Cybernews researchers have tracked a malicious campaign targeting OpenWebUI, a widely used interface that lets people interact with large language models such as ChatGPT or locally hosted models like Ollama through a web dashboard.
Key Findings
Researchers found 98 OpenWebUI instances where authentication was turned off entirely and over 2,000 servers that allowed anyone to register an account.
A malware operation has been hijacking AI servers to mine cryptocurrency and steal sensitive credentials.
The team has tracked 14 different versions of the malware, all from the same source, with more likely undiscovered.
Around half of the servers detected as missing authentication were compromised — 45 out of 98. A further 33 were experiencing configuration conflicts and system errors, with only 11 functioning properly without indicators of compromise.
How the Malware Works
The malicious scripts use a simple but effective obfuscation technique. The code repeatedly reverses byte sequences, decodes Base64 data, and decompresses it with Zlib until the real payload appears. Once unpacked, it installs a double-threat combination of cryptocurrency miners and infostealers to scavenge for system credentials.
The malware also uses Discord webhooks to notify the attacker every time a new server is compromised.
Vulnerabilities Discovered
During the investigation, the research team found two information disclosure vulnerabilities in OpenWebUI due to a lack of access controls for undocumented API routes. These could have allowed threat actors to discover and target vulnerable and misconfigured OpenWebUI servers.
The team reached out to OpenWebUI Inc. to disclose the vulnerabilities, but the report was closed without a response.
