Canadian Cyber Security Journal
SOCIAL:
Filed under: TechTalk

NadMesh Botnet Targets Exposed AI Services for AWS Keys and Kubernetes Tokens — What Canadian Cloud and Developer Teams Must Know

What Happened

Researchers disclosed a Go-based botnet called NadMesh in early July 2026 — identified in code as the “n4d mesh controller” — actively scanning for and exploiting exposed AI services and Model Context Protocol servers. The botnet operates from attacker-controlled VPS nodes and integrates scanning, exploitation, credential theft, and AI service intelligence into a single mesh infrastructure.

NadMesh sweeps 30 ports associated with web services, Kubernetes, Docker, databases, monitoring, and AI endpoints. Priority targets include port 8188 (ComfyUI), 11434 (Ollama), 5678 (n8n), and 7860 (Gradio). When the botnet finds an exposed service, it extracts cloud credentials from environment variables, Kubernetes service account tokens from default paths, and configuration files including ~/.aws/config, .env, and ~/.docker/config.json. The operator’s own dashboard claims 3,811 unique AWS keys harvested. Docker API remote code execution accounts for 30 percent of observed exploit traffic, with Jenkins script-console RCE representing another 22 percent. Source: The Hacker News

Why This Matters for Canadian Organizations

Canadian developers and engineering teams adopted AI tooling quickly over the past two years — running local model servers on Ollama, building automation workflows in n8n and Langflow, and deploying image generation with ComfyUI and Gradio. Many of these deployments are stood up on cloud VMs or developer workstations and protected inadequately, or not at all, with public-facing ports left open for convenience.

NadMesh is not an opportunistic script; it is a maintained, evolving framework with a dashboard indicating active operator involvement. AWS credentials stolen from these services carry immediate financial and data risk — attackers with AWS keys can access S3 buckets, spin up compute resources, exfiltrate databases, and destroy backups. Kubernetes service account tokens can give cluster-level access. For Canadian organizations in financial services, development, or government operating under OSFI B-13 or PIPEDA, a credential compromise via an exposed AI service constitutes a reportable incident. The OSFI B-13 guideline requires organizations to protect information assets including third-party and cloud environments; exposed AI services without authentication controls fail that standard directly.

What to Do

Audit all self-hosted AI services in your environment and confirm none expose ports 8188, 11434, 5678, 7860, or associated MCP endpoints to the public internet. Apply authentication controls — API keys, VPN-only access, or network-level ACLs — to any AI or MCP service you operate. Review environment variables and configuration files on AI service hosts for embedded cloud credentials, and rotate any AWS keys or Kubernetes tokens that were accessible. Scan Docker daemon sockets and Jenkins instances for public exposure — both are primary exploit vectors for NadMesh. Organizations using Langflow should confirm they are running version 1.10.0 or later, which patches the previously exploited CVE-2026-5027 path traversal flaw, as NadMesh specifically targets legacy Langflow instances.

Enjoy this article? Don’t forget to share.