Select a theme from the list.
Insights

From our experts

Latest
Nichirei Cyberattack Sends Digital Disruption Into the Cold ChainNadMesh Botnet Raids Exposed AI Servers for Cloud CredentialsACR Stealer Turns Fake Fixes Into Enterprise Data TheftMicrosoft Warns That Overprivileged AI Agents Are Becoming a New Identity RiskDigiCert Intrusion Reveals How Stolen Code-Signing Trust Can Shield MalwareAbbott Investigates Two Cyber Incidents as Extortion Claims Target Diagnostics OperationsSophos Fusion Recasts the Security Platform as an AI-Driven Defense SystemShark Vacuum Cloud Weakness Turns One Device Certificate Into a Regional Master KeyTrusted Meeting Apps Become the Bait in a Multi-Layer Windows Malware CampaignMicrosoft Makes Passkeys the Entra ID Default and Sets a Deadline for Native SMS AuthenticationSonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 PatchingCritical Chrome and Firefox Updates Put Browser Restarts Back on the Security AgendaNichirei Cyberattack Sends Digital Disruption Into the Cold ChainNadMesh Botnet Raids Exposed AI Servers for Cloud CredentialsACR Stealer Turns Fake Fixes Into Enterprise Data TheftMicrosoft Warns That Overprivileged AI Agents Are Becoming a New Identity RiskDigiCert Intrusion Reveals How Stolen Code-Signing Trust Can Shield MalwareAbbott Investigates Two Cyber Incidents as Extortion Claims Target Diagnostics OperationsSophos Fusion Recasts the Security Platform as an AI-Driven Defense SystemShark Vacuum Cloud Weakness Turns One Device Certificate Into a Regional Master KeyTrusted Meeting Apps Become the Bait in a Multi-Layer Windows Malware CampaignMicrosoft Makes Passkeys the Entra ID Default and Sets a Deadline for Native SMS AuthenticationSonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 PatchingCritical Chrome and Firefox Updates Put Browser Restarts Back on the Security Agenda
Security Insight

NadMesh Botnet Raids Exposed AI Servers for Cloud Credentials

NadMesh Botnet Raids Exposed AI Servers for Cloud Credentials
Photo by Tima Miroshnichenko on Pexels

The newly identified NadMesh botnet is scanning publicly reachable AI applications and infrastructure services for cloud credentials, Kubernetes tokens, and configuration files. Its targets include ComfyUI, Ollama, n8n, Open WebUI, Langflow, Gradio, Docker, Jenkins, and Redis deployments that are exposed without sufficient authentication. ([thehackernews.com](https://thehackernews.com/2026/07/new-nadmesh-botnet-hunts-exposed-ai.html))

A newly documented Go-based botnet called NadMesh is showing why rapidly deployed artificial intelligence infrastructure has become an attractive target. Rather than concentrating only on processing power, the operation searches exposed services for credentials that can unlock cloud accounts, container registries, Kubernetes clusters, and additional business systems.

AI services become an entry point

NadMesh uses automated scanning to identify internet-accessible services associated with AI development and workflow automation. Reported targets include ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio, alongside conventional infrastructure such as Docker APIs, Jenkins consoles, Redis servers, Telnet, and SSH.

The malware searches compromised hosts for AWS keys stored in environment variables, Kubernetes service account tokens, Docker credentials, .env files, SSH access, and cloud configuration data. This means the initial server may be less valuable than the systems and services its credentials can reach.

An operator-controlled dashboard reportedly claimed possession of thousands of unique AWS keys, although researchers noted inconsistencies in several of its counters. These figures should therefore be treated as attacker claims rather than verified victim totals. Even so, observed scanning and deployment activity indicates that the botnet is operational and actively seeking poorly protected infrastructure.

How organizations can reduce exposure

  • Remove AI development interfaces and administrative APIs from the public internet.
  • Require strong authentication for Docker, Jenkins, Redis, workflow tools, and Model Context Protocol services.
  • Store cloud secrets in a managed vault instead of environment files or local configuration directories.
  • Use short-lived credentials and narrowly scoped Kubernetes service accounts.
  • Review SSH authorized keys, cron jobs, temporary directories, and unusual outbound connections.

Organizations running affected classes of services should pay particular attention to internet exposure on ports commonly associated with ComfyUI, Ollama, Gradio, and n8n. If compromise is suspected, administrators should isolate the host and remove malicious persistence before issuing replacement credentials. Otherwise, newly generated secrets could immediately be stolen again.

Expert view

I believe NadMesh represents a broader change in attacker economics. AI servers often combine powerful hardware, experimental software, administrative tools, and cloud credentials on the same machine. That combination creates an unusually valuable target.

In my view, companies should place AI development systems under the same security governance as production cloud infrastructure. Fast experimentation cannot justify public administrative interfaces, permanent access keys, or unauthenticated tools capable of executing commands. The central lesson is straightforward: an AI server is not merely a research workstation when it can authenticate to the rest of the enterprise. ([thehackernews.com](https://thehackernews.com/2026/07/new-nadmesh-botnet-hunts-exposed-ai.html))

Talk to our team →

Latest

Nichirei Cyberattack Sends Digital Disruption Into the Cold ChainJul 19, 2026NadMesh Botnet Raids Exposed AI Servers for Cloud CredentialsJul 19, 2026ACR Stealer Turns Fake Fixes Into Enterprise Data TheftJul 19, 2026Microsoft Warns That Overprivileged AI Agents Are Becoming a New Identity RiskJul 18, 2026DigiCert Intrusion Reveals How Stolen Code-Signing Trust Can Shield MalwareJul 18, 2026Abbott Investigates Two Cyber Incidents as Extortion Claims Target Diagnostics OperationsJul 18, 2026

Most read

1Global CMS Exploitation Wave Plants Webshells on Business Websites2Microsoft Prepares Windows Customers for a Faster Era of AI-Driven Patching3Exposed Attack Server Unmasks Three Microsoft 365 Phishing Operations4Laser Attack Exposes an Unpatchable Weakness in Tangem Crypto Wallet Cards5Sophos Fusion Recasts the Security Platform as an AI-Driven Defense System6Microsoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe Goal