Hackers turned OpenWebUI AI servers into crypto mining zombies| Cybernews

Popular open-source AI servers were secretly hijacked for more than a year and turned into a silent army of crypto mining machines.

Cybernews researchers tracked a malicious campaign that targets OpenWebUI, a widely used interface that lets people interact with large language models (LLMs) such as ChatGPT or locally hosted models like Ollama, through a web dashboard.

With over 122,000 GitHub stars, this tool has become a go-to for everyone from weekend hobbyists to enterprise teams.

Developers are obsessed with OpenWebUI because it handles the heavy lifting. It gives you instant chat history, document uploads for retrieval-augmented generation (RAG), and the freedom to run custom Python scripts.

However, the very features that make it so powerful are also its biggest blind spots when the tool runs on infected servers.

The malware campaign is still ongoing

Researchers found that thousands of OpenWebUI instances were publicly accessible on the internet, some with weak security settings or authentication disabled.

This sounds like a classic data leak, with a lot of sensitive data exposed. Well, not exactly. Instead of the usual databases containing sensitive user data, our team stumbled upon something much weirder.

The researchers found a malware operation that’s been hijacking AI servers to mine cryptocurrency and steal sensitive credentials. The detected infections started by the end of 2024 and are still ongoing.

The team has already tracked down 14 different versions of the malware, all from the same source. Also, it is highly likely that there are more, still undiscovered versions.

This suggests that the attacker behind the campaign is constantly experimenting and "patching" their code to make malware more effective.

Even more troublesome is that many of the affected systems remained infected for months simply because no one was monitoring to detect the intrusion.

OpenWebUI instances unprotected

The investigation started on January 7th, 2026, after researchers read a report about misconfigured Ollama AI servers being exposed online.

Curious whether the same issue existed elsewhere, they decided to scan the internet for other AI chat interfaces that might be publicly accessible.

Using IoT search engines, the team found over 15,000 OpenWebUI instances connected to the public web. About 12,000 responded to requests, and nearly all exposed a configuration endpoint called api/config without requiring authentication.

Most of the affected instances were hosted in the US, China, Germany, France, and Singapore – locations known as data center hubs.

The exposed configuration endpoint is associated with CVE-2025-63391 vulnerability, which exposes technical information about the server, including the software version and enabled features.

While a configuration leak that spits out version numbers and active features might not sound like a system-ender, it serves as a perfect digital scout for hackers, making it easy to index thousands of servers to highlight exactly which are outdated or misconfigured.

When our researchers put this to the test by indexing the exposed endpoints, they were able to identify servers running outdated versions of the software or operating with insecure configurations.

They found 98 instances where authentication was turned off entirely and over 2,000 servers that allowed anyone to register an account. Depending on the configuration, this could permit users to gain access without additional approval.

The research team determined that the CVE-2025-63391 vulnerability persists in newer versions of the OpenWebUI software, allowing attackers to continue indexing exposed servers and searching for misconfigured systems.

Additionally, the findings point to broader systemic issues beyond simple misconfiguration. Of the 98 servers identified as lacking authentication, nearly half (45) showed signs of compromise. A further 33 were affected by configuration conflicts or system errors, leaving just 11 operating without any apparent issues.

OpenWebUI is a project owned and operated by OpenWebUI Inc, registered in Delaware, US. Our researchers reported the vulnerability to the project, but the report was closed without comment. Our journalists contacted the creators once more before publication, but received no response.

The full technical analysis of malware exploiting vulnerable OpenWebUI instances is provided by Cybernews research team in a separate report.

Don't miss our latest stories on Google News. Add us as your Preferred Source on Google

Cybernews researchers discovered hidden malware

Many of the exposed servers belonged to individual developers experimenting with AI tools, and most contained little or no user data. However, our investigators noticed something odd.

Even on servers with no chat history, the OpenWebUI “Tools” feature often contained Python scripts with vague or random names. These scripts looked like generic code examples demonstrating how to extend an AI model.

But buried deep within the files were obfuscated instructions. When researchers decoded the scripts, the real purpose became obvious – the scripts were dedicated to infecting servers with malware.

The malicious scripts used a simple but effective obfuscation technique. The code repeatedly reversed byte sequences, decoded Base64 data, and decompressed it with Zlib until the real payload appeared.

AI servers were hijacked and converted into crypto mining tools

Once the malware is unpacked, it gets straight to work, installing a double-threat combo of cryptocurrency miners and infostealers to scavenge for system credentials.

This type of attack makes particular sense in the context of AI infrastructure. The same powerful hardware built to run complex AI models is, unfortunately, ideal for mining digital coins for cybercriminals.

To keep tabs on the operation, malware uses Discord webhooks to ping the attacker every time a new server is compromised. The scripts also contained cryptocurrency wallet addresses used to collect mining profits.

Earlier variants downloaded a malicious Java archive file that acted as a loader for additional infostealer malware. Later versions bundled the data-stealing functionality directly into the Python scripts themselves.

Another security company, Sysdig, previously caught a glimpse of parts of the same malware campaign after its client was infected. Their analysis suggested that large parts of the malware code may have been generated with AI.

This would explain the "Frankenstein" nature of the malware code, with inconsistent coding style and varying complexity levels across different components.

How can you protect your OpenWebUI ecosystem?

Our researchers recommend taking the following steps to ensure that your OpenWebUI ecosystem is safe:

Ensure that authentication features are enabled and that new signups require administrator approvals.
Ensure proper instance isolation by utilizing IP whitelisting and set up a proxy that requires additional authentication for the OpenWebUI API until the issue is addressed by OpenWebUI.
Set up monitoring pipelines to detect unauthorized “Tools” uploads and unauthorized models running on your instance.