NadMesh Botnet Targets Exposed AI Services for Cloud Credentials

A recently identified botnet named NadMesh has been actively targeting exposed AI services to extract cloud credentials and Kubernetes tokens. This Go-based malware emerged in early July 2026, with its operator’s dashboard reporting the acquisition of 3,811 unique AWS keys.

NadMesh employs Shodan to scan for vulnerable AI services, including ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio. These platforms, often rapidly deployed without adequate firewall protections, become prime targets for the botnet.

The botnet’s intelligence feed indicates that, among its last 100 records, there were 47 instances of credential harvesting and 41 model inventories. Notably, some inventories are tagged with identifiers like DeepSeek, GLM, and Kimi, suggesting that the botnet’s reach extends beyond the initial host to associated cloud environments.

QiAnXin’s XLab published a report on July 10, 2026, detailing NadMesh’s activities. The report highlights discrepancies in the botnet operator’s dashboard metrics, such as a counter showing 17,700 total deployments alongside a funnel indicating 95,700 in the past 24 hours. Additionally, the dashboard lists 16 active bots in one section and 12 in another. XLab’s external sensors observed a significant increase in distinct source IPs distributing NadMesh, rising from near zero in late June to approximately 139 per day in early July.

NadMesh is designed to extract sensitive information from infected systems, including cloud keys from environment variables, Kubernetes service account tokens, and contents of configuration files like ~/.aws/config, .env, and ~/.docker/config.json. The primary objective appears to be obtaining cloud credentials and Kubernetes cluster privileges rather than compromising the host systems themselves.

The botnet prioritizes exploiting the Model Context Protocol (MCP) above other services like Kubernetes, Docker API, and Redis. It utilizes a JSON-RPC tools/call to execute_command, though no specific CVE has been associated with this vector. The initial MCP specification did not include authentication, and while an optional authorization flow was added in March 2025, many deployments still lack proper security measures. As of April 28, 2026, Censys identified 12,520 accessible MCP services across 8,758 IP addresses, increasing to over 21,000 by May 6, with approximately 90 advertising a tool capable of executing commands.

Despite the focus on AI services, XLab’s analysis of NadMesh’s exploit traffic reveals that Docker API remote code execution accounts for 30.31% of observed activity, Jenkins script console RCE for 22.28%, Telnet weak passwords for 10.36%, and Redis for 8.29%. The MCP command execution vector, mcp_cmd_execute, constitutes only 0.78% of the observed traffic, indicating that while AI services are targeted, traditional services remain significant attack vectors.

In summary, NadMesh represents a sophisticated threat that leverages exposed AI services to harvest cloud credentials and Kubernetes tokens. Organizations deploying AI platforms must prioritize securing these services to prevent unauthorized access and potential exploitation by such botnets.

The emergence of NadMesh underscores the evolving landscape of cyber threats targeting AI infrastructures. As AI services become more integral to business operations, ensuring their security is paramount. Organizations should implement robust authentication and authorization mechanisms, regularly update and patch systems, and conduct thorough security assessments to identify and mitigate vulnerabilities. The rapid deployment of AI services without adequate security measures can lead to significant risks, emphasizing the need for a proactive approach to cybersecurity in the AI domain.