Attackers are mass scanning the internet for exposed Langflow servers, a popular open source tool for building AI workflows, and abusing a critical bug to quietly take them over and mine cryptocurrency. The campaign was detailed by researcher Simon Dulude at Trend Micro.
Langflow is a Python framework for building large language model (LLM) applications as visual flow graphs. The flaw, tracked as CVE-2026-33017, lets anyone who can reach a Langflow instance run code on the server without logging in (an unauthenticated remote code execution bug). Trend Micro tracked a single operator exploiting it across a 19 day window.
The miner payload itself is old, commodity malware. What is new is the front door. The same kind of criminals who for years rode exposed Docker APIs, Confluence flaws, and SSH brute forcing are now hunting exposed AI application endpoints. As the report puts it, Langflow is today the target, but the pattern generalizes to any AI pipeline tool deployed with default credentials or missing authentication.
How the attack works
Langflow has an API endpoint that accepts a block of code and runs it as Python inside the service. It was meant to let users prototype flows without logging in. On any instance exposed to the internet, it instead hands full server side code execution to anyone who sends a request. The danger is amplified by a default setting, AUTO_LOGIN, that issues unauthenticated visitors a superuser token. That default was fixed in a March 13, 2026 commit.
The attacker sends a single line that pulls down a shell script (isp.sh) from hxxp[://]83[.]142[.]209[.]214, which downloads a Go based controller named lambsys, runs it, and then tries to spread. Before it mines anything, lambsys spends its first seconds seizing the machine: it kills rival miners by process name and by mining pool port, disables AppArmor, UFW, iptables, SELinux, and a cloud security agent, deletes system logs, and plants cron and shell loop persistence that re pull the binary if it is removed. It then beacons to its command server roughly every two minutes and launches a customized XMRig miner pointed at a mining pool.
Why one server can become many
The dropper doubles as an SSH worm. It reads private keys such as id_rsa, the known_hosts file, and the live SSH agent, then copies itself to every host the victim can already authenticate to, with no password prompt. A single exposed Langflow box running as root on a build server can therefore become a foothold into hundreds of production systems. Trend Micro urges incident responders to treat any lambsys discovery as an SSH key exposure event, not a single host mining nuisance.
Trend Micro assesses the operator as a standalone actor rather than a known crew. The Monero wallet baked into the miner appears in this family alone, unlike groups such as Kinsing or TeamTNT that reuse wallets across many samples. The toolset has been quietly maintained for at least two years, recompiled and repacked to drop its antivirus detection rate from 31 of 66 engines to just 4 of 66.
What you should do
Apply Langflow security updates and confirm whether any instance is reachable from the public internet. Restrict public access, and run Langflow under a low privilege account rather than root so a single compromise cannot reach the rest of your network. This is the second remote code execution bug of this class in Langflow within a year: CVE-2025-3248 was abused by the Flodrix DDoS botnet in June 2025 using essentially the same trick.
Indicators of compromise
- Delivery and command server: 83[.]142[.]209[.]214
- Earlier command server: 94[.]156[.]64[.]241
- Dropper script: isp.sh, controller binary: lambsys, miner: procq
- Persistence directory: /var/tmp/.xlamb
- Vulnerabilities: CVE-2026-33017 (Langflow), CVE-2025-3248 (earlier Langflow RCE)
Related coverage: Researchers weaponize Microsoft Copilot and AI agents to steal data.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.