Amazon Bedrock AI Gateway Compromised By Cryptomining Malware 

An exposed cloud server acting as a LiteLLM proxy to Amazon Bedrock was compromised and used to mine cryptocurrency.

Published on Jul 9, 2026
Amazon Bedrock AI Gateway Compromised By Cryptomining Malware 

An AWS server acting as an AI gateway to Amazon Bedrock was compromised and used to mine cryptocurrency, cybersecurity researchers  have found. The server was running LiteLLM, a widely used proxy for routing traffic to cloud AI model services.

On Jun. 12, Darktrace observed the instance, named LiteLLM-Proxy, reaching out repeatedly to known cryptomining infrastructure after downloading XMRig, a common mining tool. The company said it detected and escalated the activity through its managed threat detection service before the host was shut down.

What made it notable was the asset. The server held the permissions needed to broker access to Amazon’s foundation-model services, concentrating cloud credentials, model access, and application workflows into one control point. 

Darktrace found the instance had left SSH, the standard remote-administration channel, open to the entire internet, and saw a heavy volume of inbound login attempts consistent with brute-forcing.

The telemetry could not confirm a successful login, so the company stopped short of naming SSH as the proven entry point, but the combination of open exposure and the miner that followed made it the plausible path.

An AI Gateway Is Still a Cloud Asset

Darktrace was clear about what it did not find: no evidence tying the incident to any of the publicly disclosed LiteLLM vulnerabilities that have drawn attacker attention to the software in recent months. This was a familiar cloud compromise, exposed service to brute force to resource abuse, that happened to land on an AI-serving host.

A day later, the investigation surfaced separate suspicious activity from a different cloud identity, using a long-term access key from an unusual location to enumerate Bedrock models and attempt to create a new user account, a possible bid for persistence.

Darktrace found insufficient evidence to link it conclusively to the mining incident, but flagged it as possible credential misuse worth investigating on its own.

“Even without a confirmed link between the two incidents, the IAM activity remains significant. It demonstrates the importance of incorporating both [workload telemetry and control-plane telemetry] into cloud compromise investigations,” the company noted.

It echoes recent research showing how a privileged AI-connected environment in AWS can be turned against its owner, the kind of exposure attackers increasingly probe for.

This field is for validation purposes and should be left unchanged.

FREE NEWSLETTER

Cyber Weekly

Get curated cybersecurity news, threats and insights delivered free every Thursday.

Written By Written By
Alessandro Mascellino
Alessandro Mascellino Cybersecurity Reporter

Alessandro Mascellino is a British-Italian freelance journalist specializing in technology and gaming. He has contributed to several publications, including Wired, The Independent, and Android Police. By day, he works as a journalist. By night, he co-manages a game studio that creates narrative games.