NadMesh botnet raids exposed AI tools for 3,811 AWS keys
A Go botnet called NadMesh, active since early July, feeds a Shodan queue into ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio. Operator dashboard claims 3,811 AWS keys.
A Go-language botnet called NadMesh turned up in early July running exactly the internet scan you’d write if you were an attacker with a rented VPS and a working knowledge of the current AI-tooling shelf. Per The Hacker News’ writeup, a Shodan harvester feeds the scan queue and the queue targets six things: ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio. Image generators, local model runners, and workflow builders — the “spin it up in fifteen minutes to see if the demo works” tier of the stack. The operator’s own dashboard claims 3,811 unique AWS keys collected.
That last number is the story. Three thousand eight hundred and eleven AWS access keys pulled off machines whose owners, in most cases, thought they’d spun up a private research toy. Kubernetes service-account tokens on the same haul.
What NadMesh is actually doing
None of the targeted services are new attack surfaces. ComfyUI, Ollama, Open WebUI, Gradio — these ship dev-friendly defaults (bind to 0.0.0.0, no auth in the base config, credentials read from the surrounding environment) because that is what makes the getting-started page work. n8n and Langflow are workflow builders whose whole selling proposition is running arbitrary steps against your cloud accounts; they hold the AWS keys, the Kubernetes tokens, and the SaaS credentials by design.
Shodan indexes all of them by fingerprint. A scanner that hits Shodan on a schedule, filters for “response body contains this string,” and pipes the hits into a small library of per-tool config-readers gets you exactly the tenant-level credentials NadMesh is showing on its dashboard. It is not a vulnerability chain. It is a directory listing.
The Langflow prong is worth flagging on its own. This is the second wave of Langflow-adjacent trouble in a month — CISA added the Langflow IDOR CVE-2026-55255 to KEV on July 7, and Sysdig documented the JadePuffer group ransoming AI-agent stacks through Langflow two weeks before that. NadMesh doesn’t need a CVE to work — the exposed instance is the exposure. If it’s reachable from the internet with the defaults on, that’s the finding.
What to actually do
Priority order, do them today:
- Take exposed AI dev tools off the internet. Not “add basic auth.” Off the internet. Bind ComfyUI, Ollama, Open WebUI, and Gradio to a private interface or put them behind a VPN or SSO reverse proxy. Anything a Shodan fingerprint can identify from the outside is already being scanned by something. NadMesh is one operator; there are others.
- Rotate every AWS key and Kubernetes token that the exposed service could read. Environment variables,
~/.aws/credentials, mounted service-account tokens, IAM role sessions cached on the box. If a workflow builder had access to a credential last week, treat it as compromised this week. Rapid7’s AWS IAM persistence hunt runbook from July 15 is the shape of the follow-through: don’t stop at the rotation — go look for the new IAM user, the CreateAccessKey call, the federated-role handoff. - Audit n8n and Langflow deployments specifically. Not for CVEs, for exposure. Public URL, no auth, no IP allowlist — that trio is the win condition for this operator. If you patched n8n’s CVE-2026-59208 cross-issuer token exchange last week and the instance is still reachable from the internet, the patch closed one door and NadMesh is walking through the front one.
- Check egress logs for the last thirty days. Look for outbound calls to Shodan-adjacent scanner ranges hitting your AI-tool ports, and for any of your own instances making STS
GetCallerIdentitycalls to AWS from IPs you don’t recognize. If a key walked, it will announce itself when the operator tries it.
Priority call, no ambiguity: step 1 is not optional. Steps 2–4 assume step 1 is already done. A rotated key that goes back into an exposed n8n instance gets scraped again inside a day.
The honest timeline
The paste-a-command-and-press-Enter class of failure that carried ACR Stealer through enterprise fleets last week has a matching cloud-side version, and NadMesh is it: a class of failure that patching does not fix, because there is no bug to patch. The default is the vulnerability. The scanner running against it doesn’t need to be sophisticated. It needs to be running, and it is.
Nothing about this is going to slow down. The tooling shelf keeps growing — a new local model runner ships every couple of weeks and the getting-started defaults follow the same pattern each time — and Shodan indexes them within days. Assume the next NadMesh is being written this month. Firewall accordingly.
Found this useful? Share it.


