Internet-facing AI systems are becoming a new target for opportunistic attackers.
Recent scanning activity shows that threat actors are actively searching for Model Context Protocol, or MCP, servers, AI assistant configuration files, and exposed local language-model services.
The activity was observed across low-traffic websites that did not appear to host AI infrastructure.
That detail matters because it suggests broad reconnaissance rather than a targeted intrusion against a specific organization or developer.
Analysts at the Internet Storm Center identified the activity while reviewing two weeks of Apache and ModSecurity logs from a small web host.
The researchers found roughly 200 requests tied to AI-agent reconnaissance, with MCP handshake probes originating from 49 separate source IP addresses.
Internet Storm Center said in a report shared with Cyber Security News (CSN) The scans reflect a growing security problem around AI deployments.
Developers may expose an MCP service, leave assistant settings in a public web directory, or make a local model reachable from the internet without realizing that attackers are already looking for each of these mistakes.
Internet-Wide Scans Target MCP Servers, Claude Credentials
The most notable part of the activity was the use of valid MCP initialization requests rather than simple path checks.
Instead of asking whether a web address exists and moving on, the scanners sent correctly formed JSON-RPC messages designed to begin an MCP conversation.
That approach allows an attacker to determine whether a reachable service behaves like an MCP server.
If a server responds, the next stage could involve identifying available tools, connected data sources, and actions that the AI agent has permission to perform.
MCP servers can give AI agents access to databases, internal APIs, file systems, ticketing tools, and other business resources.
When one is exposed without authentication, it can effectively provide outsiders with a machine-readable map of services and data the agent can reach. The spread of the probes also points to a larger campaign.
The requests came from many different IP addresses, making the activity look less like academic testing and more like distributed internet-wide scanning intended to find vulnerable deployments at scale.
The organizations should review access logs for suspicious MCP traffic. Systems that do not use MCP should treat such requests as useful reconnaissance signals and block them where appropriate.
Organizations that do operate MCP servers should confirm that they require strong authentication and cannot be reached directly from the public internet unless that exposure is strictly necessary.
Limiting network access also reduces the chance that a scanner can discover the service in the first place.
Credentials and Models at Risk
The same scanning activity searched for files linked to AI coding assistants, including settings and credential files that developers may accidentally place inside a deployed web directory. These files can contain connection details, service settings, and potentially valuable secrets.
.webp)
The use of lightweight existence checks against credential-related files suggests the operators are optimizing their scans for a large number of targets. Rather than downloading every possible file, they first check whether a potentially useful resource is present.
Researchers also saw repeated attempts to locate unauthenticated model-serving interfaces. A publicly reachable model endpoint may give an attacker free access to computing resources, reveal installed models, or become a foothold for further activity inside the environment.
The scans were accompanied by attempts to abuse server-side request forgery, or SSRF, against cloud metadata services. This technique can be especially relevant to AI tools because agents and helper services often include features that retrieve content from user-supplied web addresses.
Defenders should check public-facing systems from outside their networks, ensure AI-related configuration files are not served by web servers, and review URL-fetching functions for protections against internal and cloud-metadata destinations.
Cloud environments should also enforce available metadata-service protections, including GCP header enforcement and AWS IMDSv2.
Indicators of compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| MCP endpoint | POST /mcp | MCP JSON-RPC initialization probe |
| MCP transport | GET /sse | Server-Sent Events transport probe |
| AI assistant config file | .claudemcp.json | Claude MCP client configuration file |
| AI assistant config file | .cursormcp.json | Cursor MCP client configuration file |
| AI assistant config file | .cursormcpconfig.json | Cursor MCP configuration file |
| AI assistant config file | .vscodemcp.json | Visual Studio Code MCP configuration file |
| MCP config file | .mcpconfig.json | Project or editor MCP configuration file |
| AI assistant settings file | .claudesettings.local.json | Claude local settings file |
| AI credential file | .claude.credentials.json | Claude credential file |
| AI credential file | .configclaude.credentials.json | Claude credential-related file probe |
| LLM endpoint | GET /v1/models | OpenAI-compatible model-listing endpoint |
| LLM endpoint | GET /api/tags | Ollama model-listing endpoint |
| SSRF probe | fetch?url=http://metadata.google.internal/...token | Cloud metadata token theft attempt |
| SSRF probe | fetch?uri=http://metadata.google.internal/...token | Cloud metadata token theft attempt |
| SSRF probe | fetch?path=http://metadata.google.internal/...token | Cloud metadata token theft attempt |
| SSRF probe | fetch?dest=http://metadata.google.internal/...token | Cloud metadata token theft attempt |
| Cloud metadata host | metadata.google.internal | Google Cloud metadata service target |
| Cloud metadata IP | 169.254.169.254 | Link-local cloud metadata service address |
| Kubernetes token path | var/run/secrets/.../serviceaccount/token | Kubernetes service-account token target |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.

