NATS-as-C2: Cloud Credential and AI Key Exfiltration

Authors: Cloud Security Alliance AI Safety Initiative
Published: 2026-05-19

Categories: Cloud Security, AI Security, Threat Intelligence


Key Takeaways

  • On May 14, 2026, the Sysdig Threat Research Team published what it describes as the first documented use of NATS — a cloud-native pub/sub messaging system — as command-and-control (C2) infrastructure, in a campaign the team named “NATS-as-C2.”
  • The campaign gained initial access by exploiting CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow (CVSS 9.3–9.8) that CISA added to the Known Exploited Vulnerabilities (KEV) catalog on March 25, 2026, with a federal remediation deadline of April 8, 2026.
  • The operation, internally labeled “KeyHunter” by its operator, deployed a distributed worker pool targeting twelve credential patterns covering AWS, GitHub, OpenAI, Anthropic, Google, Slack, Stripe, private keys, JWTs, and database URLs — a scope that directly reflects the expanding attack surface created by AI service adoption in cloud environments.
  • Workers used a statically-linked Go binary embedding gitleaks v8.24.3 and the uTLS library to mimic legitimate browser TLS fingerprints, substantially bypassing JA3/JA4-based bot detection deployed by Cloudflare and Akamai.
  • Post-compromise reconnaissance systematically targeted AWS Bedrock endpoints for LLMjacking — using stolen cloud credentials to invoke foundation models at victim expense.
  • Organizations running AI development platforms, workflow orchestration tools, or visual pipeline builders in internet-accessible configurations should treat immediate credential rotation and network egress controls as non-deferrable security actions.

Background

NATS is an open-source, high-performance messaging system stewarded by the Cloud Native Computing Foundation, designed to enable publish/subscribe, request/reply, and stream-based communication across distributed cloud architectures. [5] It is widely deployed in microservices platforms, edge computing environments, and Kubernetes clusters, where its sub-millisecond latency and minimal resource footprint make it a natural backbone for service-to-service communication. NATS JetStream, the system’s persistence layer, adds durable consumer queues, message replay, and explicit acknowledgment semantics to the core pub/sub model — capabilities that place it alongside Apache Kafka and RabbitMQ as enterprise-grade messaging infrastructure.

These characteristics, developed entirely for legitimate use, create a compelling profile for adversarial infrastructure. NATS traffic over its default port (4222) is present in a growing share of cloud-native environments, consistent with broader CNCF ecosystem adoption trends, meaning outbound connections to a NATS server can evade anomaly detection systems calibrated to flag recognizable C2 channels such as raw HTTP panels, IRC, or well-known malware beacons. More significantly, NATS implements subject-level access control lists at the server, allowing an operator to restrict precisely what each connected client can publish or subscribe to. This provides built-in operational compartmentalization: compromised worker nodes cannot read each other’s task assignments, cannot access the results channel, and cannot observe the operator’s control subjects — a structural security property that most commodity HTTP-based C2 panels do not offer at the protocol level.

This architecture came to light when the Sysdig Threat Research Team investigated exploitation of CVE-2026-33017, a critical unauthenticated remote code execution vulnerability in Langflow. [1] Langflow is a widely used open-source platform for visually building and orchestrating AI agent pipelines, and its exposed position as a development and deployment tool means it frequently exists in environments where cloud service credentials, AI provider API keys, and infrastructure access tokens are present in process memory or container environment variables. Attackers who could execute arbitrary code on a Langflow host had a direct and immediate path to those assets.

Security Analysis

Initial Access: CVE-2026-33017 in Langflow

CVE-2026-33017 affects the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint in Langflow, which was designed to allow unauthenticated users to build and preview publicly shared flows. [2] The vulnerability arises because the endpoint accepts attacker-supplied workflow data containing embedded Python code and executes it on the underlying host without sandboxing, input validation, or any authentication requirement — a single HTTP request is sufficient to achieve arbitrary code execution. The flaw carries a CVSS score of 9.3 under some evaluations and 9.8 under CVSS 3.1, and CISA added it to the Known Exploited Vulnerabilities catalog on March 25, 2026, requiring federal civilian agencies to remediate by April 8, 2026. [3, 10]

The Sysdig team observed exploitation in an instrumented environment beginning at 09:09 UTC, with successful RCE confirmed at 09:12. The attacker’s initial payload dumped process environment variables — a single operation that exposed live AWS access keys configured for the Langflow container. The first external AWS API call, a sts:GetCallerIdentity validation, was recorded at 09:21 UTC, confirming the stolen keys were active. The entire sequence from first probe to validated cloud credential took under fifteen minutes. [1, 4] JFrog Security Research subsequently noted that the initial Langflow patch did not fully close the vulnerability in all configurations, meaning organizations that applied the first available update remained exposed until a subsequent fix was issued. [12]

NATS C2 Architecture and Worker Pool

The campaign’s C2 infrastructure centered on an authenticated NATS server at 45.192.109.25 on port 14222, with a DigitalOcean-hosted staging server at 159.89.205.184 serving worker installation artifacts. [1] The operator named the project “KeyHunter” and provided two worker implementations: a 10,979-byte Python script (keyhunter_worker.py, SHA-256: 323bbf3064d4b83df7920d752636b1acb36f462e58609a815bd8084d1e6b004c) serving as a fallback, and a statically-linked 9.4 MB Go binary (worker-linux-amd64, SHA-256: dbee863ad2a39f939be2c7ed76f7d5a8fe000aad2d2b2d32b3e8ec3ee42f1c25) as the primary agent. The installer (deploy.sh, SHA-256: 16b279aa018c64294d58280636e538f86e3dd9bdcb5734c203373394b72d101a) supported both x86_64 and ARM architectures, suggesting intended distribution across heterogeneous cloud provider environments.

Each worker subscribed to four independent task subjects, each representing a distinct monetization pathway: [1]

Task Subject    Operation                                                    Target Platform(s)
------------    ---------------------------------------------------------    ------------------------------------------
scan_cde        Credential harvesting from Cloud Development Environments    CodePen, JSFiddle, StackBlitz, CodeSandbox
scan_web        Arbitrary URL scraping                                       General web targets
validate_aws    AWS credential validation via sts:GetCallerIdentity          AWS STS API
validate_ai     LLM provider credential validation                           OpenAI, Anthropic, Google APIs

The NATS JetStream configuration used PullSubscribe with AckExplicit semantics, ensuring tasks not acknowledged by a worker — due to a failed or interrupted execution — were automatically requeued for any available node, making the operation tolerant of individual worker failures.

The NATS server’s ACL enumerated a specific set of authorized publish subjects: heartbeat.worker, worker.hb, worker.heartbeat, result.scan, scan.result, result, worker.result, kh.result, keyhunter.result, and workers.heartbeat. A compromised worker could report results and emit heartbeats, but could not observe the task queue, read other workers’ outputs, or communicate with the operator’s control plane. This subject-level restriction is what enforces the operational compartmentalization described in the Background section: a defender who recovers one worker gains no visibility into the rest of the operation.

Credential Targeting Scope

The Python worker embedded a 12-pattern regex engine designed to match the wire formats of AWS access keys, GitHub personal access tokens, OpenAI API keys, Anthropic credentials, Google secrets, Slack tokens, Stripe API keys, RSA and EC private keys, JSON Web Tokens, and database connection strings. [1] The Go binary supplemented regex matching by invoking gitleaks v8.24.3, a purpose-built secret scanning tool that applies its own extensive detection rules to repository content, file trees, and environment variable dumps — providing coverage depth where the regex engine provided speed. [9] For JavaScript-heavy Cloud Development Environment targets, the binary launched a headless-browser sidecar component to render pages that could not be scraped directly.

CodePen targets were handled with particular sophistication, with the Go binary implementing four distinct extraction methods — extractViaInitData, extractViaNextData, extractViaPenVar, and extractViaTextarea — applied in sequence to maximize the probability of recovering embedded credentials regardless of how the platform served its page data. [1]

The explicit inclusion of Anthropic and OpenAI API key patterns — alongside the post-compromise Bedrock reconnaissance — suggests AI provider credentials were a deliberate priority for this operator, not simply an artifact of reusing existing scanning tooling. As organizations have integrated commercial LLM APIs into applications, those credentials increasingly appear in container environment variables, CI/CD pipeline secrets, and development platform configurations. A single high-quota Anthropic or OpenAI API key represents directly monetizable value through inference resale — selling access to other criminal actors who want to generate content, bypass ethical guardrails, or run AI workloads without incurring the associated costs. [11]

TLS Fingerprint Evasion

The Go binary incorporated uTLS v1.8.2, a library that overrides Go’s standard TLS implementation to mimic the specific TLS fingerprint — including cipher suite ordering, extension negotiation, and record structure — of popular web browsers. [1] Bot detection systems deployed by Cloudflare, Akamai, and other edge security vendors commonly use JA3 and JA4 fingerprinting to distinguish automated clients from real browsers; Go’s default TLS stack produces a distinctive fingerprint that these systems identify and block. By spoofing a Chrome or Firefox fingerprint, the binary’s requests to credential-bearing platforms appeared to originate from standard browser traffic, substantially bypassing JA3/JA4-based detection at the platforms the binary targeted. The presence of this technique in what appears to be a commodity credential-harvesting operation — rather than an advanced persistent threat toolkit — suggests TLS fingerprint evasion has crossed into more accessible criminal tooling.

Post-Compromise: LLMjacking via AWS Bedrock

Once stolen AWS credentials were validated, the operator conducted systematic reconnaissance over a four-hour window. The API call sequence went beyond standard infrastructure enumeration: the operator specifically invoked Bedrock:InvokeModel, Bedrock:ListInferenceProfiles, and Bedrock:ListModelInvocationJobs to identify and access AWS Bedrock-hosted foundation model endpoints. [1] This pattern is consistent with LLMjacking — the use of stolen cloud credentials specifically to consume AI inference capacity at the victim’s expense, either for direct use or for resale to other parties seeking access to frontier AI capabilities without paying for them. [11]

The broader reconnaissance scope — covering S3 buckets, EC2 instances, Lambda functions, IAM policies, SageMaker endpoints, ECS clusters, and SSO instances — indicates the operator was simultaneously evaluating whether the compromised account offered escalation paths to additional credentials or persistent footholds. The sts:GetCallerIdentity call that initiates this sequence is a benign AWS API operation that generates no billing events. Organizations relying on cost-anomaly alerting as a proxy for unauthorized API key use would therefore receive no alert from this initial validation step, allowing credential theft to go undetected until more resource-intensive Bedrock invocations begin.

The installer configured a systemd unit with Restart=always to survive reboots and elevated file descriptor limits to 65,535 for high-concurrency operation. The absence of forensic hardening — no HISTFILE suppression, no journal disabling, no cleanup routines — indicates the operator favored disposable VPS infrastructure over persistent footholds, consistent with a high-throughput operation designed to process compromised hosts rapidly rather than maintain prolonged access to any individual target.

Recommendations

Immediate Actions

Organizations running Langflow must upgrade to version 1.9.0 or later and verify that the specific code path identified by JFrog has been addressed, as the initial patch did not fully remediate the vulnerability in all configurations. [2, 12] Any organization that operated an internet-facing Langflow instance prior to patching should treat all credentials accessible to that host as potentially compromised and rotate them without delay: AWS access keys, AI API keys (OpenAI, Anthropic, Google), GitHub tokens, database connection strings, and any other secrets present in the container’s environment or reachable file system. Network defenders should block egress to 45.192.109.25 on port 14222 and to 159.89.205.184 on port 8888, and should search CloudTrail logs for sts:GetCallerIdentity calls followed by Bedrock API invocations from unfamiliar source addresses.

Short-Term Mitigations

The NATS-as-C2 technique demonstrates the inadequacy of egress filtering strategies that focus exclusively on known-bad IP addresses. Organizations should implement egress controls that restrict outbound TCP traffic on port 4222 and port 14222 — the NATS default and its common alternatives — to explicitly approved internal infrastructure. More broadly, any internet-accessible AI development platform, including workflow orchestrators, visual pipeline builders, and LLM development environments, should be treated as a high-sensitivity network zone requiring restricted egress, not a development convenience exposed to the open internet.

Secrets management practices warrant review wherever AI workloads are involved. Environment variables are a common and convenient mechanism for passing API keys to AI agent containers, but they expose credentials to any process capable of dumping the process environment — an operation requiring minimal privileges in most Linux container configurations. A centralized secrets management system that injects credentials at runtime using ephemeral references substantially reduces the persistent exposure that makes a single-container compromise so immediately valuable to an attacker.

Detection teams should build monitoring rules for unexpected NATS connections from production workloads, for sts:GetCallerIdentity calls followed by Bedrock invocations outside established usage patterns, and for gitleaks binary execution within containerized environments. The co-occurrence of these three signals in a single incident context constitutes a high-confidence indicator of the NATS-as-C2 credential harvesting pattern.
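As an added example (not from the Sysdig report or this CSA page), the following Python implements the CloudTrail correlation named in the Immediate Actions and Detection paragraphs above: a sts:GetCallerIdentity validation from an unfamiliar source address followed, within the four-hour reconnaissance window, by Bedrock API calls under the same access key. The event records, IP addresses, access key IDs and the approved-source list are constructed placeholders.

```python
"""Correlate sts:GetCallerIdentity validations with later Bedrock calls in
CloudTrail records, the sequence that precedes LLMjacking."""
from datetime import datetime, timezone

def _event(event_time, source, name, ip, access_key):
    # Minimal CloudTrail-shaped record carrying only the fields the rule needs.
    return {"eventTime": event_time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": access_key}}

# Constructed sample records (placeholder IPs and key IDs, not real IoCs).
# Key ...001 is validated from an unknown IP and then used against Bedrock,
# key ...002 is used from an approved CI runner, key ...003 hits Bedrock
# with no preceding validation.
SAMPLE_EVENTS = [
    _event("2026-05-14T09:21:03Z", "sts.amazonaws.com", "GetCallerIdentity",
           "203.0.113.7", "AKIAEXAMPLE000000001"),
    _event("2026-05-14T09:35:40Z", "bedrock.amazonaws.com", "ListInferenceProfiles",
           "203.0.113.7", "AKIAEXAMPLE000000001"),
    _event("2026-05-14T10:02:11Z", "bedrock.amazonaws.com", "InvokeModel",
           "203.0.113.7", "AKIAEXAMPLE000000001"),
    _event("2026-05-14T09:30:00Z", "sts.amazonaws.com", "GetCallerIdentity",
           "198.51.100.20", "AKIAEXAMPLE000000002"),
    _event("2026-05-14T09:31:00Z", "bedrock.amazonaws.com", "InvokeModel",
           "198.51.100.20", "AKIAEXAMPLE000000002"),
    _event("2026-05-14T08:00:00Z", "bedrock.amazonaws.com", "InvokeModel",
           "203.0.113.9", "AKIAEXAMPLE000000003"),
]
KNOWN_SOURCES = {"198.51.100.20"}  # assumed approved egress IPs (CI runners, NAT)

def _parse_time(value):
    # CloudTrail eventTime is ISO 8601 UTC with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_validation_then_bedrock(events, known_sources, window_minutes=240):
    """Return one alert per access key whose first GetCallerIdentity from an IP
    outside known_sources is followed within window_minutes by Bedrock calls
    from an unknown IP. Each alert lists (eventName, ip, delay_minutes)."""
    ordered = sorted(events, key=lambda e: _parse_time(e["eventTime"]))
    validated = {}  # accessKeyId -> (validation time, validation ip)
    alerts = {}
    for ev in ordered:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        ip = ev.get("sourceIPAddress")
        if not key or ip in known_sources:
            continue  # approved sources are out of scope for this rule
        when = _parse_time(ev["eventTime"])
        if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] == "GetCallerIdentity":
            validated.setdefault(key, (when, ip))  # keep the earliest validation
        elif ev["eventSource"] == "bedrock.amazonaws.com" and key in validated:
            start, val_ip = validated[key]
            delay = (when - start).total_seconds() / 60
            if delay <= window_minutes:
                alert = alerts.setdefault(
                    key, {"accessKeyId": key, "validation_ip": val_ip, "bedrock_calls": []})
                alert["bedrock_calls"].append((ev["eventName"], ip, round(delay, 1)))
    return list(alerts.values())
```

On real data, feed the function the `Records` array of CloudTrail log files and populate `known_sources` from your NAT gateway and CI runner addresses; the rule deliberately stays silent on GetCallerIdentity alone, since that call is benign and generates no billing signal.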

Strategic Considerations

The KeyHunter campaign reflects a structural risk in the AI platform ecosystem: the environments where AI workloads are built and tested are often among the most credential-dense systems in an organization’s infrastructure. AI agent pipelines require API keys to reach LLM providers, cloud storage credentials to access training data, and service account tokens to call dependent services. Concentrating multiple high-value credentials — LLM provider keys, cloud storage access, and service account tokens — in a single internet-accessible platform creates a target that is simultaneously high-value and, as CVE-2026-33017 demonstrated, potentially accessible with a single unauthenticated HTTP request.

Organizations should evaluate whether AI development and deployment environments are appropriately isolated from production infrastructure, whether AI provider API keys are scoped to the minimum necessary permissions and rate limits, and whether centralized monitoring covers AI service usage alongside traditional cloud service consumption. The explicit targeting of Anthropic and OpenAI credentials in the KeyHunter operation signals that AI platform credentials have become a valued and intentionally targeted asset for financially motivated threat actors, not merely an incidental byproduct of generic cloud credential harvesting.

CSA Resource Alignment

The NATS-as-C2 technique connects to several areas of CSA’s published research and framework guidance. CSA’s MAESTRO framework (Multi-Agent Environment Security, Threat, Risk, and Observability) addresses the risks introduced by agentic AI architectures and the trust boundaries between AI pipeline components, cloud infrastructure, and external service endpoints — the same attack surface that KeyHunter exploited by targeting the integration points between Langflow, cloud provider APIs, and commercial LLM provider credentials. MAESTRO’s emphasis on monitoring and observability at the AI-cloud boundary is directly applicable to detecting the Bedrock reconnaissance pattern documented in this campaign.

CSA’s Cloud Adversarial Vectors, Exploits, and Threats (CAVEaT) matrix provides a cloud-specific lens for mapping this attack to MITRE ATT&CK techniques. The table below maps the campaign’s three primary techniques using the CAVEaT framework’s taxonomy of cloud-specific threat patterns, giving practitioners a shared vocabulary for documenting and escalating these risks within cloud security operations programs.

ATT&CK       Technique Name                       Campaign Application
---------    ---------------------------------    ----------------------------------------------------------------------
T1190 [8]    Exploit Public-Facing Application    CVE-2026-33017 RCE via Langflow’s unauthenticated build endpoint
T1071 [6]    Application Layer Protocol           NATS pub/sub protocol used as C2 communication channel
T1041 [7]    Exfiltration Over C2 Channel         Harvested credentials delivered to the operator’s NATS result subjects

CSA’s Zero Trust guidance applies directly to the mitigations this campaign demands. Denying all egress traffic not explicitly permitted — a foundational Zero Trust network principle — would have blocked the worker’s connection to the NATS C2 server. Identity-based access controls for cloud service credentials, combined with just-in-time provisioning rather than persistent environment variable injection, would have reduced the yield of a single-container compromise to near zero. CSA’s AI Controls Matrix provides an additional governance framework for organizations implementing controls around AI API access management, including the provisioning, rotation, and monitoring of credentials used by AI workloads in cloud environments.

References

[1] Sysdig Threat Research Team. “NATS-as-C2: Inside a new technique attackers are using to harvest cloud credentials and AI API keys.” Sysdig, May 2026.

[2] Sysdig Threat Research Team. “CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours.” Sysdig, 2026.

[3] CISA. “Known Exploited Vulnerabilities Catalog.” Cybersecurity and Infrastructure Security Agency, continuously updated.

[4] CybersecurityNews. “Langflow CVE-2026-33017 Exploited to Steal AWS Keys and Deploy NATS Worker.” CybersecurityNews, 2026.

[5] NATS.io. “About NATS.” NATS, accessed May 2026.

[6] MITRE. “Application Layer Protocol, T1071.” MITRE ATT&CK Enterprise, accessed May 2026.

[7] MITRE. “Exfiltration Over C2 Channel, T1041.” MITRE ATT&CK Enterprise, accessed May 2026.

[8] MITRE. “Exploit Public-Facing Application, T1190.” MITRE ATT&CK Enterprise, accessed May 2026.

[9] gitleaks. “gitleaks: Protect and discover secrets using regex engine.” GitHub, accessed May 2026.

[10] Sharma, S. “Attackers exploit critical Langflow RCE within hours as CISA sounds alarm.” CSO Online, March 2026.

[11] Sysdig Threat Research Team. “LLMjacking: Stolen Cloud Credentials Used in New AI Attack.” Sysdig, May 2024.

[12] JFrog Security Research. “Langflow CVE-2026-33017: Latest ‘fixed’ version is still exploitable.” JFrog, 2026.
