News

NadMesh Botnet Targets Exposed AI Services and Cloud Credentials

A new botnet, NadMesh, is actively targeting exposed AI services, harvesting cloud credentials, and exploiting vulnerabilities in popular tools.

The NadMesh botnet, discovered in July 2026, is specifically designed to exploit exposed AI services and steal cloud credentials. Its operators have already compromised thousands of AWS keys and are actively scanning for additional targets. The malware prioritizes MCP services and uses advanced persistence techniques to evade detection.

NadMesh Botnet Emerges as a Threat to AI Services and Cloud Security

A newly discovered botnet, named NadMesh, has been actively targeting exposed AI services since early July 2026. According to a report published by QiAnXin's XLab, the botnet has already compromised 3,811 unique AWS keys and is scanning for additional vulnerabilities in popular AI tools such as ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio.

Key Targets and Exploitation Tactics

NadMesh is designed to harvest cloud credentials, Kubernetes cluster privileges, and model access from exposed AI services. The botnet's primary targets include:

  • AI Tools: ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio.
  • Cloud Credentials: AWS keys, k8s service account tokens, and contents of configuration files like ~/.aws/config and ~/.docker/config.json.
  • Exploitable Services: Docker API, Jenkins consoles, Redis, Telnet, and SSH with weak passwords.

The botnet uses a scanning mechanism that prioritizes subnets and IPs that have previously produced successful hits. It also employs advanced persistence techniques, including Garble obfuscation, UPX packing, and random padding, to evade detection and ensure its agents remain active.

MCP Exploitation and Cloud Risks

One of the botnet's primary exploitation vectors is the MCP (Microcontroller Communication Protocol), which is often left unauthenticated in many deployments. NadMesh prioritizes MCP services for exploitation, using JSON-RPC tools to execute commands on compromised systems. The botnet's operators are particularly interested in cloud credentials and access to AI models, as evidenced by the intel feed, which shows 47 credential hauls and 41 model inventories in its last 100 records.

Observed Exploit Traffic

XLab's observations reveal that the majority of NadMesh's exploit traffic targets Docker sockets and Jenkins consoles. However, the botnet also exploits vulnerabilities such as:

  • Docker Containers API RCE: 30.31% of observed traffic.
  • Jenkins ScriptText RCE: 22.28% of observed traffic.
  • Telnet Weak Passwords: 10.36% of observed traffic.
  • Redis: 8.29% of observed traffic.

While the MCP exploitation vector (mcp_cmd_execute) accounts for only 0.78% of observed traffic, it remains a significant threat due to the widespread use of unauthenticated MCP services.

Recommendations for Mitigation

Organizations are advised to take the following steps to protect against NadMesh:

  1. Secure Exposed Services: Ensure that AI tools, Docker APIs, Jenkins consoles, Redis, and other services are secured with proper authentication and firewalled from public access.
  2. Patch Vulnerabilities: Address known vulnerabilities, including CVE-2026-39987 and CVE-2026-41176, which are actively exploited by the botnet.
  3. Monitor for Compromise: Check for indicators of compromise, such as unauthorized SSH keys, suspicious cron jobs, and unexpected files in /dev/shm, /var/tmp, or /tmp.
  4. Revoke Compromised Credentials: Immediately revoke any compromised cloud credentials, cluster tokens, or registry logins.

Conclusion

The emergence of the NadMesh botnet highlights the growing risk of exposed AI services and the importance of securing cloud credentials. Organizations must remain vigilant and proactive in protecting their infrastructure from sophisticated threats like NadMesh.