The New Botnet That's Stealing AWS Keys from Exposed AI Services

ยท
Listen to this article~3 min
The New Botnet That's Stealing AWS Keys from Exposed AI Services

A Go botnet called NadMesh appeared in early July, hunting exposed AI services. Its dashboard shows 3,811 stolen AWS keys. It targets ComfyUI, Ollama, and other tools that teams often leave unsecured.

In early July, a Go-based botnet called NadMesh appeared on the scene, targeting exposed AI services. According to the operator's own dashboard, it has already captured 3,811 unique AWS keys. That's a big number, and it's only growing. ### How It Works NadMesh uses a Shodan harvester to keep its scan queue full. It's hunting for specific tools: ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio. These are the image generators, local model runners, and workflow builders that teams often set up quickly but forget to secure. They're easy to deploy, but their firewalls often come late. ### What's at Stake Once NadMesh finds a vulnerable service, it extracts cloud keys and Kubernetes tokens. These credentials can give attackers access to your entire cloud infrastructure. Think about it: one exposed AI service could lead to a full-scale data breach. And with over 3,800 AWS keys already stolen, this isn't a small operation. ### Who's Behind It? The botnet's dashboard is a clear sign that the operators are organized. They're tracking their progress and likely selling the stolen keys on dark web markets. This isn't just a random hacker; it's a professional operation. ### How to Protect Yourself - **Audit your exposed services.** Check if any of the mentioned tools are running without proper security. - **Use firewalls and VPNs.** Don't leave your AI services open to the public internet. - **Monitor your cloud accounts.** Look for unusual activity, especially new API calls or access from unknown IPs. - **Rotate keys regularly.** If you suspect a leak, change your AWS keys and Kubernetes tokens immediately. ### The Bigger Picture This botnet is a wake-up call for teams that deploy AI tools quickly. The convenience of standing up a service in minutes often comes at the cost of security. NadMesh is proof that attackers are watching and ready to exploit any gap. Don't let your team be the next victim.