Find notable cyber news and cases, enriched with sources, timelines, and signals.

NadMesh exposed AI services scanning campaign

Campaign
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

The NadMesh campaign is repeatedly resampling exposed ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio systems, keeping pressure on internet-facing AI and admin services. Its automated queueing and rescan logic raise the odds of credential theft and later abuse of whatever it finds. The operation is notable because it is not a one-pass scan; it keeps returning to the same high-value hosts and subnets. That sustained targeting broadens exposure across teams that deployed AI tooling before hardening it.

Related Happenings

NadMesh botnet hunts exposed AI services for AWS keys and Kubernetes tokens

Malware Activity
H score25 First: 17.07.2026 20:12 Last: 17.07.2026 20:12 Sources 1

How related: A Go botnet called NadMesh turned up in early July hunting exposed AI services, and the operator's own dashboard claims 3,811 unique AWS keys.

About this happening: The NadMesh botnet is actively hunting exposed AI services and stealing AWS keys and Kubernetes tokens, creating immediate cloud-account takeover risk. Its con...

Timeline

  1. 17.07.2026 20:12 2 articles · 1h ago

    NadMesh exposed AI services scanning campaign

    Initial Disclosure

    In early July 2026, NadMesh began focusing on exposed AI and workflow services and immediately built a repeat-targeting loop around hits. The first phase was broad discovery followed by denser rescans of the same subnets and newly flagged hosts.

    Show sources