Security researchers have identified a new botnet, tracked as NadMesh, that is actively scanning the internet for exposed AI infrastructure and harvesting cloud credentials from misconfigured deployments. The botnet, written in Go, surfaced in early July and appears purpose built to target the wave of AI tooling that organizations have rushed to deploy without adequate network controls.

According to researchers monitoring the campaign, NadMesh relies on a Shodan-based harvester to keep its scanning queue populated with internet-facing instances of popular AI and workflow platforms, including ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio. These tools, commonly used for image generation, local large language model hosting, and automation pipelines, are frequently stood up quickly for testing or internal use and left exposed to the public internet without firewall restrictions or authentication in place.

The operator’s own dashboard, observed as part of the intelligence gathering on this campaign, reportedly claims a haul of 3,811 unique AWS keys collected from compromised or exposed systems. The presence of Kubernetes tokens among the harvested material suggests the botnet is not limited to simple credential scraping but is also targeting orchestration environments where AI workloads are commonly deployed at scale.

Why exposed AI tools are a growing target

The tools in NadMesh’s crosshairs share a common pattern: they are developer-friendly, quick to deploy, and often lack security hardening out of the box. Teams experimenting with local model runners or building automation workflows frequently prioritize speed over exposure management, leaving management interfaces or API endpoints reachable from the open internet.

Once accessible, these services can expose environment variables, configuration files, or embedded credentials, including cloud access keys and service account tokens, that attackers can harvest and reuse for lateral movement or further compromise.

Recommendations

  • Audit all internet-facing AI and workflow tooling, including ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio deployments.
  • Place AI services behind authentication, VPNs, or internal network segmentation rather than exposing them directly.
  • Rotate any AWS keys or Kubernetes tokens that may have been embedded in configuration files on exposed hosts.
  • Monitor for unusual outbound scanning behavior or unauthorized API calls originating from AI infrastructure.

Organizations running any of the affected platforms should treat internet exposure as an active risk and prioritize remediation given the scale of credentials NadMesh’s operator claims to have already collected.