Anatomy of an LLMjacking worm

Anatomy of an “LLMjacking” worm: how an exposed LiteLLM proxy got my server cryptojacked — and how to check if you’re exposed

Published June 2026. A first-hand incident writeup. Victim host details are redacted; attacker indicators (IOCs) are shared in full so others can detect and block them.

TL;DR

I run a small fleet of services on a single Ubuntu VPS. I had three LiteLLM proxy containers exposed to the internet on 0.0.0.0:4000-4002 with no authentication (no LITELLM_MASTER_KEY). An automated worm found them, used the open proxy to get code execution as root inside the container, and dropped a cryptojacking + credential-stealing kit: an XMRig-class miner (~170% CPU), a self-spreading internet scanner, a fake-sshd backdoor, a watchdog, and — the modern twist — a fake MCP / JSON-RPC “credential stealer” that specifically hunts for LLM API keys (sk-ant-…, sk-proj-…, OpenAI/Anthropic/Google/Groq/OpenRouter) alongside cloud and SSH secrets.

This is “LLMjacking”: stealing AI inference credentials to resell, layered on classic cryptomining. It’s a fast-growing 2025-2026 campaign class that targets exposed AI infrastructure (LiteLLM, Ollama, Ray, ComfyUI…).

The single root cause: an unauthenticated service on 0.0.0.0. Everything else followed from that.

This post explains the full chain, lists the IOCs, and gives you a copy-paste prompt to point a coding agent at your own box to check and fix it.

How I found it

The tell was sustained high load — a load average of 6-14 on a 4-core box, with the CPU pegged and nothing legitimate to explain it. top showed a process called .ssh-keyd-47945 burning ~172% CPU. That “ssh key daemon” does not exist. It was an XMRig-class Monero miner wearing a disguise. ...

June 7, 2026 · 9 min · Aleksei Aksenov

Running Claude Code with a Different Model via LiteLLM Proxy

Claude Code is Anthropic’s official CLI tool for interacting with Claude models directly from your terminal. By default, it connects to Anthropic’s API, but sometimes you may want to use a different LLM provider — for cost savings, privacy, or to experiment with alternative models. In this guide, I’ll show how to redirect Claude Code requests through a LiteLLM proxy, allowing you to swap in any compatible model while keeping the Claude Code interface you’re familiar with. ...

February 14, 2026 · 5 min · Aleksei Aksenov