ACCORDING to SentinelOne, AI infrastructure spanning 175,000 exposed Ollama hosts was identified, operating without the usual guardrails and monitoring. Over 293 days of research, the firms logged 7.23 million observations across 130 countries and 4,032 autonomous system numbers, with 23,000 hosts accounting for most activity. Roughly half of the identified hosts could execute code, access APIs or interact with external systems, and a small set of transient hosts drove the majority of observations.
The study found that 56% of hosts resided on fixed‑access telecom networks, with China responsible for about 30% and the US a little over 20% (Virginia accounted for 18% of US hosts). Llama AI models were the most prevalent, followed by Qwen2, Gemma2, Qwen3 and Nomic-Bert, and at least 201 hosts were running prompt templates that explicitly remove safety guardrails.
The exposed hosts could be accessed without authentication or monitoring and abused at zero marginal cost, enabling scenarios such as spam generation or disinformation campaigns, according to the report.