HackMyIP
← Back to News
2026-07-17 The Hacker News

NadMesh Botnet Pivots to Cloud Credential Theft via Exposed AI Services

MalwareAI SecurityCloud Security

Researchers at QiAnXin's XLab have documented a new Go-language botnet called NadMesh that emerged in early July 2026 and is actively scanning the public internet for exposed AI infrastructure. The malware harvests targets through a Shodan-driven queue focused on self-hosted AI tooling—ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio—the kind of image generators, local model runners, and workflow builders that teams deploy quickly and secure slowly. The operator's own dashboard, captured by XLab on July 10, claims 3,811 unique AWS keys and advertises an underlying intel feed of 47 credential hauls and 41 model inventories across its most recent 100 records, with several inventories tagged :cloud and referencing DeepSeek, GLM, and Kimi identifiers.

What NadMesh ships back to its controller is not host data but identity: AWS keys pulled from environment variables, Kubernetes service account tokens, ~/.aws/config, .env files, and ~/.docker/config.json. XLab put it bluntly, stating the operator is after "not the host itself, but the cloud credentials, Kubernetes cluster privileges" reachable from it, alongside model access and callable MCP tools. The Model Context Protocol sits at the top of the controller's exploitation priority list, above Kubernetes, Docker API, and Redis, with the vector recorded as a JSON-RPC tools/call to execute_command. No CVE is attached to that path—the MCP specification placed authentication outside the core protocol from the start, and the authorization flow added in March 2025 remains explicitly optional, leaving plenty of deployments unprotected. Defenders can use a port scanner to identify which AI-adjacent services are reachable from the public internet, and run any exposed credentials through a password checker to assess reuse and strength.

XLab's observed exploit traffic tells a different story than the operator's dashboard, which contains internal contradictions: a counter showing 17,700 total deploys sits beside a funnel claiming 95,700 hits in the past 24 hours, while bot-count tiles read 16 and then 12 on adjacent rows. XLab's external sensors show distinct source IPs pushing NadMesh traffic near zero through late June, then climbing vertically in the first week of July to roughly 139 per day. In XLab's charted attack mix, docker_containers_api_rce accounts for 30.31% of observed traffic, jenkins_scripttext_rce for 22.28%, Telnet weak passwords 10.36%, and Redis exploitation 8.29%; mcp_cmd_execute does appear but sits at just 0.78%, buried in the unlabeled tail. For organizations that have already been exposed, a email breach checker can help determine whether associated credentials have surfaced in known dumps before rotating them across cloud and container environments.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

Email Breach Check →Privacy Checkup →

Related Guides

Learn the background behind this story:

What is a data breach? →Credential stuffing attacks →How to check for an email breach →