Compromised server infrastructure and cybersecurity

A malware operation has been exploiting misconfigured instances of OpenWebUI, the popular open-source interface for interacting with large language models, to install cryptocurrency miners and credential-stealing software on compromised servers.

Cybernews researchers tracked the campaign and found 98 OpenWebUI instances running with authentication disabled entirely, plus over 2,000 servers that allowed open registration. Of the 98 unauthenticated instances, roughly half (45) showed signs of compromise. Another 33 were experiencing configuration errors, and only 11 appeared to be functioning without indicators of compromise.

Layered obfuscation

The research team identified 14 distinct versions of the malware, all from the same source, and considers it highly likely that additional variants exist. The malicious scripts used layered obfuscation, repeatedly reversing byte sequences, decoding Base64 data, and decompressing with Zlib until the actual payload emerged. Once unpacked, the malware installed both a cryptocurrency miner and an infostealer to harvest system credentials. It used Discord webhooks to notify the attacker each time a new server fell.
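For analysts facing this kind of layering, the unpacking can be automated: the script below repeatedly tries to undo a byte reversal, a Base64 layer or a Zlib layer until nothing more peels off. It is an added example for this article, not code from the Cybernews research or from the malware; `FINAL_PAYLOAD` and `SAMPLE` are constructed test data, and the `_plausible` look-ahead is an assumed heuristic for rejecting accidental decodes.

```python
import base64
import binascii
import re
import zlib

# Constructed stand-in for the unpacked final stage; not the campaign's real payload.
FINAL_PAYLOAD = b"echo constructed-final-stage-marker"
B64_ALPHABET = re.compile(rb"[A-Za-z0-9+/]+={0,2}")

def _decode(kind, buf):
    # One undo-step; None when buf is not a valid instance of that layer.
    try:
        if kind == "zlib":
            return zlib.decompress(buf)
        buf = b"".join(buf.split())  # tolerate wrapped or indented Base64
        if not B64_ALPHABET.fullmatch(buf):
            return None
        return base64.b64decode(buf, validate=True)
    except (zlib.error, binascii.Error, ValueError):
        return None

def _candidates(data):
    # Yield (layer, result) for each undo-step that succeeds; "reverse+X" = reverse, then X.
    for kind in ("zlib", "base64"):
        for name, buf in ((kind, data), ("reverse+" + kind, data[::-1])):
            out = _decode(kind, buf)
            if out is not None:
                yield name, out

def _plausible(stage):
    # Keep a decoded stage only if another layer peels off it or it reads as script text,
    # which rejects accidental decodes (a reversed Base64 string can still be valid Base64).
    if next(_candidates(stage), None) is not None:
        return True
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in stage)
    return bool(stage) and printable / len(stage) > 0.9

def peel_layers(blob, max_layers=64):
    """Undo reverse / Base64 / Zlib layers until none applies; return (payload, trail)."""
    trail, data = [], blob
    for _ in range(max_layers):  # hard cap so a crafted blob cannot spin forever
        step = next(((n, out) for n, out in _candidates(data) if _plausible(out)), None)
        if step is None:
            break
        trail.append(step[0])
        data = step[1]
    return data, trail

# Constructed test input: reverse(b64(zlib(reverse(b64(payload))))), five layers deep.
SAMPLE = base64.b64encode(zlib.compress(base64.b64encode(FINAL_PAYLOAD)[::-1]))[::-1]
```

The returned trail records which layer was removed at each step, which is what you would log alongside the recovered payload when triaging a sample.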

Undocumented API vulnerabilities

During the investigation, the researchers also found two information disclosure vulnerabilities in OpenWebUI itself: undocumented API routes at /api/config and /api/version that lacked access controls. These could have helped attackers discover and target vulnerable servers.

Cybernews said it contacted OpenWebUI Inc. to disclose the vulnerabilities, but the report was closed without a response.