Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
macOS Stealer Masquerades as Crash Reports to Steal Browser Data
July 13, 2026
Turla Hackers Exploit Critical SharePoint Flaw to Access French Accounts
July 13, 2026
Internet Scans Target Exposed AI Models, Claude Credentials, and MCP Servers
July 13, 2026
Home/Threats/Internet Scans Target Exposed AI Models, Claude Credentials, and MCP Servers
Threats

Internet Scans Target Exposed AI Models, Claude Credentials, and MCP Servers

Key Takeaways Threat actors are conducting widespread internet scans targeting AI-related services, including Model Context Protocol (MCP) servers, AI assistant configuration files, and exposed local...

Marcus Rodriguez
Marcus Rodriguez
July 13, 2026 4 Min Read
4 0

Key Takeaways

  • Threat actors are conducting widespread internet scans targeting AI-related services, including Model Context Protocol (MCP) servers, AI assistant configuration files, and exposed local language model endpoints.
  • The scanning activity is broad, suggesting reconnaissance for vulnerable deployments at scale rather than targeted attacks.
  • Attackers are using sophisticated methods, such as valid MCP initialization requests and server-side request forgery (SSRF) attempts against cloud metadata services.
  • Exposed MCP servers can provide attackers with a detailed map of an AI agent’s access to internal systems and data.
  • Organizations should implement strong authentication, restrict public internet access to AI services, and review web server configurations to prevent accidental exposure of sensitive files.

Widespread Scans Target AI Infrastructure

Opportunistic attackers are increasingly focusing on internet-facing Artificial Intelligence (AI) systems. Recent observations reveal a surge in scanning activity by threat actors actively seeking vulnerable Model Context Protocol (MCP) servers, sensitive AI assistant configuration files, and inadvertently exposed local language model services.

Table Of Content

  • Key Takeaways
  • Widespread Scans Target AI Infrastructure
  • Sophisticated MCP Server Probes
  • Credentials and Models at Risk
  • Indicators of Compromise (IoCs)
  • What You Should Do

This reconnaissance effort was detected across a variety of low-traffic websites that did not appear to host dedicated AI infrastructure. This suggests a broad, indiscriminate search for weaknesses, indicating a generalized campaign rather than a highly targeted attack against specific organizations or developers.

Analysts at the Internet Storm Center said in a report that their review of two weeks of Apache and ModSecurity logs from a small web host uncovered approximately 200 requests related to AI-agent reconnaissance. These included MCP handshake probes originating from 49 distinct IP addresses. This activity highlights a growing security challenge for AI deployments. Developers may unintentionally expose MCP services, leave AI assistant settings in publicly accessible web directories, or make local models reachable from the internet, unaware that attackers are already probing for these misconfigurations.

Sophisticated MCP Server Probes

A significant aspect of the observed activity is the use of valid MCP initialization requests, rather than simple existence checks. Instead of merely verifying if a web address exists, the scanners sent properly formatted JSON-RPC messages designed to initiate an MCP conversation. This sophisticated approach allows attackers to determine if a reachable service genuinely functions as an MCP server. If a server responds, the next step in an attack could involve identifying available tools, connected data sources, and the specific actions that the AI agent is authorized to perform.

MCP servers can grant AI agents access to critical resources such as databases, internal APIs, file systems, and ticketing tools. An unauthenticated or exposed MCP server can effectively provide external malicious actors with a machine-readable blueprint of the services and data the AI agent can access. The distributed nature of these probes, originating from numerous IP addresses, further reinforces the conclusion that this is a large-scale scanning operation aimed at discovering vulnerable deployments across the internet.

Credentials and Models at Risk

The same scanning campaigns also targeted files associated with AI coding assistants. This includes configuration and credential files that developers might inadvertently place within a deployed web directory. Such files can contain critical connection details, service settings, and potentially valuable secrets that could be exploited by attackers.

The use of lightweight existence checks for credential-related files indicates that the attackers are optimizing their scans for efficiency across a vast number of targets. Rather than attempting to download every file immediately, they first confirm the presence of a potentially useful resource. Researchers also observed persistent attempts to locate unauthenticated model-serving interfaces. A publicly accessible model endpoint could provide an attacker with unauthorized access to computing resources, reveal the installed models, or serve as an initial foothold for deeper infiltration into the environment.

These scans were also accompanied by attempts to exploit server-side request forgery (SSRF) vulnerabilities against cloud metadata services. SSRF is particularly relevant to AI tools, as many AI agents and helper services often incorporate features that retrieve content from user-provided URLs.

Indicators of Compromise (IoCs)

The following indicators of compromise were identified:

Type Indicator Description
MCP endpoint POST /mcp MCP JSON-RPC initialization probe
MCP transport GET /sse Server-Sent Events transport probe
AI assistant config file .claudemcp.json Claude MCP client configuration file
AI assistant config file .cursormcp.json Cursor MCP client configuration file
AI assistant config file .cursormcpconfig.json Cursor MCP configuration file
AI assistant config file .vscodemcp.json Visual Studio Code MCP configuration file
MCP config file .mcpconfig.json Project or editor MCP configuration file
AI assistant settings file .claudesettings.local.json Claude local settings file
AI credential file .claude.credentials.json Claude credential file
AI credential file .configclaude.credentials.json Claude credential-related file probe
LLM endpoint GET /v1/models OpenAI-compatible model-listing endpoint
LLM endpoint GET /api/tags Ollama model-listing endpoint
SSRF probe fetch?url=http://metadata.google.internal/...token Cloud metadata token theft attempt
SSRF probe fetch?uri=http://metadata.google.internal/...token Cloud metadata token theft attempt
SSRF probe fetch?path=http://metadata.google.internal/...token Cloud metadata token theft attempt
SSRF probe fetch?dest=http://metadata.google.internal/...token Cloud metadata token theft attempt
Cloud metadata host metadata.google.internal Google Cloud metadata service target
Cloud metadata IP 169.254.169.254 Link-local cloud metadata service address
Kubernetes token path var/run/secrets/.../serviceaccount/token Kubernetes service-account token target

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

What You Should Do

  • Proactively review access logs on public-facing systems for any suspicious MCP traffic.
  • If your systems do not utilize MCP, treat any such requests as malicious reconnaissance and block them at the network perimeter or via web application firewalls.
  • For organizations operating MCP servers, ensure that they are protected by robust authentication mechanisms and are not directly accessible from the public internet unless absolutely necessary. Implement strict network access controls to minimize exposure.
  • Conduct external vulnerability assessments to verify that AI-related configuration and credential files are not inadvertently exposed by web servers.
  • Thoroughly audit all URL-fetching functions within AI applications and helper services for protections against internal and cloud-metadata service destinations to prevent SSRF attacks.
  • In cloud environments, enforce available metadata-service protections, such as GCP header enforcement and AWS IMDSv2, to mitigate the risk of credential theft via SSRF.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

NSA Warns of Russian Hacking Exploiting Cisco Smart Install Vulnerability

Next Post

Turla Hackers Exploit Critical SharePoint Flaw to Access French Accounts

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Debian 13 Trixie Released With Security Updates
July 13, 2026
iPhone, MacBook Forensics Expose £113,000 Property Fraud
July 13, 2026
CISA warns of Joomla iCagenda, Balbooa flaws exploited in attacks
July 13, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us