How are exposed ComfyUI instances being targeted for cryptomining botnets?
Exposed ComfyUI instances are being targeted by a sophisticated automated campaign that combines internet scanning with exploitation of the platform's vulnerabilities. Attackers use a purpose-built Python scanner that continuously sweeps major cloud IP ranges to identify publicly accessible ComfyUI instances. Once a vulnerable target is detected, the campaign exploits security weaknesses, often through the ComfyUI-Manager component, to install malicious nodes. These nodes enlist the compromised instance in a botnet that performs cryptocurrency mining and proxy activities, hijacking the system's computational resources. The attack is particularly concerning because the entire process, from discovery to exploitation, is automated, which allows attackers to scale their operations rapidly. Users running ComfyUI should ensure their instances are not publicly exposed, apply security patches promptly, and monitor for unauthorized resource usage to prevent such attacks.
📖 Read the full article: Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign
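A self-audit for the two defensive checks named above (public exposure and unexpected nodes), added here as an example and not taken from the article or from ComfyUI itself. It assumes ComfyUI's default port 8188, a Linux host where `ss -ltnH` is available, and an operator-maintained allowlist of approved `custom_nodes` entries; the sample socket listing is constructed.

```python
import ipaddress
from pathlib import Path

COMFY_PORT = 8188  # assumption: ComfyUI default port; change if started with --port

# Constructed sample of `ss -ltnH` output, not taken from a real host.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:8188 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8188 0.0.0.0:*
LISTEN 0 128 [::]:8188 [::]:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 10.0.0.5:8188 0.0.0.0:*
"""

def exposed_listeners(ss_output, port=COMFY_PORT):
    """Return local address:port entries on `port` not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        host, _, found_port = local.rpartition(":")
        if found_port != str(port):
            continue
        host = host.split("%")[0].strip("[]")  # drop zone id and IPv6 brackets
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False  # "*" or unparsable: treat as exposed
        if not loopback:
            exposed.append(local)
    return exposed

def unexpected_nodes(custom_nodes_dir, allowlist):
    """Return entries under custom_nodes that the operator never approved."""
    names = {p.name for p in Path(custom_nodes_dir).iterdir()
             if p.name != "__pycache__"}
    return sorted(names - set(allowlist))

if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE_SS):
        print("ComfyUI port reachable beyond loopback:", addr)
```

A loopback-only bind can still be published by a reverse proxy, container port mapping or cloud security group, so confirm the result from outside the host as well.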