NadMesh Is a Botnet Built to Hunt Your AI Tools. 20-Plus Exploits, 3,811 Stolen AWS Keys, and a Scan Queue Full of the Langflow and Ollama Boxes You Stood Up Fast and Firewalled Late.
- Patrick Duggan
- 26 minutes ago
- 3 min read
For most of the past two years, attacks on the AI stack have been one-off events: a poisoned model here, a prompt injection there, a single compromised agent. NadMesh is the moment that stopped being artisanal. It is a Go-written botnet, disclosed in mid-July, that carries more than twenty remote code execution exploits and points every one of them at the same target class: the AI and MCP services that engineering teams spin up in an afternoon and get around to securing next quarter.
What NadMesh is actually doing
The design is industrial. NadMesh runs a Shodan harvester that keeps a scan queue permanently stocked with the internet's exposed AI infrastructure, and the shopping list is specific: ComfyUI and Gradio for image generation, Ollama and Open WebUI for local model running, n8n for workflow automation, and Langflow for agent building. It fires its exploit arsenal at whatever it finds, lands code execution, steals the credentials on the box, and folds the victim into a mesh of attacker-controlled VPS nodes that coordinate the next wave. The operator's own dashboard, which researchers observed, claims 3,811 unique AWS keys already harvested, plus Kubernetes tokens and execution rights. This runs like a credential-and-compute harvesting operation with a clear business model, built to keep evolving for the long haul rather than spread and burn out like an ordinary worm.
Why this is the attack surface we keep pointing at
We have been saying since March that the AI tooling layer is the soft underbelly, and Langflow specifically has been our recurring example. It is the drag-and-drop builder for LangChain agents, it has hit CISA's exploited-vulnerabilities list four separate times, and JADEPUFFER, the first ransomware an AI ran by itself, broke in through an exposed Langflow instance three weeks ago. NadMesh is the same lesson written at scale. The reason these tools are dangerous is the reason they are popular: a developer can stand up an Ollama server or a Langflow canvas in ten minutes, wire it into cloud credentials so it can actually do useful work, and never think about the fact that it is now a code-execution endpoint holding the keys to the account. The tool goes up fast. The firewall rule goes up late, or never. NadMesh exists to find the gap between those two moments.
The credential angle is the whole point
Notice what NadMesh takes. It goes after AWS keys and Kubernetes tokens, the cloud credentials, while the model weights and training data the AI-security conversation usually obsesses over sit untouched. It went hunting in the AI stack because that is where teams are carelessly wiring long-lived cloud credentials into internet-facing boxes right now, and once it has the keys, the AI service was just the door. The real prize is your cloud account and your compute, to be resold or mined or used to stage the next attack. The AI tool is where the credentials happen to be sitting exposed this year.
What to do about it
Get your AI services off the open internet. ComfyUI, Ollama, Open WebUI, n8n, Langflow, and Gradio were built for convenience and ship with weak-to-nonexistent authentication by default, so a Langflow canvas or an Ollama endpoint reachable from the public internet should be treated as already compromised until you have put it behind a VPN, an SSO proxy, or an allowlist. Rotate any cloud credential that a currently-exposed AI box has ever held, because if NadMesh reached it, the keys are gone. Scope the credentials you do wire into these tools down to the minimum, so a stolen key opens a closet instead of the building. And search your egress logs and cloud audit trails for the API calls a fresh set of stolen keys makes: enumeration, new access keys, spun-up compute in regions you do not use.
We cap our certainty at 95 percent. Researchers have documented NadMesh's exploit set, its targets, and the operator's claimed haul. The 3,811-keys figure is the attacker's own dashboard boast and should be read as a ceiling rather than an audited count. The direction, though, is not in doubt: the AI tooling layer has graduated from a place attacks happen to a place attacks are farmed, and the harvest is your cloud credentials.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
