Lambsys custom XMRig miner activity on SSH-reachable hosts

Malware Activity
H score 34
1 unique source, 1 article

Summary

The lambsys malware is now being used to deploy a custom XMRig miner and spread to SSH-reachable hosts, turning compromised systems into persistent cryptomining infrastructure. The activity pairs defense evasion with cron-based persistence, increasing the chance that infected servers keep mining after the initial intrusion. It also uses a staged delivery chain that starts from exploited Langflow endpoints and expands the footprint beyond the first victim host.

Related Happenings

Langflow CVE-2026-33017 exploitation wave

Exploitation Wave
H score 50 · First: 20.03.2026 12:20 · Last: 20.03.2026 12:20 · Sources: 1

How related: Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner.

About this happening: **CVE-2026-33017** in **Langflow** is being exploited in a **wider exploitation wave** that now includes **Monero miner** delivery against **exposed AI application endpoints**. Th...

Timeline

  1. 30.06.2026 18:47 2 articles · 2h ago

    Langflow flaw drives lambsys and XMRig deployment

    Exploitation Observed

    Attackers are exploiting CVE-2026-33017 in Langflow on exposed AI application endpoints to run attacker-supplied Python inside an unauthenticated API endpoint. The resulting chain downloads a shell script, launches the lambsys binary, disables host defenses, establishes cron persistence, spreads through reused SSH keys, and fetches a bespoke XMRig miner.