A new Go-based botnet called NadMesh is systematically scanning the internet for exposed AI services and stealing cloud credentials at industrial scale. Discovered by QiAnXin's XLab in early July, the malware has already compromised thousands of deployments. The operator's own command dashboard claims 3,811 unique AWS keys harvested, alongside Kubernetes tokens, Docker configs, and AI model access credentials.

The name comes from the string "n4d mesh controller" embedded in the malware's source code. Unlike earlier AI-targeted botnets that hijacked GPU cycles for cryptocurrency mining (a tactic seen as recently as April), this is a fundamentally different threat. NadMesh is not interested in your compute. It wants your keys.

"The operator is after not the host itself, but the cloud credentials and Kubernetes cluster privileges on it," XLab researchers wrote in their analysis. With more than 17,700 total deployments shown on the operator's dashboard, the botnet is far from finished.

The Rise of NadMesh

NadMesh represents a dangerous evolution in AI-targeted cyberattacks. Previous campaigns focused on hijacking GPU resources for crypto mining. NadMesh goes after the cloud credentials that AI deployments leave exposed, and the payload is far more damaging. Once an operator has your AWS keys, they have access to everything inside your cloud environment, not just the single compromised machine.

The botnet was discovered in late June when XLab's sensors detected a sudden spike in scanning activity targeting AI infrastructure ports. Distinct source IPs pushing NadMesh sat near zero through late June, then went vertical in the first week of July to roughly 139 per day. The operator's own dashboard contains contradictory numbers (one counter shows 17,700 total deploys while another claims 95,700 in the past 24 hours), but the volume is clearly significant regardless of the exact figure.

Among the dashboard's last 100 intelligence records, 47 show credential hauls and 41 show model inventories. Those inventories carry identifiers for DeepSeek, GLM, and Kimi models tagged as cloud-deployed, suggesting the botnet's reach extends well beyond the initial compromise.

How NadMesh Operates

NadMesh is built on Go and uses Garble obfuscation combined with UPX packing, meaning no two builds share the same cryptographic hash. This makes signature-based detection nearly useless. The botnet maintains persistence through three simultaneous mechanisms, ensuring that removing it from one location does not stop it from coming back.

The scanning pipeline is continuously fed by a Shodan harvester that identifies exposed instances of popular AI tools. The target list reads like a who's who of the modern AI stack: ComfyUI (image generation), Ollama (local model serving), n8n (workflow automation), Open WebUI (LLM interfaces), Langflow (visual AI builders), and Gradio (ML demos). These tools typically listen on default ports 8188, 11434, 7860, and 5678, ports that are frequently left open to the internet during rapid prototyping.

Once a target is found, NadMesh scrapes environment variables, ~/.aws/config files, .env files, and ~/.docker/config.json. It pulls Kubernetes service account tokens, Docker API credentials, and Redis authentication strings. The stolen credentials are then used to pivot into cloud infrastructure, giving the operator access to far more than the single compromised machine.

XLab observed the exploit traffic and found that Docker containers API RCE is the top vector at 30.31% of attempts, followed by Jenkins script text RCE at 22.28%, Telnet brute force at 10.36%, and Redis at 8.29%.

The MCP Problem Nobody Is Talking About

Perhaps the most concerning aspect of NadMesh is its targeting of the Model Context Protocol (MCP). The botnet actively scans for MCP services and prioritizes them above Kubernetes, Docker, and Redis in its exploitation order. The JSON-RPC call at the top of its priority table is tools/call to execute_command.

MCP is a relatively new protocol designed to let AI models interact with external tools and data sources. The problem is that authentication was deliberately left outside the core protocol specification. Even the optional authorization flow added in March 2025 remains optional in the spec's own words. As a result, thousands of MCP deployments are sitting on the open internet with no authentication at all.

XLab counted 12,520 reachable MCP services across 8,758 IP addresses as of April 28. That number ballooned to more than 21,000 by May 6. Of those, roughly 90 advertised a tool that could run commands. On 39 of them, that tool was literally named execute_command, the exact call at the top of NadMesh's exploitation table.

The botnet's own MCP dashboard shows 12,100 services marked as exploitable. This is an attack surface that has grown faster than the community's ability to secure it, and NadMesh is the first major botnet to weaponize it at scale.

What Founders and AI Teams Need to Do Now

For any startup or team running AI services, the takeaway is brutally simple: the credentials sitting in your environment variables are a ticking time bomb. NadMesh is automated, persistent, and actively scanning right now.

First, never expose AI service ports to the public internet without a reverse proxy and authentication layer. ComfyUI, Ollama, and Open WebUI should sit behind VPNs or at minimum require API keys. Default configurations are not secure configurations.

Second, audit your environment variables and credential files. NadMesh specifically targets ~/.aws/config and .env files. Use secret management services instead of leaving credentials in files or environment variables on disk. Tools like HashiCorp Vault, AWS Secrets Manager, or Doppler can eliminate this entire attack vector.

Third, if you are running MCP services, add authentication immediately. The protocol does not enforce it, but that does not mean you should skip it. Every unauthenticated MCP endpoint is an open door, and NadMesh is walking through all of them.

Fourth, monitor for unexpected outbound connections from AI infrastructure. NadMesh needs to phone home with stolen credentials. Egress filtering and anomaly detection on network traffic can catch exfiltration before credentials are weaponized.

The era of "ship first, secure later" for AI tools is over. The botnets have arrived, and they are reading your .env files faster than you are shipping features.