🟠 High  |  Source: The Hacker News


A newly discovered Go-based botnet called NadMesh is actively scanning the internet for exposed AI services — including ComfyUI, Ollama, n8n, and Gradio — to harvest AWS keys and Kubernetes tokens. The botnet’s own operator dashboard reportedly counts over 3,800 unique AWS keys already compromised. This targets a common blind spot: AI tooling stood up quickly by development and ML teams without adequate network controls.

Security Architect’s Take: Audit your organisation’s exposure of AI service endpoints via Shodan or similar tooling immediately, and enforce network-level controls (VPC-only access, authenticated reverse proxies) on any AI workbench or workflow tool. Rotate any AWS credentials and Kubernetes service account tokens associated with environments running ComfyUI, Ollama, n8n, Open WebUI, Langflow, or Gradio as a precautionary measure.

Original advisory: New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens