An AWS server acting as an AI gateway to Amazon Bedrock was compromised and used to mine cryptocurrency, cybersecurity researchers have found. The server was running LiteLLM, a widely used proxy for routing traffic to cloud AI model services.
On Jun. 12, Darktrace observed the instance, named LiteLLM-Proxy, reaching out repeatedly to known cryptomining infrastructure after downloading XMRig, a common mining tool. The company said it detected and escalated the activity through its managed threat detection service before the host was shut down.
What made it notable was the asset. The server held the permissions needed to broker access to Amazon’s foundation-model services, concentrating cloud credentials, model access, and application workflows into one control point.
Darktrace found the instance had left SSH, the standard remote-administration channel, open to the entire internet, and saw a heavy volume of inbound login attempts consistent with brute-forcing.
The telemetry could not confirm a successful login, so the company stopped short of naming SSH as the proven entry point, but the combination of open exposure and the miner that followed made it the plausible path.
An AI Gateway Is Still a Cloud Asset
Darktrace was clear about what it did not find: no evidence tying the incident to any of the publicly disclosed LiteLLM vulnerabilities that have drawn attacker attention to the software in recent months. This was a familiar cloud compromise, exposed service to brute force to resource abuse, that happened to land on an AI-serving host.
A day later, the investigation surfaced separate suspicious activity from a different cloud identity, using a long-term access key from an unusual location to enumerate Bedrock models and attempt to create a new user account, a possible bid for persistence.
Darktrace found insufficient evidence to link it conclusively to the mining incident, but flagged it as possible credential misuse worth investigating on its own.
“Even without a confirmed link between the two incidents, the IAM activity remains significant. It demonstrates the importance of incorporating both [workload telemetry and control-plane telemetry] into cloud compromise investigations,” the company noted.
It echoes recent research showing how a privileged AI-connected environment in AWS can be turned against its owner, the kind of exposure attackers increasingly probe for.