The discovery of active scanning for AI model infrastructure represents a fundamental shift in enterprise security risk. Unlike traditional malware that targets data at rest or in transit, these probes seek something far more valuable: the artificial intelligence systems that process, analyze, and learn from your organization's most sensitive information. (Source: ISC)

When unauthorized AI deployments like Claude, OpenAI, or Hugging Face models operate within corporate networks, they create unprecedented exposure vectors. These systems don't just access data—they ingest it, train on it, and potentially transmit learned patterns back to external servers.

Consider what happens when an unsanctioned Claude instance processes customer support tickets containing personally identifiable information, or when a rogue OpenAI deployment analyzes proprietary source code. The model doesn't simply copy files; it builds understanding from your intellectual property, creating derivative knowledge that exists outside traditional data loss prevention controls.

The scanning activity documented by DShield sensors reveals attackers specifically hunting for configuration files like /.claude/settings.json, /openai/credentials.json, and /.cache/huggingface/token. These aren't random filesystem probes—they target the authentication mechanisms and API keys that grant access to AI processing capabilities.

For regulated industries, unauthorized AI presents catastrophic compliance implications. Healthcare organizations processing patient data through ungoverned language models violate HIPAA's minimum necessary standard. Financial institutions feeding transaction data into shadow AI systems breach both PCI DSS and SOX requirements for data handling and audit trails.

The business risk compounds when considering model poisoning scenarios. If attackers compromise these AI deployments, they gain the ability to manipulate model outputs, inject biased training data, or extract proprietary information through carefully crafted prompts. Your competitive advantage—encoded in years of accumulated business intelligence—becomes accessible through model interrogation techniques.

Shadow AI infrastructure also creates supply chain vulnerabilities that traditional security tools miss. When development teams deploy Hugging Face models for code analysis or documentation generation, they establish trust relationships with external model repositories. Compromised models can inject vulnerabilities into your software development lifecycle, affecting not just your organization but every customer using your products.

The persistence of this scanning campaign—active since January 29, 2026, with peak activity on April 3rd—indicates systematic reconnaissance rather than opportunistic attacks. The single source IP (81.168.83.103) conducting these scans suggests targeted intelligence gathering, building a map of AI infrastructure across multiple organizations.

Legal departments face unprecedented liability questions when unauthorized AI processes sensitive data. If a shadow Claude deployment trained on customer communications later generates outputs containing that information, who bears responsibility? Traditional data breach notifications may not even apply when the "breach" involves model learning rather than file exfiltration.

The economic impact extends beyond immediate breach costs. Organizations discovering unauthorized AI deployments face model retraining expenses, forensic analysis to determine what data was processed, and potential intellectual property disputes if proprietary information influenced publicly accessible models. Unlike ransomware that demands payment for decryption keys, compromised AI infrastructure may have already transmitted your competitive advantages into models you can never fully audit or control.

How Unauthorized AI Models Enter and Persist in Enterprise Networks

The deployment patterns observed in these scans reveal sophisticated infiltration methods that bypass traditional security controls. Attackers aren't simply downloading these AI systems through obvious channels—they're leveraging the same infrastructure development teams use daily, making detection extraordinarily difficult.

Package managers serve as the primary vector for initial deployment. When developers install legitimate AI libraries through pip or npm, malicious packages with similar names slip through. The openclaw and clawdbot configurations found at /.openclaw/workspace/db.sqlite and /.clawdbot/moltbot.json suggest these tools arrive bundled within seemingly benign development dependencies. A developer installing what appears to be a standard machine learning library unknowingly deploys a complete AI infrastructure that begins operating immediately.

Container registries present another deployment pathway. Pre-configured Docker images containing Claude or Hugging Face models arrive labeled as development tools or testing environments. These containers spin up with all necessary dependencies, including the /.claude/settings.json and /.cache/huggingface/token files the scanners seek. Because containerized deployments are standard practice in modern development workflows, security teams rarely scrutinize them beyond basic vulnerability scanning.

The technical architecture of Hugging Face models makes them particularly attractive for unauthorized deployment. These pretrained models require minimal configuration—just a token file and basic Python environment. They consume standard computational resources that blend into normal application workloads. The /openai/credentials.json and /openai/env.json paths indicate attackers configure these systems to communicate with external APIs while appearing as legitimate business applications processing data locally.

Persistence mechanisms exploit the inherent complexity of AI workloads. These models register as system services or scheduled tasks that restart automatically. The chroma.db database file maintains vector embeddings and conversation history across reboots. When moltbot configurations embed themselves within /.clawdbot/moltbot.json, they establish persistence through configuration files that development teams assume belong to legitimate tools.

The computational patterns of AI models provide natural camouflage. Unlike traditional malware that exhibits burst activity or suspicious network patterns, these systems maintain steady resource consumption that mirrors legitimate machine learning workloads. Memory usage fluctuates predictably. CPU utilization stays within expected ranges for data processing tasks. Network traffic to model repositories and API endpoints resembles normal development activity.

Shadow AI deployments exploit trust relationships within development environments. When a Claude instance operates from a developer workstation or test server, it inherits that system's credentials and network access. The /.claude/.credentials.json file stores authentication tokens that grant access to internal resources. These models don't need to break through security barriers—they're already inside, operating with legitimate permissions.

The distributed nature of modern AI infrastructure complicates detection further. A single unauthorized deployment might span multiple systems: model files on one server, inference engines on another, vector databases elsewhere. The /.openclaw/secrets.json configuration coordinates these distributed components, making the full scope of the deployment invisible to security tools monitoring individual systems.

Detection: Finding Unauthorized AI Models Before They Cause Damage

The scanning activity from IP 81.168.83.103 reveals a targeted reconnaissance campaign that requires immediate detection capabilities. Your security team needs specific indicators to identify these probes before attackers locate exposed AI infrastructure.

Start by searching your web server logs for these exact URL patterns: /.openclaw/workspace/db.sqlite, /.cache/huggingface/token, and /.claude/settings.json. These paths represent configuration files and databases that unauthorized AI deployments create when installed. The attacker specifically targets JSON credential files like /.claude/.credentials.json and /openai/credentials.json, which often contain API keys and authentication tokens.

Deploy an ES|QL query in your SIEM to catch these probes in real time. Search for HTTP requests containing the strings "openclaw", "claude", "huggingface", "openai", or "clawdbot" within request body content. The scanning pattern shows concentrated activity—52 queries between March 10 and April 13, 2026, with April 3rd receiving the heaviest probe volume. This burst pattern helps distinguish targeted AI reconnaissance from general vulnerability scanning.

Monitor your network for connections to AS 20860, the autonomous system hosting the scanning infrastructure. While only one IP address currently conducts these scans, the persistence since January 29, 2026 suggests this reconnaissance precedes a larger campaign. Set up alerts for any internal systems attempting to retrieve files named moltbot.json or chroma.db—these indicate active model deployment attempts.

Your firewall logs should flag repeated 404 errors for paths containing ".openclaw", ".clawdbot", or model-specific directories. These failed requests indicate the scanner hasn't found exposed models yet but continues searching. The attacker probes various web-associated ports beyond standard HTTP/HTTPS, suggesting they expect AI services running on non-standard configurations.

Implement filesystem monitoring for the creation of SQLite databases in unexpected locations, particularly files named db.sqlite within hidden directories. These databases store model weights, training data, and conversation histories that unauthorized AI systems generate during operation. The presence of secrets.json or env.json files outside approved development directories signals potential compromise.

Configure your intrusion detection system to alert on outbound connections attempting to download large model files from Hugging Face repositories or OpenAI endpoints. These downloads often exceed several gigabytes and occur outside normal business hours when network monitoring may be reduced. Track Python processes spawning with arguments containing "transformers", "torch", or "tensorflow" alongside network connections to external IPs.

The scanning methodology reveals attackers understand how AI models store credentials and workspace data. They're not randomly probing—they know exactly which configuration files contain the keys to your AI infrastructure. This targeted approach means traditional signature-based detection won't catch sophisticated variants that modify file paths while maintaining the same extraction objectives.
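The log search described in this section, worked through as an added example (not code from the ISC diary or any product): it parses Apache/nginx combined-format access lines, matches the exact indicator paths plus looser tokens for path-shifting variants, and scores each source IP on the reconnaissance signature the text describes (many distinct config paths, almost all 404, concentrated in a burst). The log format, the 3-path/80%-404 thresholds, and the RFC 5737 sample addresses are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Exact config paths the DShield diary reports the scanner requesting.
AI_CONFIG_PATHS = {
    "/.openclaw/workspace/db.sqlite", "/.cache/huggingface/token", "/.claude/settings.json",
    "/.claude/.credentials.json", "/openai/credentials.json", "/openai/env.json",
    "/.openclaw/secrets.json", "/.clawdbot/moltbot.json",
}
# Looser tokens to catch variants that move the file but keep the same target.
AI_TOKENS = ("openclaw", "claude", "huggingface", "openai", "clawdbot", "moltbot", "chroma.db")
# Apache/nginx combined log: ip - - [timestamp] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0].lower()  # drop query string, normalise case
    return rec

def classify(path):
    """'exact' for a known indicator path, 'variant' if it only carries an AI token, else None."""
    return "exact" if path in AI_CONFIG_PATHS else ("variant" if any(t in path for t in AI_TOKENS) else None)

def analyze(lines):
    """Per source IP: probe counts, 404 count, distinct indicator paths, busiest day, recon verdict."""
    per_ip = defaultdict(lambda: {"exact": 0, "variant": 0, "not_found": 0, "paths": set(), "days": Counter()})
    for line in lines:
        rec = parse_line(line)
        kind = classify(rec["path"]) if rec else None
        if kind is None:
            continue
        s = per_ip[rec["ip"]]
        s[kind] += 1
        s["not_found"] += rec["status"] == 404
        s["paths"].add(rec["path"])
        s["days"][rec["ts"].date().isoformat()] += 1
    report = {}
    for ip, s in per_ip.items():
        total = s["exact"] + s["variant"]
        peak_day, peak_hits = s["days"].most_common(1)[0]
        # Several distinct config paths from one source, nearly all 404: the reconnaissance signature.
        recon = len(s["paths"]) >= 3 and s["not_found"] >= 0.8 * total
        report[ip] = {"total": total, "exact": s["exact"], "variant": s["variant"], "not_found": s["not_found"],
                      "distinct_paths": len(s["paths"]), "peak_day": peak_day, "peak_hits": peak_hits, "recon": recon}
    return report

# Constructed sample lines (RFC 5737 documentation addresses, not the diary's real scanner IP).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Apr/2026:10:01:02 +0000] "GET /.claude/settings.json HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [03/Apr/2026:10:01:03 +0000] "GET /.cache/huggingface/token HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [03/Apr/2026:10:01:04 +0000] "GET /openai/credentials.json?x=1 HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [02/Apr/2026:09:00:00 +0000] "GET /.clawdbot/moltbot.json HTTP/1.1" 404 162 "-" "-"
198.51.100.9 - - [03/Apr/2026:11:00:01 +0000] "GET /docs/claude-usage.html HTTP/1.1" 200 2048 "-" "-"
""".splitlines()
```

The second address shows why the token match alone is noisy: a documentation page with "claude" in its name is reported as a variant hit but never reaches the recon verdict.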

Immediate Response and Containment Priorities

When your systems are actively being probed for unauthorized AI models, every hour matters. The scanning patterns from 81.168.83.103 indicate reconnaissance that precedes exploitation—meaning you have a narrow window to prevent data exposure through compromised AI infrastructure.

Within the First 4 Hours: Isolate and Inventory

Begin by running filesystem searches across all servers for the specific paths the attacker seeks. Use PowerShell on Windows systems: Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.Name -match "moltbot|openclaw|claude"}. On Linux systems, execute find / -type f \( -name "*moltbot.json" -o -name "chroma.db" -o -name "*huggingface*" \) 2>/dev/null.

Simultaneously, query your firewall logs for any successful connections to AS 20860 infrastructure. These connections indicate potential data exfiltration or command-and-control communication from compromised AI models already operating in your environment.

Immediately revoke all API keys stored in JSON configuration files. The attacker specifically targets /openai/env.json and similar credential stores. Generate new keys through your AI service providers' dashboards and update only verified, legitimate deployments. Leave compromised systems without valid credentials to prevent further data processing.

Hours 4-24: Assess Data Exposure

Deploy memory analysis tools like Volatility or WinPmem to capture running processes on systems where AI models were discovered. Look for Python processes consuming unusual amounts of RAM—these often indicate active model inference or training operations. Extract process command lines to identify which datasets these models accessed.

Review database query logs from SQLite files found at /.openclaw/workspace/db.sqlite paths. These databases contain model training history and potentially cached sensitive information. Use sqlite3 [database_file] ".dump" | grep -E "(password|token|key|secret)" to identify exposed credentials within model storage.

If your organization processes healthcare, financial, or personally identifiable information, immediately engage your legal team. Unauthorized AI models that trained on regulated data trigger breach notification requirements in multiple jurisdictions, even without confirmed exfiltration.
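The SQLite review from the second step, as an added example (not the article's sqlite3 | grep pipeline): it opens the database read-only, walks every user table and text column, and reports cells that sit in a credential-named column, contain one of the keywords, or look like an opaque key, redacting each value so the findings report does not itself become a credential store. The keyword list, the 24-character opaque-string heuristic, and the demo database are assumptions; the demo database is constructed in a temporary directory.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

KEYWORD_RE = re.compile(r"(password|passwd|token|api[_-]?key|secret|bearer)", re.I)
# API keys and session tokens look like long opaque strings: 24+ chars from a key-safe alphabet.
OPAQUE_RE = re.compile(r"\b[A-Za-z0-9_\-]{24,}\b")

def redact(value):
    """Keep a 4-char prefix and the length so the report itself does not become a credential store."""
    s = str(value)
    return f"{s[:4]}...[{len(s)} chars]"

def scan_sqlite(path):
    """Open read-only, walk every user table and text column, report cells that look like credentials."""
    findings = []
    con = sqlite3.connect(f"file:{Path(path).as_posix()}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            q = table.replace('"', '""')   # quote identifiers: table names come from the untrusted file
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{q}")')]
            for row in con.execute(f'SELECT rowid, * FROM "{q}"'):
                for col, val in zip(cols, row[1:]):
                    if not isinstance(val, str):
                        continue   # BLOB embeddings and numeric columns are skipped, not decoded
                    if val and KEYWORD_RE.search(col):
                        reason = "credential-named column"
                    elif KEYWORD_RE.search(val):
                        reason = "keyword in value"
                    elif OPAQUE_RE.search(val):
                        reason = "opaque string"
                    else:
                        continue
                    findings.append({"table": table, "column": col, "rowid": row[0],
                                     "reason": reason, "sample": redact(val)})
    finally:
        con.close()
    return findings

def build_demo_db():
    """Constructed sample (not a real workspace db): a credentials table, config rows, chat history."""
    path = Path(tempfile.mkdtemp()) / "db.sqlite"
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE credentials(provider TEXT, api_key TEXT);
        INSERT INTO credentials VALUES ('demo-provider', 'demo-key-0123456789abcdefghij');
        CREATE TABLE workspace_config(name TEXT, value TEXT);
        INSERT INTO workspace_config VALUES ('model', 'demo-model-v1');
        INSERT INTO workspace_config VALUES ('session', 'Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA');
        CREATE TABLE messages(role TEXT, content TEXT, embedding BLOB);
        INSERT INTO messages VALUES ('user', 'the vpn password is hunter2, please remember it', X'00010203');
        INSERT INTO messages VALUES ('assistant', 'Noted.', X'04050607');
    """)
    con.commit()
    con.close()
    return path
```

Copy the database before scanning it, since a live deployment may hold a write lock, and work from the copy so the original stays intact as evidence.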

Hours 24-72: Eradication and Hardening

Remove identified AI deployments using package managers that installed them. For Python environments: pip uninstall openclaw clawdbot -y && pip freeze | grep -E "(claude|hugging)" | xargs pip uninstall -y. Don't simply delete files—proper uninstallation prevents orphaned dependencies from reactivating.

Block future unauthorized deployments through application control policies. Configure AppLocker or similar tools to prevent execution from user-writable directories where AI models typically deploy. Specifically block Python interpreters from running in %TEMP%, /tmp, and user home directories unless explicitly whitelisted.

Implement egress filtering rules blocking connections to known AI model repositories. Your firewall should deny outbound HTTPS to Hugging Face CDN endpoints, unofficial Claude mirrors, and the specific infrastructure at 81.168.83.103. Monitor attempts to reach these destinations as indicators of persistent compromise.

Deploy file integrity monitoring on paths where legitimate AI tools operate. When approved models must run, baseline their configuration files and alert on any modifications to settings.json or credentials.json files that could indicate tampering.

Governance and Long-Term Prevention: AI Supply Chain Security

The probing activity targeting AI infrastructure reveals a fundamental governance gap that extends beyond immediate security concerns. Organizations deploying AI capabilities through unofficial channels create shadow infrastructure that operates outside established security boundaries, compliance frameworks, and audit mechanisms.

Consider the implications when developers independently deploy models through paths like /.openclaw/workspace/ or store credentials in /openai/env.json. These deployments bypass procurement processes, vendor risk assessments, and data classification requirements that official enterprise AI platforms undergo. A sanctioned ChatGPT Enterprise subscription includes contractual data protection guarantees, usage monitoring, and compliance certifications. An unauthorized local deployment offers none of these safeguards.

The reconnaissance patterns observed since March 10, 2026, specifically target configuration files and credential stores that unofficial deployments create. These files—secrets.json, credentials.json, token—represent unmanaged API keys and authentication tokens that never enter your organization's privileged access management systems. Without centralized key rotation policies, these credentials persist indefinitely, creating permanent backdoors into AI services that process your data.

Establishing an AI Model Registry transforms shadow deployments into managed assets. This registry functions as your single source of truth for approved AI capabilities, documenting which models serve legitimate business purposes, their data access requirements, and their integration points. When the scanner searched for /.cache/huggingface/token, it sought exactly the type of unregistered model deployment that a proper registry prevents.

Code signing for AI artifacts provides cryptographic assurance that deployed models match approved versions. The chroma.db and db.sqlite files targeted in these scans represent vector databases that store processed organizational data. Without signed artifacts, you cannot verify whether these databases contain legitimate embeddings or exfiltrated information prepared for extraction.

Supply chain attestation becomes critical when AI tools arrive through development pipelines. The moltbot.json configuration file suggests deployment through package management systems where malicious libraries masquerade as legitimate AI tools. Requiring signed software bills of materials (SBOMs) for all AI-related dependencies ensures you know exactly what enters your environment and from which sources.

API key governance specifically for AI services requires distinct policies from traditional secrets management. AI models consume tokens differently than conventional APIs—they maintain persistent connections, process continuous data streams, and often cache authentication locally. The /.claude/.credentials.json path indicates local storage of long-lived tokens that standard rotation schedules may not address. Implement AI-specific key lifecycles: 30-day maximum validity for development keys, 7-day rotation for production inference endpoints, and immediate revocation upon model decommissioning.

The distinction between approved SaaS consumption and unauthorized local deployment determines your actual risk exposure. When employees access Claude through official web interfaces, usage logs flow to your CASB, data loss prevention policies apply, and session management remains under IT control. When they run local instances storing credentials at /.claude/settings.json, none of these controls exist. Your governance framework must explicitly differentiate these deployment models, establishing clear policies for when local AI execution is permitted versus when cloud-based consumption is mandatory.

This governance structure prevents the very reconnaissance that is succeeding today. When every AI deployment requires registry approval, signed artifacts, and managed credentials, attackers scanning for /.openclaw/secrets.json find nothing because such unmanaged deployments cannot exist in your environment.

AI Shadow Infrastructure: Threats & Governance Solutions

Threats:
- Shadow Deployments: Unauthorized AI models deployed through unofficial channels bypass security controls. Indicators: /.openclaw/workspace/, /openai/env.json
- Unmanaged Credentials: Persistent API keys outside privileged access management create permanent backdoors. Indicators: secrets.json, credentials.json, /.cache/huggingface/token
- Unverified Data Stores: Vector databases may contain exfiltrated information prepared for extraction. Indicators: chroma.db, db.sqlite, moltbot.json

Governance Solutions:
- AI Model Registry: Single source of truth for approved AI capabilities with documented requirements and integration points
- Code Signing: Cryptographic verification ensures deployed models and databases match approved versions
- Supply Chain Attestation: Verify AI tools through development pipelines with cryptographic proof of origin and integrity
