Internet Scans Target Exposed AI Models, Claude Credentials, and MCP Servers
Key Takeaways Threat actors are conducting widespread internet scans targeting AI-related services, including Model Context Protocol (MCP) servers, AI assistant configuration files, and exposed local...
Key Takeaways
- Threat actors are conducting widespread internet scans targeting AI-related services, including Model Context Protocol (MCP) servers, AI assistant configuration files, and exposed local language model endpoints.
- The scanning activity is broad, suggesting reconnaissance for vulnerable deployments at scale rather than targeted attacks.
- Attackers are using sophisticated methods, such as valid MCP initialization requests and server-side request forgery (SSRF) attempts against cloud metadata services.
- Exposed MCP servers can provide attackers with a detailed map of an AI agent’s access to internal systems and data.
- Organizations should implement strong authentication, restrict public internet access to AI services, and review web server configurations to prevent accidental exposure of sensitive files.
Widespread Scans Target AI Infrastructure
Opportunistic attackers are increasingly focusing on internet-facing Artificial Intelligence (AI) systems. Recent observations reveal a surge in scanning activity by threat actors actively seeking vulnerable Model Context Protocol (MCP) servers, sensitive AI assistant configuration files, and inadvertently exposed local language model services.
Table Of Content
This reconnaissance effort was detected across a variety of low-traffic websites that did not appear to host dedicated AI infrastructure. This suggests a broad, indiscriminate search for weaknesses, indicating a generalized campaign rather than a highly targeted attack against specific organizations or developers.
Analysts at the Internet Storm Center said in a report that their review of two weeks of Apache and ModSecurity logs from a small web host uncovered approximately 200 requests related to AI-agent reconnaissance. These included MCP handshake probes originating from 49 distinct IP addresses. This activity highlights a growing security challenge for AI deployments. Developers may unintentionally expose MCP services, leave AI assistant settings in publicly accessible web directories, or make local models reachable from the internet, unaware that attackers are already probing for these misconfigurations.
Sophisticated MCP Server Probes
A significant aspect of the observed activity is the use of valid MCP initialization requests, rather than simple existence checks. Instead of merely verifying if a web address exists, the scanners sent properly formatted JSON-RPC messages designed to initiate an MCP conversation. This sophisticated approach allows attackers to determine if a reachable service genuinely functions as an MCP server. If a server responds, the next step in an attack could involve identifying available tools, connected data sources, and the specific actions that the AI agent is authorized to perform.
MCP servers can grant AI agents access to critical resources such as databases, internal APIs, file systems, and ticketing tools. An unauthenticated or exposed MCP server can effectively provide external malicious actors with a machine-readable blueprint of the services and data the AI agent can access. The distributed nature of these probes, originating from numerous IP addresses, further reinforces the conclusion that this is a large-scale scanning operation aimed at discovering vulnerable deployments across the internet.
Credentials and Models at Risk
The same scanning campaigns also targeted files associated with AI coding assistants. This includes configuration and credential files that developers might inadvertently place within a deployed web directory. Such files can contain critical connection details, service settings, and potentially valuable secrets that could be exploited by attackers.
The use of lightweight existence checks for credential-related files indicates that the attackers are optimizing their scans for efficiency across a vast number of targets. Rather than attempting to download every file immediately, they first confirm the presence of a potentially useful resource. Researchers also observed persistent attempts to locate unauthenticated model-serving interfaces. A publicly accessible model endpoint could provide an attacker with unauthorized access to computing resources, reveal the installed models, or serve as an initial foothold for deeper infiltration into the environment.
These scans were also accompanied by attempts to exploit server-side request forgery (SSRF) vulnerabilities against cloud metadata services. SSRF is particularly relevant to AI tools, as many AI agents and helper services often incorporate features that retrieve content from user-provided URLs.
Indicators of Compromise (IoCs)
The following indicators of compromise were identified:
| Type | Indicator | Description |
|---|---|---|
| MCP endpoint | POST /mcp |
MCP JSON-RPC initialization probe |
| MCP transport | GET /sse |
Server-Sent Events transport probe |
| AI assistant config file | .claudemcp.json |
Claude MCP client configuration file |
| AI assistant config file | .cursormcp.json |
Cursor MCP client configuration file |
| AI assistant config file | .cursormcpconfig.json |
Cursor MCP configuration file |
| AI assistant config file | .vscodemcp.json |
Visual Studio Code MCP configuration file |
| MCP config file | .mcpconfig.json |
Project or editor MCP configuration file |
| AI assistant settings file | .claudesettings.local.json |
Claude local settings file |
| AI credential file | .claude.credentials.json |
Claude credential file |
| AI credential file | .configclaude.credentials.json |
Claude credential-related file probe |
| LLM endpoint | GET /v1/models |
OpenAI-compatible model-listing endpoint |
| LLM endpoint | GET /api/tags |
Ollama model-listing endpoint |
| SSRF probe | fetch?url=http://metadata.google.internal/...token |
Cloud metadata token theft attempt |
| SSRF probe | fetch?uri=http://metadata.google.internal/...token |
Cloud metadata token theft attempt |
| SSRF probe | fetch?path=http://metadata.google.internal/...token |
Cloud metadata token theft attempt |
| SSRF probe | fetch?dest=http://metadata.google.internal/...token |
Cloud metadata token theft attempt |
| Cloud metadata host | metadata.google.internal |
Google Cloud metadata service target |
| Cloud metadata IP | 169.254.169.254 |
Link-local cloud metadata service address |
| Kubernetes token path | var/run/secrets/.../serviceaccount/token |
Kubernetes service-account token target |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
What You Should Do
- Proactively review access logs on public-facing systems for any suspicious MCP traffic.
- If your systems do not utilize MCP, treat any such requests as malicious reconnaissance and block them at the network perimeter or via web application firewalls.
- For organizations operating MCP servers, ensure that they are protected by robust authentication mechanisms and are not directly accessible from the public internet unless absolutely necessary. Implement strict network access controls to minimize exposure.
- Conduct external vulnerability assessments to verify that AI-related configuration and credential files are not inadvertently exposed by web servers.
- Thoroughly audit all URL-fetching functions within AI applications and helper services for protections against internal and cloud-metadata service destinations to prevent SSRF attacks.
- In cloud environments, enforce available metadata-service protections, such as GCP header enforcement and AWS IMDSv2, to mitigate the risk of credential theft via SSRF.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.