New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens
New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens — [https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm0yasBDyeN2fn
What’s new: A new Go-based botnet named NadMesh has emerged, targeting exposed AI services to harvest cloud keys and Kubernetes tokens. The botnet has reportedly claimed 3,811 unique AWS keys and is actively scanning for services like ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio. The botnet’s operations include credential theft from environment variables and configuration files, with a focus on exploiting vulnerabilities in services such as Docker and Jenkins.
Who’s affected
Organizations using exposed AI services, particularly those running ComfyUI, Ollama, n8n, Gradio, and Docker APIs without proper authentication, are at risk. The botnet exploits weak configurations and unsecured services to gain access to sensitive cloud credentials and Kubernetes privileges.
What to do
- Secure all exposed services by implementing authentication and removing them from public access.
- Review and restrict access to Docker APIs, Jenkins consoles, and Redis instances.
- Check for known vulnerabilities, including CVE-2026-39987 and CVE-2026-41176, and apply patches where necessary.
- Inspect for unauthorized access in directories such as ~/.ssh/authorized_keys and /etc/cron.d/.
- If compromised, isolate affected hosts and revoke all credentials immediately before replacing them.



