS project. A targeted Shodan dork on the schema&#39;s load-bearing tokens (availableAccounts +…</p> <p>A pivot off the LiteLLM UNAUTHFUNCTIONAL cohort from the same-day safety/guardrail survey surfaced an upstream apibase at 43.167.216.195:38762 (Tencent Cloud Singapore / Aceville Pte Ltd). That upstream returned a JSON stats schema unique to the claude-relay-service OSS project. A targeted Shodan dork on the schema&#39;s load-bearing tokens (availableAccounts + thirdPartyMaxConcurrent) surfaced five additional hosts running the same OSS. The six visible relays collectively pool 32 paid Anthropic accounts and have served approximately 13.92 billion tokens of Claude inference across 430,000 successful API requests. The OSS substrate (github.com/Wei-Shaw/claude-relay-service, 11.8K stars, MIT) is documented in Chinese only and explicitly marketed for 拼车 (carpool) account-sharing. The maintainer operates a commercial brand at pincc.ai with the slogan &quot;Claude Code Max 20X, saves 60%+.&quot; The Go-rewrite successor sub2api has 21,800 stars and 8,105 Shodan-indexed deployments, suggesting the visible Claude Relay v1 population is the long tail of operators who left /health open, not the deployed base.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--claude-relay-chinese-reseller-2026-05-19/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--llm-orchestration-rerun-2026-05-19/https://nuclide-research.com/cases/case-studies--commercial--llm-orchestration-rerun-2026-05-19/Per the standing methodology — the manual → productize → re-run loop. The first run was 2026-05-15. Since then:Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--llm-orchestration-rerun-2026-05-19.png" alt="LLM Orchestration Re-Run — 2026-05-19" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Per the standing methodology — the manual → productize → re-run loop. The first run was 2026-05-15. Since then:</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--llm-orchestration-rerun-2026-05-19/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--sub2api-population-2026-05-19/https://nuclide-research.com/cases/case-studies--commercial--sub2api-population-2026-05-19/<!-- ksat-tag:auto-generated:start --> ## DCWF KSAT coverageTue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--sub2api-population-2026-05-19.png" alt="sub2api — Population survey: 7,720 indexed hosts, auth-on-default at scale, zero pool-leak" /></p> <p><strong>Sector:</strong> Commercial</p> <p>&lt;!-- ksat-tag:auto-generated:start --&gt; ## DCWF KSAT coverage</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--sub2api-population-2026-05-19/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--edu-llm-infra-sweep-2026-05-19/https://nuclide-research.com/cases/case-studies--universities--edu-llm-infra-sweep-2026-05-19/The repo's 1,629-dork verified Shodan catalog (29 categories, hand-curated and FP-tested across 50+ prior commercial surveys) was scoped to hostname:.edu and run through shodan count (free per query, no scan credit). After dropping 45 dorks that already had a hostname: filter, 1,584 scoped queries ran in 48 minutes with a 1.2s rate-limit. 382 dorks (24%) ret…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--edu-llm-infra-sweep-2026-05-19.png" alt=".edu LLM infrastructure dork-map — 1,584 verified-dork × hostname:.edu sweep (2026-05-19)" /></p> <p><strong>Sector:</strong> Universities</p> <p>The repo&#39;s 1,629-dork verified Shodan catalog (29 categories, hand-curated and FP-tested across 50+ prior commercial surveys) was scoped to hostname:.edu and run through shodan count (free per query, no scan credit). After dropping 45 dorks that already had a hostname: filter, 1,584 scoped queries ran in 48 minutes with a 1.2s rate-limit. 382 dorks (24%) ret…</p> <p>The repo&#39;s 1,629-dork verified Shodan catalog (29 categories, hand-curated and FP-tested across 50+ prior commercial surveys) was scoped to hostname:.edu and run through shodan count (free per query, no scan credit). After dropping 45 dorks that already had a hostname: filter, 1,584 scoped queries ran in 48 minutes with a 1.2s rate-limit. 382 dorks (24%) returned ≥1 hit, 1,143 returned 0, 59 errored (3.7% rate-limit blip). The data-mapping output establishes which platform classes have material .edu exposure surface, what populations to expect at Stage 1 verify, and which dork classes are productive vs noise on the academic surface.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--edu-llm-infra-sweep-2026-05-19/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--us--az-arizona/https://nuclide-research.com/cases/case-studies--universities--us--az-arizona/The University of Arizona operates a branded institutional Open WebUI service at genai.arizona.edu (128.196.254.101). The deployment is reachable on port 80 (reverse-proxied; Open WebUI's typical :3000 not directly exposed). /api/config returned Open WebUI v0.7.2 with name: "U of A GenAI (Open WebUI)" — customized service title — and an OIDC backend identifi…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--us--az-arizona.png" alt="University of Arizona: Branded &quot;U of A GenAI&quot; — Open WebUI v0.7.2 with University-OIDC + Auth-On" /></p> <p><strong>Sector:</strong> Universities</p> <p>The University of Arizona operates a branded institutional Open WebUI service at genai.arizona.edu (128.196.254.101). The deployment is reachable on port 80 (reverse-proxied; Open WebUI&#39;s typical :3000 not directly exposed). /api/config returned Open WebUI v0.7.2 with name: &quot;U of A GenAI (Open WebUI)&quot; — customized service title — and an OIDC backend identifi…</p> <p>The University of Arizona operates a branded institutional Open WebUI service at genai.arizona.edu (128.196.254.101). The deployment is reachable on port 80 (reverse-proxied; Open WebUI&#39;s typical :3000 not directly exposed). /api/config returned Open WebUI v0.7.2 with name: &quot;U of A GenAI (Open WebUI)&quot; — customized service title — and an OIDC backend identified as &quot;University of Arizona&quot;. Signup is closed (enablesignup: false). Properly configured institutional LLM service with institutional OIDC integration; documented here as a wave-2 cohort exemplar of correct deployment posture.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--us--az-arizona/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--us--ca-sdsc/https://nuclide-research.com/cases/case-studies--universities--us--ca-sdsc/The San Diego Supercomputer Center (SDSC) operates a publicly-reachable Ollama 0.20.4 instance at 132-249-238-182.compute.cloud.sdsc.edu (132.249.238.182). /api/tags returns 53 models. The first entry in the model list is gemini-3-flash-preview:cloud with remotemodel:"gemini-3-flash-preview" and remotehost pointing to a Google API endpoint — Ollama's cloud-p…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--us--ca-sdsc.png" alt="San Diego Supercomputer Center: Public Ollama on `compute.cloud.sdsc.edu` — 53-Model Inventory + `:cloud`-suffix Cloud-Proxy Class" /></p> <p><strong>Sector:</strong> Universities</p> <p>The San Diego Supercomputer Center (SDSC) operates a publicly-reachable Ollama 0.20.4 instance at 132-249-238-182.compute.cloud.sdsc.edu (132.249.238.182). /api/tags returns 53 models. The first entry in the model list is gemini-3-flash-preview:cloud with remotemodel:&quot;gemini-3-flash-preview&quot; and remotehost pointing to a Google API endpoint — Ollama&#39;s cloud-p…</p> <p>The San Diego Supercomputer Center (SDSC) operates a publicly-reachable Ollama 0.20.4 instance at 132-249-238-182.compute.cloud.sdsc.edu (132.249.238.182). /api/tags returns 53 models. The first entry in the model list is gemini-3-flash-preview:cloud with remotemodel:&quot;gemini-3-flash-preview&quot; and remotehost pointing to a Google API endpoint — Ollama&#39;s cloud-proxy configuration class is OBSERVED on this host. SSH (OpenSSH 8.9p1 Ubuntu) is the only other open port.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--us--ca-sdsc/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--us--ca-stanford/https://nuclide-research.com/cases/case-studies--universities--us--ca-stanford/Stanford University surfaces a Streamlit application at sr24-0915fd81a9.stanford.edu (128.12.168.8:8501). Hostname pattern (sr24-{hex-id}.stanford.edu) suggests a dynamically-assigned campus subnet host — likely a personal device on Stanford's wireless or residential network. Streamlit framework confirmed via /stcore/health returning ok; <title>Streamlit</ti…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--us--ca-stanford.png" alt="Stanford University: Streamlit app on `sr24-0915fd81a9.stanford.edu:8501` (DHCP / dynamic host; framework confirmed)" /></p> <p><strong>Sector:</strong> Universities</p> <p>Stanford University surfaces a Streamlit application at sr24-0915fd81a9.stanford.edu (128.12.168.8:8501). Hostname pattern (sr24-{hex-id}.stanford.edu) suggests a dynamically-assigned campus subnet host — likely a personal device on Stanford&#39;s wireless or residential network. Streamlit framework confirmed via /stcore/health returning ok; &lt;title&gt;Streamlit&lt;/ti…</p> <p>Stanford University surfaces a Streamlit application at sr24-0915fd81a9.stanford.edu (128.12.168.8:8501). Hostname pattern (sr24-{hex-id}.stanford.edu) suggests a dynamically-assigned campus subnet host — likely a personal device on Stanford&#39;s wireless or residential network. Streamlit framework confirmed via /stcore/health returning ok; &lt;title&gt;Streamlit&lt;/title&gt; default (no app-level customization). Per restraint ethic, the WebSocket session that would reveal app content was not established.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--us--ca-stanford/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--us--ca-ucla/https://nuclide-research.com/cases/case-studies--universities--us--ca-ucla/UCLA's Institute for Digital Research and Education (IDRE) runs a multi-service LLM stack at ai.idre.ucla.edu (128.97.60.220, Los Angeles). Three distinct services on three ports: Open WebUI v0.9.1 on :3000 with enablesignup: true and enableldap: true (signup-open class observed; LDAP federation observed), and LiteLLM Proxy v1.83.4 served twice — once direct…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--us--ca-ucla.png" alt="UCLA: Multi-Service AI Stack on `ai.idre.ucla.edu` — Open WebUI Signup-Open + LDAP + LiteLLM Dual-Exposed" /></p> <p><strong>Sector:</strong> Universities</p> <p>UCLA&#39;s Institute for Digital Research and Education (IDRE) runs a multi-service LLM stack at ai.idre.ucla.edu (128.97.60.220, Los Angeles). Three distinct services on three ports: Open WebUI v0.9.1 on :3000 with enablesignup: true and enableldap: true (signup-open class observed; LDAP federation observed), and LiteLLM Proxy v1.83.4 served twice — once direct…</p> <p>UCLA&#39;s Institute for Digital Research and Education (IDRE) runs a multi-service LLM stack at ai.idre.ucla.edu (128.97.60.220, Los Angeles). Three distinct services on three ports: Open WebUI v0.9.1 on :3000 with enablesignup: true and enableldap: true (signup-open class observed; LDAP federation observed), and LiteLLM Proxy v1.83.4 served twice — once directly via uvicorn on :8000 and once nginx-fronted on :80 — with /openapi.json, /public/providers, and /public/litellmmodelcostmap returning 200 unauth (info-disclosure class observed; content endpoints /v1/ correctly enforce authentication).</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--us--ca-ucla/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--us--co-red-rocks/https://nuclide-research.com/cases/case-studies--universities--us--co-red-rocks/Red Rocks Community College runs an Open WebUI instance at datalab02.rrcc.edu (164.47.99.16:8080). /api/config returned Open WebUI v0.9.2 with enablesignup: false (auth-on; no signup-open class) and enableldap: true (LDAP federation backend enabled). Properly configured closed-enrollment deployment. First community college observed in the NuClide .edu LLM-in…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--us--co-red-rocks.png" alt="Red Rocks Community College: Open WebUI v0.9.2 on `datalab02.rrcc.edu` — Auth-On + LDAP (First Community College in Survey)" /></p> <p><strong>Sector:</strong> Universities</p> <p>Red Rocks Community College runs an Open WebUI instance at datalab02.rrcc.edu (164.47.99.16:8080). /api/config returned Open WebUI v0.9.2 with enablesignup: false (auth-on; no signup-open class) and enableldap: true (LDAP federation backend enabled). Properly configured closed-enrollment deployment. First community college observed in the NuClide .edu LLM-in…</p> <p>Red Rocks Community College runs an Open WebUI instance at datalab02.rrcc.edu (164.47.99.16:8080). /api/config returned Open WebUI v0.9.2 with enablesignup: false (auth-on; no signup-open class) and enableldap: true (LDAP federation backend enabled). Properly configured closed-enrollment deployment. First community college observed in the NuClide .edu LLM-infra ledger.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--us--co-red-rocks/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--us--fl-usf/https://nuclide-research.com/cases/case-studies--universities--us--fl-usf/USF College of Marine Science operates two JupyterHub instances on the marine.usf.edu subdomain: ocgmod1.marine.usf.edu (131.247.139.171:8000) and manglillo.marine.usf.edu (131.247.136.183:8000). Both correctly enforce authentication (/hub/api/info returns 403 "Missing or invalid credentials"). However, the manglillo host has a separate Prometheus instance o…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--us--fl-usf.png" alt="University of South Florida: Marine Lab JupyterHubs (auth-enforced) + Adjacent Prometheus `/metrics` Public" /></p> <p><strong>Sector:</strong> Universities</p> <p>USF College of Marine Science operates two JupyterHub instances on the marine.usf.edu subdomain: ocgmod1.marine.usf.edu (131.247.139.171:8000) and manglillo.marine.usf.edu (131.247.136.183:8000). Both correctly enforce authentication (/hub/api/info returns 403 &quot;Missing or invalid credentials&quot;). However, the manglillo host has a separate Prometheus instance o…</p> <p>USF College of Marine Science operates two JupyterHub instances on the marine.usf.edu subdomain: ocgmod1.marine.usf.edu (131.247.139.171:8000) and manglillo.marine.usf.edu (131.247.136.183:8000). Both correctly enforce authentication (/hub/api/info returns 403 &quot;Missing or invalid credentials&quot;). However, the manglillo host has a separate Prometheus instance on port 9090 with /metrics returning 90 KB of unauthenticated metric data — a co-located observability service exposed without auth alongside the auth-enforced JupyterHub.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--us--fl-usf/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--us--ga-georgia-state/https://nuclide-research.com/cases/case-studies--universities--us--ga-georgia-state/Georgia State University runs a Streamlit application at gluon.gsu.edu (131.96.55.92:8501). The Streamlit framework is confirmed via /stcore/health returning ok. The application title is the Streamlit default (<title>Streamlit</title> in the rendered HTML — no customization). Actual application content is served over Streamlit's WebSocket data channel; stati…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--us--ga-georgia-state.png" alt="Georgia State University: Streamlit app on `gluon.gsu.edu:8501` (framework confirmed; app content WebSocket-only)" /></p> <p><strong>Sector:</strong> Universities</p> <p>Georgia State University runs a Streamlit application at gluon.gsu.edu (131.96.55.92:8501). The Streamlit framework is confirmed via /stcore/health returning ok. The application title is the Streamlit default (&lt;title&gt;Streamlit&lt;/title&gt; in the rendered HTML — no customization). Actual application content is served over Streamlit&#39;s WebSocket data channel; stati…</p> <p>Georgia State University runs a Streamlit application at gluon.gsu.edu (131.96.55.92:8501). The Streamlit framework is confirmed via /stcore/health returning ok. The application title is the Streamlit default (&lt;title&gt;Streamlit&lt;/title&gt; in the rendered HTML — no customization). Actual application content is served over Streamlit&#39;s WebSocket data channel; static probes cannot enumerate the app&#39;s purpose without establishing an interactive session.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--us--ga-georgia-state/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--us--il-depaul/https://nuclide-research.com/cases/case-studies--universities--us--il-depaul/DePaul's institutional network surfaces 20+ hosts with port 3000 open when scoped via Shodan org:"DePaul University". Only 4 of these have HTTP title "Open WebUI"; the rest are student dev servers (React apps, project portfolios, course assignments). Of the 4 Open WebUI hosts, one was the original signup-open target captured during Stage-0 (lpc-eduroam-187-2…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--us--il-depaul.png" alt="DePaul University: Campus-Wide Port-3000 Population — Live Open WebUI Auth-On, DHCP-Rotated Hosts, Mixed Student Dev Work" /></p> <p><strong>Sector:</strong> Universities</p> <p>DePaul&#39;s institutional network surfaces 20+ hosts with port 3000 open when scoped via Shodan org:&quot;DePaul University&quot;. Only 4 of these have HTTP title &quot;Open WebUI&quot;; the rest are student dev servers (React apps, project portfolios, course assignments). Of the 4 Open WebUI hosts, one was the original signup-open target captured during Stage-0 (lpc-eduroam-187-2…</p> <p>DePaul&#39;s institutional network surfaces 20+ hosts with port 3000 open when scoped via Shodan org:&quot;DePaul University&quot;. Only 4 of these have HTTP title &quot;Open WebUI&quot;; the rest are student dev servers (React apps, project portfolios, course assignments). Of the 4 Open WebUI hosts, one was the original signup-open target captured during Stage-0 (lpc-eduroam-187-239.eduroam-employee.depaul.edu) — that hostname&#39;s DHCP-assigned IP has since rotated and the host is no longer reachable. Three other employee-network Open WebUI hosts are visible in Shodan; one (140.192.183.141) was verified at probe time as Open WebUI v0.4.7 with enablesignup: false (auth-on, NOT exploitable for takeover). Documents the DHCP-rotation operational pattern + the &quot;port 3000 ≠ Open WebUI&quot; false-positive class at the .edu institutional scope.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--us--il-depaul/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--us--il-uchicago/https://nuclide-research.com/cases/case-studies--universities--us--il-uchicago/The University of Chicago surfaces two distinct hosts in this survey: helabserver0.uchicago.edu running a Streamlit application on port 8501, and jupyterhub-dev.grid.uchicago.edu running JupyterHub on port 8000. The Streamlit host has framework-confirmed deployment with default title; the JupyterHub host returns HTTP 502 Bad Gateway, indicating the service i…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--us--il-uchicago.png" alt="University of Chicago: Two-Host Observation — Streamlit on `helabserver0` (auth-on framework) + JupyterHub on `jupyterhub-dev.grid` (502 Bad Gateway / degraded)" /></p> <p><strong>Sector:</strong> Universities</p> <p>The University of Chicago surfaces two distinct hosts in this survey: helabserver0.uchicago.edu running a Streamlit application on port 8501, and jupyterhub-dev.grid.uchicago.edu running JupyterHub on port 8000. The Streamlit host has framework-confirmed deployment with default title; the JupyterHub host returns HTTP 502 Bad Gateway, indicating the service i…</p> <p>The University of Chicago surfaces two distinct hosts in this survey: helabserver0.uchicago.edu running a Streamlit application on port 8501, and jupyterhub-dev.grid.uchicago.edu running JupyterHub on port 8000. The Streamlit host has framework-confirmed deployment with default title; the JupyterHub host returns HTTP 502 Bad Gateway, indicating the service is degraded / not serving requests.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--us--il-uchicago/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--us--md-umd-college-park/https://nuclide-research.com/cases/case-studies--universities--us--md-umd-college-park/University of Maryland College Park runs an Open WebUI instance at amorgos.umd.edu (128.8.235.4, Brookeville MD). /api/config returned enablesignup: true on Open WebUI v0.3.32 — class membership for signup-open OBSERVED. Version 0.3.32 is significantly older than the current Open WebUI release line; multiple disclosed advisories apply per the publicly-known…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--us--md-umd-college-park.png" alt="University of Maryland College Park: Open WebUI v0.3.32 on `amorgos.umd.edu` — `enable_signup:true` OBSERVED on Very-Old Version" /></p> <p><strong>Sector:</strong> Universities</p> <p>University of Maryland College Park runs an Open WebUI instance at amorgos.umd.edu (128.8.235.4, Brookeville MD). /api/config returned enablesignup: true on Open WebUI v0.3.32 — class membership for signup-open OBSERVED. Version 0.3.32 is significantly older than the current Open WebUI release line; multiple disclosed advisories apply per the publicly-known…</p> <p>University of Maryland College Park runs an Open WebUI instance at amorgos.umd.edu (128.8.235.4, Brookeville MD). /api/config returned enablesignup: true on Open WebUI v0.3.32 — class membership for signup-open OBSERVED. Version 0.3.32 is significantly older than the current Open WebUI release line; multiple disclosed advisories apply per the publicly-known version-vulnerability mapping. Apache 2.4.58 serving the Ubuntu default &quot;It works&quot; page is present on port 80 alongside the OW deployment on port 8080.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--us--md-umd-college-park/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--us--me-southern-maine/https://nuclide-research.com/cases/case-studies--universities--us--me-southern-maine/University of Southern Maine's CS department runs an 8-host JupyterHub fleet on the cs.usm.maine.edu subdomain, with hostnames following an entomology theme (wasp, earwig, locust, mosquito, ant, beetle) plus two computing-pioneer-named hosts (turing, pascal). All 8 hosts respond to /hub/api/info with HTTP 403 "Missing or invalid credentials" — JupyterHub aut…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--us--me-southern-maine.png" alt="University of Southern Maine: 8-Host JupyterHub Fleet on `cs.usm.maine.edu` — Entomology-Themed Research Cluster, All Auth-Enforced" /></p> <p><strong>Sector:</strong> Universities</p> <p>University of Southern Maine&#39;s CS department runs an 8-host JupyterHub fleet on the cs.usm.maine.edu subdomain, with hostnames following an entomology theme (wasp, earwig, locust, mosquito, ant, beetle) plus two computing-pioneer-named hosts (turing, pascal). All 8 hosts respond to /hub/api/info with HTTP 403 &quot;Missing or invalid credentials&quot; — JupyterHub aut…</p> <p>University of Southern Maine&#39;s CS department runs an 8-host JupyterHub fleet on the cs.usm.maine.edu subdomain, with hostnames following an entomology theme (wasp, earwig, locust, mosquito, ant, beetle) plus two computing-pioneer-named hosts (turing, pascal). All 8 hosts respond to /hub/api/info with HTTP 403 &quot;Missing or invalid credentials&quot; — JupyterHub authentication is correctly enforced fleet-wide. Documented here as an institutional-fleet entry: same operator, same configuration template, properly secured across the deployment.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--us--me-southern-maine/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--us--ny-cooper-union/https://nuclide-research.com/cases/case-studies--universities--us--ny-cooper-union/Cooper Union runs an Open WebUI instance at kahan.ee.cooper.edu (199.98.27.237). /api/config returned Open WebUI v0.9.2 with enablesignup: false (auth-on; no signup-open class) and enableldap: true (LDAP federation backend enabled). Properly configured closed-enrollment deployment with directory integration. Documented as a wave-2 cohort entry — first privat…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--us--ny-cooper-union.png" alt="Cooper Union for the Advancement of Science and Art: Open WebUI v0.9.2 on `kahan.ee.cooper.edu` — Auth-On + LDAP" /></p> <p><strong>Sector:</strong> Universities</p> <p>Cooper Union runs an Open WebUI instance at kahan.ee.cooper.edu (199.98.27.237). /api/config returned Open WebUI v0.9.2 with enablesignup: false (auth-on; no signup-open class) and enableldap: true (LDAP federation backend enabled). Properly configured closed-enrollment deployment with directory integration. Documented as a wave-2 cohort entry — first privat…</p> <p>Cooper Union runs an Open WebUI instance at kahan.ee.cooper.edu (199.98.27.237). /api/config returned Open WebUI v0.9.2 with enablesignup: false (auth-on; no signup-open class) and enableldap: true (LDAP federation backend enabled). Properly configured closed-enrollment deployment with directory integration. Documented as a wave-2 cohort entry — first private engineering school in the survey.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--us--ny-cooper-union/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--us--ny-cornell/https://nuclide-research.com/cases/case-studies--universities--us--ny-cornell/Cornell University runs an Open WebUI instance at onepl.aap.cornell.edu (128.253.41.30:3000). /api/config returned Open WebUI v0.6.14 with enablesignup: false (auth-on; no signup-open class) and enableapikey: true (post-authentication API key minting enabled). Properly configured for closed enrollment. Documented here as a wave-2 cohort entry: contrasts with…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--us--ny-cornell.png" alt="Cornell University: Open WebUI v0.6.14 on `onepl.aap.cornell.edu` — Auth-On + API Keys Enabled" /></p> <p><strong>Sector:</strong> Universities</p> <p>Cornell University runs an Open WebUI instance at onepl.aap.cornell.edu (128.253.41.30:3000). /api/config returned Open WebUI v0.6.14 with enablesignup: false (auth-on; no signup-open class) and enableapikey: true (post-authentication API key minting enabled). Properly configured for closed enrollment. Documented here as a wave-2 cohort entry: contrasts with…</p> <p>Cornell University runs an Open WebUI instance at onepl.aap.cornell.edu (128.253.41.30:3000). /api/config returned Open WebUI v0.6.14 with enablesignup: false (auth-on; no signup-open class) and enableapikey: true (post-authentication API key minting enabled). Properly configured for closed enrollment. Documented here as a wave-2 cohort entry: contrasts with wave-1 signup-open hosts.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--us--ny-cornell/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--universities--us--wa-uw/https://nuclide-research.com/cases/case-studies--universities--us--wa-uw/University of Washington's Civil Engineering department surfaces a Streamlit application at D4-084.ce.washington.edu (128.95.204.84:8501). Streamlit framework confirmed via /stcore/health returning ok. Hostname pattern (D4-084) suggests a numbered lab compute host in the CE department. App-level title is the Streamlit default; per restraint ethic, the WebSoc…Tue, 19 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--universities--us--wa-uw.png" alt="University of Washington: Streamlit app on `D4-084.ce.washington.edu:8501` (Civil Engineering dept; framework confirmed)" /></p> <p><strong>Sector:</strong> Universities</p> <p>University of Washington&#39;s Civil Engineering department surfaces a Streamlit application at D4-084.ce.washington.edu (128.95.204.84:8501). Streamlit framework confirmed via /stcore/health returning ok. Hostname pattern (D4-084) suggests a numbered lab compute host in the CE department. App-level title is the Streamlit default; per restraint ethic, the WebSoc…</p> <p>University of Washington&#39;s Civil Engineering department surfaces a Streamlit application at D4-084.ce.washington.edu (128.95.204.84:8501). Streamlit framework confirmed via /stcore/health returning ok. Hostname pattern (D4-084) suggests a numbered lab compute host in the CE department. App-level title is the Streamlit default; per restraint ethic, the WebSocket session that would reveal app content was not established.</p> <p><a href="https://nuclide-research.com/cases/case-studies--universities--us--wa-uw/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--tegrity-mhcampus-selfreg-2026-05-18/https://nuclide-research.com/cases/case-studies--commercial--tegrity-mhcampus-selfreg-2026-05-18/selfreg.tegrity.com, the production self-registration service for McGraw-Hill Campus, is failing at AppDomain initialization. The AWS SDK for .NET's credential provider chain exhausts because the host has no IAM credentials reachable (no instance profile, no env vars, no IMDS response). Every URL — including /robots.txt and /favicon.ico — returns the same 17…Mon, 18 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--tegrity-mhcampus-selfreg-2026-05-18.png" alt="Tegrity / McGraw-Hill Campus Self-Registration — ASP.NET YSOD + Service Outage" /></p> <p><strong>Sector:</strong> Commercial</p> <p>selfreg.tegrity.com, the production self-registration service for McGraw-Hill Campus, is failing at AppDomain initialization. The AWS SDK for .NET&#39;s credential provider chain exhausts because the host has no IAM credentials reachable (no instance profile, no env vars, no IMDS response). Every URL — including /robots.txt and /favicon.ico — returns the same 17…</p> <p>selfreg.tegrity.com, the production self-registration service for McGraw-Hill Campus, is failing at AppDomain initialization. The AWS SDK for .NET&#39;s credential provider chain exhausts because the host has no IAM credentials reachable (no instance profile, no env vars, no IMDS response). Every URL — including /robots.txt and /favicon.ico — returns the same 17,539-byte ASP.NET Yellow Screen of Death, byte-identical across all three ELB pool members.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--tegrity-mhcampus-selfreg-2026-05-18/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--adya-ai-vanijmcp-2026-05-17/https://nuclide-research.com/cases/case-studies--commercial--adya-ai-vanijmcp-2026-05-17/vanijmcp.adya.ai (20.198.18.237) is an Adya AI infrastructure host on Microsoft Azure India. It exposes seven services on different ports. The headline finding is on port 5005: a custom FastAPI service named "WandB Service" with embedded Weights & Biases credentials. Any internet client can query it and receive the operator's entire WandB workspace, includin…Sun, 17 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--adya-ai-vanijmcp-2026-05-17.png" alt="Adya AI: WandB workspace exfil via unauth FastAPI proxy (vanijmcp.adya.ai)" /></p> <p><strong>Sector:</strong> Commercial</p> <p>vanijmcp.adya.ai (20.198.18.237) is an Adya AI infrastructure host on Microsoft Azure India. It exposes seven services on different ports. The headline finding is on port 5005: a custom FastAPI service named &quot;WandB Service&quot; with embedded Weights &amp; Biases credentials. Any internet client can query it and receive the operator&#39;s entire WandB workspace, includin…</p> <p>vanijmcp.adya.ai (20.198.18.237) is an Adya AI infrastructure host on Microsoft Azure India. It exposes seven services on different ports. The headline finding is on port 5005: a custom FastAPI service named &quot;WandB Service&quot; with embedded Weights &amp; Biases credentials. Any internet client can query it and receive the operator&#39;s entire WandB workspace, including project metadata, training runs, configs, summaries, full training-history time series, and logged-artifact metadata.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--adya-ai-vanijmcp-2026-05-17/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--multi-cross-survey-stacked-catastrophe-2026-05-16/https://nuclide-research.com/cases/case-studies--commercial--multi-cross-survey-stacked-catastrophe-2026-05-16/A multi-tenant Chinese hospital AI assistant is running on a single Chinese-cloud-hosted IP with every layer of its AI stack reachable from the public internet without authentication. The chatbot's RAG (retrieval-augmented generation) backend stores patient records in a vector database whose collection names alone disclose what's inside: prescriptions, surgi…Sat, 16 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--multi-cross-survey-stacked-catastrophe-2026-05-16.png" alt="Hospital&#39;s AI chatbot exposes 270,000+ patient records" /></p> <p><strong>Sector:</strong> Commercial</p> <p>A multi-tenant Chinese hospital AI assistant is running on a single Chinese-cloud-hosted IP with every layer of its AI stack reachable from the public internet without authentication. The chatbot&#39;s RAG (retrieval-augmented generation) backend stores patient records in a vector database whose collection names alone disclose what&#39;s inside: prescriptions, surgi…</p> <p>A multi-tenant Chinese hospital AI assistant is running on a single Chinese-cloud-hosted IP with every layer of its AI stack reachable from the public internet without authentication. The chatbot&#39;s RAG (retrieval-augmented generation) backend stores patient records in a vector database whose collection names alone disclose what&#39;s inside: prescriptions, surgical history, inpatient and outpatient visits, billing, diagnoses, doctor names, patient names. The Elasticsearch index holding the RAG document chunks contains 214,597 entity-vector documents and 55,807 source-text chunks.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--multi-cross-survey-stacked-catastrophe-2026-05-16/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--alpha-miner-194-233-71-223-2026-05-15/https://nuclide-research.com/cases/case-studies--commercial--alpha-miner-194-233-71-223-2026-05-15/- IP: 194.233.71.223 - rDNS: vmi2733226.contaboserver.net - ASN: AS141995 Contabo Asia Private Limited - Location: Singapore (Contabo Asia Pte Ltd, 8 Robinson Road / International Plaza) - WHOIS abuse: abuse@contabo.de - Passive DNS (HackerTarget) cluster on same IP: - aceservice.store - ackeliling.store (Bahasa Indonesia: "AC keliling" = mobile AC servi…Fri, 15 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--alpha-miner-194-233-71-223-2026-05-15.png" alt="alpha_miner Job Scheduler: 194.233.71.223 (Contabo SG)" /></p> <p><strong>Sector:</strong> Commercial</p> <p>- IP: 194.233.71.223 - rDNS: vmi2733226.contaboserver.net - ASN: AS141995 Contabo Asia Private Limited - Location: Singapore (Contabo Asia Pte Ltd, 8 Robinson Road / International Plaza) - WHOIS abuse: abuse@contabo.de - Passive DNS (HackerTarget) cluster on same IP: - aceservice.store - ackeliling.store (Bahasa Indonesia: &quot;AC keliling&quot; = mobile AC servi…</p> <p>- IP: 194.233.71.223 - rDNS: vmi2733226.contaboserver.net - ASN: AS141995 Contabo Asia Private Limited - Location: Singapore (Contabo Asia Pte Ltd, 8 Robinson Road / International Plaza) - WHOIS abuse: abuse@contabo.de - Passive DNS (HackerTarget) cluster on same IP: - aceservice.store - ackeliling.store (Bahasa Indonesia: &quot;AC keliling&quot; = mobile AC service) - jasatukangac.store (&quot;jasa tukang AC&quot; = AC repairman service) - liangserviceac.store - warungngopi.xyz (&quot;warung ngopi&quot; = coffee stall)</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--alpha-miner-194-233-71-223-2026-05-15/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--llamaindex-chat-23-239-19-219-2026-05-15/https://nuclide-research.com/cases/case-studies--commercial--llamaindex-chat-23-239-19-219-2026-05-15/23.239.19.219. Linode US datacenter (Akamai AS), 23.239.0.0/19, rDNS 23-239-19-219.ip.linodeusercontent.com. Linode shared-allocation, neighbor at .217 is harperdbcloud.com. No AS63949 honeypot salt match. Verdict "no honeypot signals" per aimap-profile.Fri, 15 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--llamaindex-chat-23-239-19-219-2026-05-15.png" alt="23.239.19.219: Exposed LlamaIndex Chat with Broken Backend, Multi-Tenant SNI Co-Tenancy" /></p> <p><strong>Sector:</strong> Commercial</p> <p>23.239.19.219. Linode US datacenter (Akamai AS), 23.239.0.0/19, rDNS 23-239-19-219.ip.linodeusercontent.com. Linode shared-allocation, neighbor at .217 is harperdbcloud.com. No AS63949 honeypot salt match. Verdict &quot;no honeypot signals&quot; per aimap-profile.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--llamaindex-chat-23-239-19-219-2026-05-15/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--smartshop-ai-pentech-disclosure-2026-05-13/https://nuclide-research.com/cases/case-studies--commercial--smartshop-ai-pentech-disclosure-2026-05-13/NuClide Research · 2026-05-13Wed, 13 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--smartshop-ai-pentech-disclosure-2026-05-13.png" alt="SmartShop AI / amazonrec.space: Multi-service ML pipeline exposure on a single PENTECH host" /></p> <p><strong>Sector:</strong> Commercial</p> <p>NuClide Research · 2026-05-13</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--smartshop-ai-pentech-disclosure-2026-05-13/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--ar-reputacion-digital-multi-surface-2026-05-10/https://nuclide-research.com/cases/case-studies--commercial--ar-reputacion-digital-multi-surface-2026-05-10/NuClide Research · 2026-05-10Sun, 10 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--ar-reputacion-digital-multi-surface-2026-05-10.png" alt="reputacion.digital: Multi-surface chained exposure (Phoenix + NFS + Prometheus + dev SMTP)" /></p> <p><strong>Sector:</strong> Commercial</p> <p>NuClide Research · 2026-05-10</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--ar-reputacion-digital-multi-surface-2026-05-10/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--couchdb-telecom-consent-rce-2026-05-09/https://nuclide-research.com/cases/case-studies--commercial--couchdb-telecom-consent-rce-2026-05-09/Unauth CouchDB 2.3.1 on Microsoft Azure (Pune, India) hosting Airtel + Tata telecom consent management infrastructure. 7.1M consent records, 244M subscriber preferences with MSISDN phone numbers. Instance has been actively exploited via CVE-2022-24706. 9 attack design documents present including a live reverse shell beacon to 57.131.25.205:4444 (OVH Roubaix,…Sat, 09 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--couchdb-telecom-consent-rce-2026-05-09.png" alt="CouchDB Telecom Consent Platform: Active RCE + 244M Subscriber Records" /></p> <p><strong>Sector:</strong> Commercial</p> <p>Unauth CouchDB 2.3.1 on Microsoft Azure (Pune, India) hosting Airtel + Tata telecom consent management infrastructure. 7.1M consent records, 244M subscriber preferences with MSISDN phone numbers. Instance has been actively exploited via CVE-2022-24706. 9 attack design documents present including a live reverse shell beacon to 57.131.25.205:4444 (OVH Roubaix,…</p> <p>Unauth CouchDB 2.3.1 on Microsoft Azure (Pune, India) hosting Airtel + Tata telecom consent management infrastructure. 7.1M consent records, 244M subscriber preferences with MSISDN phone numbers. Instance has been actively exploited via CVE-2022-24706. 9 attack design documents present including a live reverse shell beacon to 57.131.25.205:4444 (OVH Roubaix, France).</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--couchdb-telecom-consent-rce-2026-05-09/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--nats-jetstream-paramwallet-ledger-2026-05-09/https://nuclide-research.com/cases/case-studies--commercial--nats-jetstream-paramwallet-ledger-2026-05-09/141.148.212.34 (Oracle Cloud Mumbai). Production NATS JetStream cluster running an AI document-processing pipeline coupled to a private blockchain ledger. NATS protocol port 4222 advertises no auth requirement; unauthenticated clients can list streams, read all message contents, and publish to any subject. Workspace hil-taloja (likely Hindustan Infrastructur…Sat, 09 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--nats-jetstream-paramwallet-ledger-2026-05-09.png" alt="NATS JetStream: ParamWallet Production Ledger + AI Pipeline (Open Pub/Sub)" /></p> <p><strong>Sector:</strong> Commercial</p> <p>141.148.212.34 (Oracle Cloud Mumbai). Production NATS JetStream cluster running an AI document-processing pipeline coupled to a private blockchain ledger. NATS protocol port 4222 advertises no auth requirement; unauthenticated clients can list streams, read all message contents, and publish to any subject. Workspace hil-taloja (likely Hindustan Infrastructur…</p> <p>141.148.212.34 (Oracle Cloud Mumbai). Production NATS JetStream cluster running an AI document-processing pipeline coupled to a private blockchain ledger. NATS protocol port 4222 advertises no auth requirement; unauthenticated clients can list streams, read all message contents, and publish to any subject. Workspace hil-taloja (likely Hindustan Infrastructure Ltd. Taloja, Mumbai industrial area). TLS cert .paramwallet.com ties the host to ParamWallet, a fintech wallet/payment platform. AI pipeline (AITASKS, DOCUMENTS) feeds a smart-contract gateway (GATEWAY, TRANSACTIONS, LEDGERNODES, OFFCHAIN). An attacker on the open NATS port can inject ledger transactions, poison AI classifications, and alter document state-machine transitions.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--nats-jetstream-paramwallet-ledger-2026-05-09/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--anduril-lattice-dev-infrastructure-2026-05-08/https://nuclide-research.com/cases/case-studies--commercial--anduril-lattice-dev-infrastructure-2026-05-08/NuClide Research · 2026-05-08 (sent 2026-05-09)Fri, 08 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--anduril-lattice-dev-infrastructure-2026-05-08.png" alt="Anduril Industries, Lattice Monitoring Plane (Telefonica ARO Grafana), Disclosure Sent, Awaiting Acknowledgment" /></p> <p><strong>Sector:</strong> Commercial</p> <p>NuClide Research · 2026-05-08 (sent 2026-05-09)</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--anduril-lattice-dev-infrastructure-2026-05-08/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--vendor-ollama-launch-claude-desktop-2026-05-07/https://nuclide-research.com/cases/case-studies--commercial--vendor-ollama-launch-claude-desktop-2026-05-07/NuClide Research, 2026-05-07Thu, 07 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--vendor-ollama-launch-claude-desktop-2026-05-07.png" alt="ollama launch claude-desktop: Gateway-mode MITM by default + community-tutorial typosquat surface" /></p> <p><strong>Sector:</strong> Commercial</p> <p>NuClide Research, 2026-05-07</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--vendor-ollama-launch-claude-desktop-2026-05-07/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--vendor-template-adjacent-sweep-2026-05-07/https://nuclide-research.com/cases/case-studies--commercial--vendor-template-adjacent-sweep-2026-05-07/NuClide Research, 2026-05-07Thu, 07 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--vendor-template-adjacent-sweep-2026-05-07.png" alt="Vendor-template adjacent-vendor sweep, planning doc + Shodan dork catalog (2026-05-07)" /></p> <p><strong>Sector:</strong> Commercial</p> <p>NuClide Research, 2026-05-07</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--vendor-template-adjacent-sweep-2026-05-07/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--hetzner-65-108-litellm-runpod-2026-05-06/https://nuclide-research.com/cases/case-studies--commercial--hetzner-65-108-litellm-runpod-2026-05-06/NuClide Research · 2026-05-06Wed, 06 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--hetzner-65-108-litellm-runpod-2026-05-06.png" alt="Hetzner LiteLLM proxy fronting Ollama-cpu + 4 RunPod GPU pods, fully unauth (65.108.197.157)" /></p> <p><strong>Sector:</strong> Commercial</p> <p>NuClide Research · 2026-05-06</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--hetzner-65-108-litellm-runpod-2026-05-06/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--multi-aipod-mlflow-cve-2026-05-06/https://nuclide-research.com/cases/case-studies--commercial--multi-aipod-mlflow-cve-2026-05-06/NuClide Research · 2026-05-06Wed, 06 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--multi-aipod-mlflow-cve-2026-05-06.png" alt="AIPOD orthodontic AI MLflow + Label Studio + S3 stack, CVE-2023-1177 actively-exploited (138.197.152.103)" /></p> <p><strong>Sector:</strong> Commercial</p> <p>NuClide Research · 2026-05-06</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--multi-aipod-mlflow-cve-2026-05-06/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--multi-hilix-jupyter-campaign-2026-05-06/https://nuclide-research.com/cases/case-studies--commercial--multi-hilix-jupyter-campaign-2026-05-06/NuClide Research · 2026-05-06Wed, 06 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--multi-hilix-jupyter-campaign-2026-05-06.png" alt="Hilix-class botnet campaign, multi-victim Jupyter-targeted operation (Ulm Cortical Labs + Tencent OpenClaw)" /></p> <p><strong>Sector:</strong> Commercial</p> <p>NuClide Research · 2026-05-06</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--multi-hilix-jupyter-campaign-2026-05-06/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--multi-pediatric-mlflow-metabase-setup-2026-05-06/https://nuclide-research.com/cases/case-studies--commercial--multi-pediatric-mlflow-metabase-setup-2026-05-06/NuClide Research · 2026-05-06Wed, 06 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--multi-pediatric-mlflow-metabase-setup-2026-05-06.png" alt="Pediatric medical ML operator, 224 unauth MLflow experiments + Metabase setup-token unclaimed (65.109.36.121)" /></p> <p><strong>Sector:</strong> Commercial</p> <p>NuClide Research · 2026-05-06</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--multi-pediatric-mlflow-metabase-setup-2026-05-06/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--multi-squeeze-helios-trading-2026-05-06/https://nuclide-research.com/cases/case-studies--commercial--multi-squeeze-helios-trading-2026-05-06/NuClide Research · 2026-05-06Wed, 06 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--multi-squeeze-helios-trading-2026-05-06.png" alt="Squeeze/Helios short-squeeze trading platform, full architecture leaked + MLflow CVE-2023-1177 actively exploited (159.203.110.202)" /></p> <p><strong>Sector:</strong> Commercial</p> <p>NuClide Research · 2026-05-06</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--multi-squeeze-helios-trading-2026-05-06/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--multi-triton-chat-safety-2026-05-06/https://nuclide-research.com/cases/case-studies--commercial--multi-triton-chat-safety-2026-05-06/NuClide Research · 2026-05-06Wed, 06 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--multi-triton-chat-safety-2026-05-06.png" alt="Triton chat-safety pipeline, minor-detection classifier still live (159.203.42.211 + 178.62.225.198)" /></p> <p><strong>Sector:</strong> Commercial</p> <p>NuClide Research · 2026-05-06</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--multi-triton-chat-safety-2026-05-06/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial--vendor-template-default-no-auth-research-instruments/https://nuclide-research.com/cases/case-studies--commercial--vendor-template-default-no-auth-research-instruments/NuClide Research · 2026-05-06Wed, 06 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial--vendor-template-default-no-auth-research-instruments.png" alt="Vendor-template default-no-auth on research-instrument web stacks, pattern recognition + fleet-audit roadmap" /></p> <p><strong>Sector:</strong> Commercial</p> <p>NuClide Research · 2026-05-06</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial--vendor-template-default-no-auth-research-instruments/">Read the engagement record →</a></p>https://nuclide-research.com/cases/case-studies--commercial/https://nuclide-research.com/cases/case-studies--commercial/Commercial / SaaS Ollama and AI infrastructure exposures discovered during OSINT sweeps. These differ from university and research-network exposures in that the operators are commercial entities with paying customers and PII pipelines.Mon, 04 May 2026 00:00:00 GMT<p><img src="https://nuclide-research.com/og/cases/case-studies--commercial.png" alt="Commercial AI Infrastructure Exposures" /></p> <p><strong>Sector:</strong> Other</p> <p>Commercial / SaaS Ollama and AI infrastructure exposures discovered during OSINT sweeps. These differ from university and research-network exposures in that the operators are commercial entities with paying customers and PII pipelines.</p> <p><a href="https://nuclide-research.com/cases/case-studies--commercial/">Read the engagement record →</a></p>